start_server {tags {"tls"}} { if {$::tls} { package require tls test {TLS: Not accepting non-TLS connections on a TLS port} { set s [redis [srv 0 host] [srv 0 port]] catch {$s PING} e set e } {*I/O error*} test {TLS: Verify tls-auth-clients behaves as expected} { set s [redis [srv 0 host] [srv 0 port]] ::tls::import [$s channel] catch {$s PING} e assert_match {*error*} $e r CONFIG SET tls-auth-clients no set s [redis [srv 0 host] [srv 0 port]] ::tls::import [$s channel] catch {$s PING} e assert_match {PONG} $e r CONFIG SET tls-auth-clients optional set s [redis [srv 0 host] [srv 0 port]] ::tls::import [$s channel] catch {$s PING} e assert_match {PONG} $e r CONFIG SET tls-auth-clients yes set s [redis [srv 0 host] [srv 0 port]] ::tls::import [$s channel] catch {$s PING} e assert_match {*error*} $e } test {TLS: Verify tls-protocols behaves as expected} { r CONFIG SET tls-protocols TLSv1.2 set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 0}] catch {$s PING} e assert_match {*I/O error*} $e set s [redis [srv 0 host] [srv 0 port] 0 1 {-tls1.2 1}] catch {$s PING} e assert_match {PONG} $e r CONFIG SET tls-protocols "" } test {TLS: Verify tls-ciphers behaves as expected} { r CONFIG SET tls-protocols TLSv1.2 r CONFIG SET tls-ciphers "DEFAULT:-AES128-SHA256" set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}] catch {$s PING} e assert_match {*I/O error*} $e set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES256-SHA256"}] catch {$s PING} e assert_match {PONG} $e r CONFIG SET tls-ciphers "DEFAULT" set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "-ALL:AES128-SHA256"}] catch {$s PING} e assert_match {PONG} $e r CONFIG SET tls-protocols "" r CONFIG SET tls-ciphers "DEFAULT" } test {TLS: Verify tls-prefer-server-ciphers behaves as expected} { r CONFIG SET tls-protocols TLSv1.2 r CONFIG SET tls-ciphers "AES128-SHA256:AES256-SHA256" set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}] catch {$s PING} e assert_match {PONG} $e assert_equal "AES256-SHA256" [dict get [::tls::status [$s channel]] cipher] r CONFIG SET tls-prefer-server-ciphers yes set s [redis [srv 0 host] [srv 0 port] 0 1 {-cipher "AES256-SHA256:AES128-SHA256"}] catch {$s PING} e assert_match {PONG} $e assert_equal "AES128-SHA256" [dict get [::tls::status [$s channel]] cipher] r CONFIG SET tls-protocols "" r CONFIG SET tls-ciphers "DEFAULT" } test {TLS: Verify tls-cert-file is also used as a client cert if none specified} { set master [srv 0 client] set master_host [srv 0 host] set master_port [srv 0 port] # Use a non-restricted client/server cert for the replica set redis_crt [format "%s/tests/tls/redis.crt" [pwd]] set redis_key [format "%s/tests/tls/redis.key" [pwd]] start_server [list overrides [list tls-cert-file $redis_crt tls-key-file $redis_key] \ omit [list tls-client-cert-file tls-client-key-file]] { set replica [srv 0 client] $replica replicaof $master_host $master_port wait_for_condition 30 100 { [string match {*master_link_status:up*} [$replica info replication]] } else { fail "Can't authenticate to master using just tls-cert-file!" } } } test {TLS: switch between tcp and tls ports} { set srv_port [srv 0 port] # TLS set rd [redis [srv 0 host] $srv_port 0 1] $rd PING # TCP $rd CONFIG SET tls-port 0 $rd CONFIG SET port $srv_port $rd close set rd [redis [srv 0 host] $srv_port 0 0] $rd PING # TLS $rd CONFIG SET port 0 $rd CONFIG SET tls-port $srv_port $rd close set rd [redis [srv 0 host] $srv_port 0 1] $rd PING $rd close } test {TLS: Working with an encrypted keyfile} { # Create an encrypted version set keyfile [lindex [r config get tls-key-file] 1] set keyfile_encrypted "$keyfile.encrypted" exec -ignorestderr openssl rsa -in $keyfile -out $keyfile_encrypted -aes256 -passout pass:1234 2>/dev/null # Using it without a password fails catch {r config set tls-key-file $keyfile_encrypted} e assert_match {*Unable to update TLS*} $e # Now use a password r config set tls-key-file-pass 1234 r config set tls-key-file $keyfile_encrypted } } }