Support for SSL

Question

Support for SSL

sorvis opened this issue 3 years ago · comments

Steven Orvis commented 3 years ago

Would it be possible to add support for SSL?

Jiajing LU · Answer 1 · Wed Aug 11 2021 09:28:45 GMT+0800 (China Standard Time)

Would it be possible to add support for SSL?

I suppose the tls support has been added recently. Does #32 (comment) this comment help?

Steven Orvis · Answer 2 · Wed Aug 11 2021 20:48:36 GMT+0800 (China Standard Time)

@lujiajing1126

Thank you for the fast response that was exactly what I was looking for! I just missed it since its not in the readme. Created a PR to fix that for future me :-)

After utilizing the --tls switch I'm finding this error about having issues verifying the certificate. Is there anything that can be done to allow it to pass by that certificate and accept it?

"failed - unable to verify the first certificate"

Jiajing LU · Answer 3 · Wed Aug 11 2021 20:51:07 GMT+0800 (China Standard Time)

@lujiajing1126

Thank you for the fast response that was exactly what I was looking for! I just missed it since its not in the readme. Created a PR to fix that for future me :-)

After utilizing the --tls switch I'm finding this error about having issues verifying the certificate. Is there anything that can be done to allow it to pass by that certificate and accept it?

"failed - unable to verify the first certificate"

So I understand you are using a custom TLS certificate?

Steven Orvis · Answer 4 · Wed Aug 11 2021 21:00:33 GMT+0800 (China Standard Time)

Yes I believe you are right the custom company certificate is what it is complaining about.

Jiajing LU · Answer 5 · Wed Aug 11 2021 22:23:35 GMT+0800 (China Standard Time)

Yes I believe you are right the custom company certificate is what it is complaining about.

I will try to add customized options within this week. Or would you like to contribute this feature?

Steven Orvis · Answer 6 · Thu Aug 12 2021 02:49:22 GMT+0800 (China Standard Time)

I took a quick look, but I don't exactly see the how to implement. I did try setting this environment variable and it doesn't crash but it does seem to hang so I'm not sure if that's the right path.

export NODE_TLS_REJECT_UNAUTHORIZED=0 && rdcli -h .......

Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

Jiajing LU · Answer 7 · Thu Aug 12 2021 08:05:01 GMT+0800 (China Standard Time)

I took a quick look, but I don't exactly see the how to implement. I did try setting this environment variable and it doesn't crash but it does seem to hang so I'm not sure if that's the right path.
export NODE_TLS_REJECT_UNAUTHORIZED=0 && rdcli -h .......

Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

Generally speaking, there may be two ways,

Add option to rdcli to skip TLS cert verification,
Add option to rdcli to allow custom certification.

For rdcli, it just exposes options provided by the underlying redis library.

Steven Orvis · Answer 8 · Tue Oct 26 2021 00:04:13 GMT+0800 (China Standard Time)

@lujiajing1126 seems like I'm not going to get around to making the change. I did find another work around is to use sclient then redirect the port something like this:

sclient securedHost:123 localhost:123 &

That redirects the traffic locally to make it appear as an unsecured call so the certificate validation is ignored. Given the work around I'm not sure if you would like to update the tool later or if you'd like I could make a PR to update the read-me to mention the work around.

As you said though allowing custom certificates would be good from a security perspective.