This repository was archived by the owner on Aug 3, 2019. It is now read-only.

SSL Connections

Mark Paluch edited this page Jun 30, 2015 · 1 revision


spinach supports SSL connections. Disque itself has no native SSL support; SSL is usually added by putting stunnel in front of Disque, so that stunnel terminates TLS and forwards plain text to the Disque port.

An example stunnel configuration (server mode: stunnel terminates TLS on port 7443 and forwards plain text to Disque on 7711) can look like:

; server certificate (including any intermediate certificates) and its private key
cert=/etc/ssl/cert.pem
key=/etc/ssl/key.pem
; CApath expects a directory and CAfile a CA bundle; stunnel only consults them
; when client-certificate verification is enabled with the verify option, which
; this configuration does not do, so spinach is not asked for a client certificate
capath=/etc/ssl/cert.pem
cafile=/etc/ssl/cert.pem
delay=yes
pid=/etc/ssl/stunnel.pid
foreground = no

[disque]
; no "client = yes" here, so stunnel acts as the TLS server for this service
; 127.0.0.1 accepts only local clients; bind to an external address for remote clients
accept = 127.0.0.1:7443
connect = 127.0.0.1:7711

Note: Disque has no default SSL port; this example uses 7443. Before pointing spinach at it, you can confirm that stunnel is really terminating TLS on that port with openssl s_client -connect 127.0.0.1:7443, which should print the certificate chain configured above.

The next step is connecting spinach to Disque over SSL. Note that the connection goes to the stunnel port (7443 in the example above), not to the plain Disque port 7711.

Connecting to Disque using DisqueURI

import biz.paluch.spinach.DisqueClient;
import biz.paluch.spinach.DisqueURI;

// 7443 is the stunnel accept port from the configuration above; the default Disque port would bypass the tunnel
DisqueURI disqueUri = DisqueURI.Builder.disque("localhost", 7443).withSsl(true).withPassword("authentication").build();
DisqueClient client = new DisqueClient(disqueUri);

Connecting to Disque using String DisqueURI

// the disques:// scheme (with the trailing s) enables SSL; the port is again the stunnel port
DisqueClient client = new DisqueClient("disques://authentication@localhost:7443");

Connection Procedure and Reconnect

When connecting using SSL, spinach performs an SSL handshake before the connection can be used; plain text connections do not perform a handshake. Errors during the handshake throw a RedisConnectionException.

Reconnection behavior also differs from plain text connections. If the SSL handshake fails on reconnect (because peer/certificate verification fails or the peer does not talk SSL), reconnection is disabled for that connection and an error entry is written to your logs. Monitor the log for this entry, because the client will not recover that connection on its own.

Certificate Chains/Root Certificate/Self-Signed Certificates

spinach uses the Java default trust store, which is usually cacerts in your jre/lib/security directory. If you need to trust your own root certificate (or a self-signed stunnel certificate), either import it into cacerts or provide your own trust store and set the corresponding system properties before the first connection is opened:

System.setProperty("javax.net.ssl.trustStore", "yourtruststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Host/Peer Verification

By default, spinach validates the server certificate (its chain and validity period against the trust store) and checks that its common name matches the Disque host you are connecting to (name validation is not supported on Java 1.6, only on Java 1.7 and higher). This behavior can be turned off:

DisqueURI disqueUri = ...
disqueUri.setVerifyPeer(false);

or

DisqueURI disqueUri = DisqueURI.Builder.disque("host", 7443).withSsl(true).withVerifyPeer(false).build();

With verification disabled, spinach accepts whatever certificate the peer presents, so the connection is encrypted but not authenticated and can be intercepted by anyone able to redirect the traffic. Use this only against test setups with throwaway certificates; for self-signed certificates in production, import the certificate into the trust store instead and keep verification on.
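Putting the trust store and peer verification sections together, the following is an added end-to-end example; it is not code from the spinach wiki or from the spinach project. It assumes the stunnel setup above on localhost:7443 with a certificate whose common name is localhost, a JKS trust store named disque-truststore.jks that contains that certificate (created with the keytool command shown in the comment; both the file name and password are assumptions), and the connect()/sync()/addjob/getjob/ackjob calls as shown in the spinach README of the same period. Adjust those calls if your spinach version differs.

```java
import java.util.concurrent.TimeUnit;

import biz.paluch.spinach.DisqueClient;
import biz.paluch.spinach.DisqueURI;
import biz.paluch.spinach.api.DisqueConnection;
import biz.paluch.spinach.api.Job;
import biz.paluch.spinach.api.sync.DisqueCommands;
import com.lambdaworks.redis.RedisConnectionException;

/**
 * Added example (not part of the spinach wiki): connect to Disque through
 * stunnel with the stunnel certificate pinned in a private trust store and
 * peer verification left ON.
 *
 * Assumed one-time preparation on the client machine:
 *   keytool -importcert -noprompt -alias disque-stunnel \
 *           -file /etc/ssl/cert.pem -keystore disque-truststore.jks -storepass changeit
 */
public class SslDisqueExample {

    public static void main(String[] args) {
        // Point the JVM at the private trust store. The property is
        // trustStorePassword; keyStorePassword would refer to client keys.
        System.setProperty("javax.net.ssl.trustStore", "disque-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // 7443 is the stunnel accept port from the configuration above.
        // verifyPeer is already true by default; it is spelled out so the choice is visible.
        DisqueURI disqueUri = DisqueURI.Builder.disque("localhost", 7443)
                .withSsl(true)
                .withVerifyPeer(true)
                .withPassword("authentication")
                .build();

        DisqueClient client = new DisqueClient(disqueUri);
        try {
            // The SSL handshake happens here. A certificate missing from the
            // trust store, a hostname mismatch, or a peer that talks plain text
            // all surface as RedisConnectionException.
            DisqueConnection<String, String> connection = client.connect();
            try {
                DisqueCommands<String, String> sync = connection.sync();
                // Round-trip one job so the encrypted connection is exercised end to end.
                String jobId = sync.addjob("ssl-check", "hello over TLS", 1, TimeUnit.SECONDS);
                Job<String, String> job = sync.getjob("ssl-check");
                sync.ackjob(job.getId());
                System.out.println("round trip over TLS ok, job " + jobId);
            } finally {
                connection.close();
            }
        } catch (RedisConnectionException e) {
            // Do not react to this by switching to withVerifyPeer(false): that
            // accepts any certificate and hands the tunnel to a man in the middle.
            // Fix the trust store contents or the certificate's hostname instead.
            System.err.println("TLS connection to Disque failed: " + e.getMessage());
        } finally {
            client.shutdown();
        }
    }
}
```

The point of keeping withVerifyPeer(true) while using a private trust store is that a self-signed stunnel certificate can be trusted explicitly without giving up authentication of the peer; the RedisConnectionException branch is where a handshake failure shows up, which matches the reconnect behavior described above.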

StartTLS

If the server requires a StartTLS exchange before switching to SSL, set the startTls property of DisqueURI to true. StartTLS is disabled by default. Neither Disque nor stunnel in the configuration above uses StartTLS (stunnel expects the TLS handshake as the first bytes on port 7443), so leave it disabled for that setup.

DisqueURI disqueUri = ...
disqueUri.setStartTls(true);

or

DisqueURI disqueUri = DisqueURI.Builder.disque("host", 7443).withSsl(true).withStartTls(true).build();