Hello!
Is it possible to configure the Redis module to use mutual TLS? If so, could you provide some explanations on how it’s done?
Thank you for your help.
Set aside the implementation detail of Redis and tell more about what you’re looking to do; I don’t understand your use case yet.
I have a “cluster” of 3 Redis nodes using Redis Sentinel (with HAProxy in front). I connect to it like so from the command line:
redis-cli -p 26379 --tls --cacert ./redis.crt --cert ./redis.crt --key ./redis.key --user app --askpass -h $REDIS_HOST
I pass a CA Certificate, Certificate & Key for the mTLS. I want to connect to my Redis from KumoMTA, also using the CA Certificate, Certificate & Key.
(We are using Redis to load various configs)
Aah, not to use Redis to manage TLS, to connect to Redis using TLS.
Not currently; the Rust crate supports it but we haven’t had any sponsor request that.
Alright, thank you for your answer!
I have one more question on the subject: are Redis Sentinels supported? (It seems they are supported in redis-rs.) I’m wondering, if I connect to a Redis Sentinel from Kumo using the redis module, will it automatically connect me to the current Redis master?
It should; if not, try setting cluster to true as seen at open - KumoMTA Docs
No, we don’t currently support sentinel connections
Alright, thank you for your time
Hello, it’s me again. We have switched to Redis Cluster & to One Way TLS to make things work with Kumo.
After installing the server’s CA on the machine (inside /usr/local/share/ca-certificates/ & running update-ca-certificates after), I can connect to one of my Redis nodes successfully. However, from Kumo, when connecting to that same node, it seems to create the connection without errors, but when doing a conn:query(), it gets stuck (no log in the console, even in DEBUG mode).
Maybe Kumo / Rust is ignoring the system certificates? Is there an environment variable I can use to change this behavior?
The connection string that I used to successfully connect to one of my Redis nodes from the machine where kumod is: redis-cli -p 6379 --tls --user admin --askpass -h MY_HOST
redis-rs is configured to use native tls inside kumomta, so it should be using openssl + the system certificate store. It’s hard to say what might not be working there for you.
I installed kumomta from source to add some logs to debug. Inside the mod-redis, I have this log:
ConnectionInfo { addr: TcpTls { host: MY_HOST, port: 6379, insecure: false, tls_params: None }
The tls_params is None; I don’t know if that’s normal or if it’s supposed to contain some certificates?
My Redis server is expecting a one way TLS connection, so maybe that’s why the query to the Redis gets stuck?