redis module TLS authentication
aland at deployingradius.com
Tue Jul 23 15:43:04 CEST 2019
On Jul 23, 2019, at 4:50 AM, Chinnapaiyan, Nagamani <Nagamani.Chinnapaiyan at viasat.com> wrote:
> We have TLS-enabled AWS ElastiCache.
> By default, if we try to connect to redis-server with a password, the Freeradius-DHCP server does not connect to the DB.
Yes. The standard Redis server doesn't support TLS. The C libraries we use also don't support TLS.
> Then, I established a stunnel (secure tunnel) between localhost and redis-server and connected Freeradius-DHCP to localhost. This works sometimes, but most of the time we are getting a "MOVED" error from redis-server (as this is in a cluster).
stunnel will connect to one Redis node. For a cluster, you will need multiple stunnels, one for each node.
> (4) redis_ippool -  >>> Sending command(s) to 127.0.0.1:6379
> (4) redis_ippool - ERROR: (0) error : MOVED 12826 naw01-dhcpdb-0001-001.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com:6379
The standard Redis server only supports IP addresses in a MOVED command.
> (4) redis_ippool - Not IPv4/6 address, and asked not to resolve
All of the code in rlm_redis disables DNS resolution, because the standard Redis server only uses IP addresses.
In order to support this properly, we would need to update the rlm_redis module to support hostnames and TLS. This would likely involve extra configuration to look for the host names, and then create an stunnel connection for new / unknown hostnames. That work isn't trivial.
> This MOVED error will be resolved if redis_ippool retries the command many times. (I am saying this because even redis-cli does not support TLS authentication. With stunnel, redis-cli gives the same "MOVED" error. Retrying many times works there.)
> If possible, how do we configure the number of retries in the redis_ippool/redis module?
Not right now.
> Or is there a way in which I can directly connect to redis-server from the DHCP server without the need for stunnel?
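The redirect handling discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS or rlm_redis code: it parses a MOVED reply, checks whether the target is an IP literal or a hostname, and maps the node to a local stunnel listener (one per node), refusing unknown nodes. The second node name and all local ports are constructed assumptions; only the first hostname comes from the log above.

```python
import ipaddress
import re

# Constructed map: node endpoint as named in MOVED -> local stunnel listener.
# Only the first hostname appears in the thread; the rest is assumed.
TUNNELS = {
    ("naw01-dhcpdb-0001-001.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com", 6379):
        ("127.0.0.1", 6379),
    ("node-2.example.invalid", 6379): ("127.0.0.1", 6380),
}

# Greedy host match so the port is whatever follows the last colon.
MOVED_RE = re.compile(r"^MOVED (\d+) (\S+):(\d+)$")


def parse_moved(err):
    """Split a Redis cluster MOVED error into (slot, host, port)."""
    m = MOVED_RE.match(err.strip())
    if m is None:
        raise ValueError("not a MOVED reply: %r" % err)
    slot, host, port = int(m.group(1)), m.group(2), int(m.group(3))
    if not 0 <= slot < 16384:          # Redis cluster has 16384 hash slots
        raise ValueError("slot out of range: %d" % slot)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return slot, host, port


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal, i.e. usable without DNS."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tunnel_for_redirect(err, tunnels=TUNNELS):
    """Return (slot, (local_host, local_port)) to retry the command against."""
    slot, host, port = parse_moved(err)
    key = (host.lower(), port)
    if key not in tunnels:
        # Fail closed: never follow the redirect outside a configured tunnel.
        raise LookupError("no stunnel configured for %s:%d" % (host, port))
    return slot, tunnels[key]
```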