redis module TLS authentication
Alan DeKok
aland at deployingradius.com
Tue Jul 23 15:43:04 CEST 2019

On Jul 23, 2019, at 4:50 AM, Chinnapaiyan, Nagamani <Nagamani.Chinnapaiyan at viasat.com> wrote:
> We have a TLS-enabled AWS ElastiCache.
> By default, if we try to connect to the redis-server with a password, the FreeRADIUS DHCP server does not connect to the DB.
  Yes.  The standard Redis server doesn't support TLS.  The C libraries we use also don't support TLS.
> Then I established an stunnel (secure tunnel) between localhost and the redis-server and connected the FreeRADIUS DHCP server to localhost. This works sometimes, but most of the time we get a "MOVED" error from the redis-server (as it is in a cluster).
  stunnel will connect to one Redis node.  For a cluster, you will need multiple stunnels, one for each node.
> (4)    redis_ippool - [1] >>> Sending command(s) to 127.0.0.1:6379
> (4)    redis_ippool - ERROR: (0) error   : MOVED 12826 naw01-dhcpdb-0001-001.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com:6379
  The standard Redis server only supports IP addresses in a MOVED command.
> (4)    redis_ippool - Not IPv4/6 address, and asked not to resolve
  All of the code in rlm_redis disables DNS resolution, because the standard Redis server only uses IP addresses.
  In order to support this properly, we would need to update the rlm_redis module to support hostnames and TLS.  This would likely involve extra configuration to look for the host names, and then create an stunnel connection for new / unknown hostnames.  That work isn't trivial.
> This MOVED error will be resolved if redis_ippool retries the command many times. (I am saying this because even redis-cli does not support TLS authentication. With stunnel, redis-cli gives the same "MOVED" error. Retrying many times works there.)
> 
> If possible, how do I configure the number of retries in the redis_ippool/redis module?
   Not right now.
> Or is there a way in which I can directly connect to the redis-server from the DHCP server without the need for stunnel?
  IPSec?
  Alan DeKok.
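The two points above (one stunnel per cluster node, and a client that follows MOVED redirects only to endpoints it already knows) can be shown end to end in a simulation. The block below is an added example written for this page; it is not rlm_redis, FreeRADIUS or stunnel code. It uses the real Redis Cluster slot computation (CRC16/XMODEM modulo 16384, with {hash tag} handling) and the real `MOVED <slot> <host>:<port>` reply format; the node hostnames (node-1.example and so on), slot ranges, local stunnel ports and the `StunnelClient`/`FakeNode` classes are all constructed for the demo. The client never resolves a hostname: a MOVED to a host that has no local stunnel fails immediately rather than hanging, which is the situation the single-stunnel setup in this thread runs into, and redirects are bounded by `max_redirects` so a misconfigured cluster cannot loop forever.

```python
# Added example (not rlm_redis or FreeRADIUS code): a simulated Redis Cluster
# client that follows MOVED redirects only through a per-node stunnel map.
# Hostnames, slot ranges and local ports below are constructed for the demo.
import re
from dataclasses import dataclass, field
from typing import Dict, List

SLOTS = 16384
# A cluster node answers "MOVED <slot> <host>:<port>" when it does not own the slot.
MOVED_RE = re.compile(r"^MOVED (\d+) ([^:\s]+):(\d+)$")


def crc16(data: bytes) -> int:
    """CRC16-CCITT (XMODEM) as specified for Redis Cluster: poly 0x1021, init 0."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def key_slot(key: str) -> int:
    """Hash slot of a key; with a non-empty {hash tag}, only the tag is hashed."""
    start = key.find("{")
    if start != -1:
        end = key.find("}", start + 1)
        if end > start + 1:
            key = key[start + 1:end]
    return crc16(key.encode()) % SLOTS


@dataclass
class FakeNode:
    """Stand-in for one cluster node, i.e. what an stunnel instance forwards to."""
    host: str
    port: int
    slots: range
    data: Dict[str, str] = field(default_factory=dict)

    def execute(self, peers: List["FakeNode"], cmd: str, key: str, *args: str) -> str:
        slot = key_slot(key)
        if slot not in self.slots:
            owner = next(n for n in peers if slot in n.slots)
            return f"MOVED {slot} {owner.host}:{owner.port}"
        if cmd == "SET":
            self.data[key] = args[0]
            return "OK"
        if cmd == "GET":
            return self.data.get(key, "(nil)")
        return "ERR unknown command"


class StunnelClient:
    """Talks only to 127.0.0.1:<port>. `stunnels` maps a cluster hostname to the
    local port of its stunnel; `listeners` is the node each local port forwards to.
    A MOVED to a hostname with no stunnel is fatal (no DNS resolution, no new tunnel)."""

    def __init__(self, nodes: List[FakeNode], stunnels: Dict[str, int],
                 listeners: Dict[int, FakeNode], entry_port: int, max_redirects: int = 5):
        self.nodes, self.stunnels, self.listeners = nodes, stunnels, listeners
        self.entry = listeners[entry_port]
        self.max_redirects = max_redirects
        self.slot_cache: Dict[int, FakeNode] = {}
        self.redirects = 0          # total MOVED replies seen, for inspection

    def execute(self, cmd: str, key: str, *args: str) -> str:
        slot = key_slot(key)
        node = self.slot_cache.get(slot, self.entry)
        for _ in range(self.max_redirects + 1):
            reply = node.execute(self.nodes, cmd, key, *args)
            m = MOVED_RE.match(reply)
            if not m:
                self.slot_cache[slot] = node   # remember the owner, as real cluster clients do
                return reply
            self.redirects += 1
            host = m.group(2)
            if host not in self.stunnels:
                raise RuntimeError(f"MOVED to {host}, but no local stunnel is configured for it")
            node = self.listeners[self.stunnels[host]]
        raise RuntimeError(f"gave up after {self.max_redirects} MOVED redirects")


def build_client(tunnel_all_nodes: bool = True) -> StunnelClient:
    """Three constructed nodes with the classic slot split; one stunnel per node."""
    a = FakeNode("node-1.example", 6379, range(0, 5461))
    b = FakeNode("node-2.example", 6379, range(5461, 10923))
    c = FakeNode("node-3.example", 6379, range(10923, SLOTS))
    stunnels = {a.host: 6379, b.host: 6380, c.host: 6381}
    listeners = {6379: a, 6380: b, 6381: c}
    if not tunnel_all_nodes:        # the single-stunnel setup described in the thread
        stunnels = {a.host: 6379}
    return StunnelClient([a, b, c], stunnels, listeners, entry_port=6379)


def missing_stunnel_error() -> str:
    """Reproduce the failure mode: key 'foo' lives on node-3, which has no tunnel."""
    try:
        build_client(tunnel_all_nodes=False).execute("SET", "foo", "1")
    except RuntimeError as exc:
        return str(exc)
    return ""
```

With all three tunnels configured, `build_client().execute("SET", "foo", "1")` is redirected exactly once (slot 12182 lives on node-3) and the follow-up `GET` hits the cached owner with no further redirect; with only the first tunnel, the same command fails with a clear "no local stunnel" error instead of the unresolvable-hostname situation in the debug output above. The mapping from hostname to local port is the piece that would have to be configured by hand for every node of the ElastiCache cluster.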