TLS Support
Getting Started#
Building#
To build with TLS support you'll need OpenSSL development libraries (e.g. libssl-dev on Debian/Ubuntu).
KeyDB is now built with TLS enabled by default, where all KeyDB packages and
distributions are shipped with TLS enabled. To build without TLS support you
will need to run make BUILD_TLS=no.
Tests#
To run KeyDB test suite with TLS, you'll need TLS support for TCL (i.e.
tcl-tls package on Debian/Ubuntu).
Run
./utils/gen-test-certs.shto generate a root CA and a server certificate.Run
./runtest --tlsor./runtest-cluster --tlsto run KeyDB and Redis Cluster tests in TLS mode.
Running manually#
To manually run a KeyDB server with TLS mode (assuming gen-test-certs.sh was
invoked so sample certificates/keys are available):
To connect to this KeyDB server with keydb-cli:
This will disable TCP and enable TLS on port 6379. It's also possible to have both TCP and TLS available, but you'll need to assign different ports.
To make a Replica connect to the master using TLS, use --tls-replication yes,
and to make KeyDB Cluster use TLS across nodes use --tls-cluster yes.
Connections#
All socket operations now go through a connection abstraction layer that hides I/O and read/write event handling from the caller.
Note that unlike Redis, KeyDB fully supports multithreading of TLS connections.
To-Do List#
- keydb-benchmark support. The current implementation is a mix of using hiredis for parsing and basic networking (establishing connections), but directly manipulating sockets for most actions. This will need to be cleaned up for proper TLS support. The best approach is probably to migrate to hiredis async mode.
- keydb-cli
--slaveand--rdbsupport.
Multi-port#
Consider the implications of allowing TLS to be configured on a separate port, making KeyDB listening on multiple ports:
- Startup banner port notification
- Proctitle
- How replicas announce themselves
- Cluster bus port calculation