@imiric
Last active August 8, 2023 13:42
Redis TLS test files

Redis TLS test

  1. Run sh gen-test-certs.sh to generate the TLS certificates.

  2. Tweak docker-compose.yml as needed (e.g. to disable TLS comment out the REDIS_TLS* env vars), and run docker-compose up.

docker-compose.yml

services:
  redis:
    image: docker.io/bitnami/redis:7.0.8
    user: root
    environment:
      - ALLOW_EMPTY_PASSWORD=false
      - REDIS_PASSWORD=tjkbZ8jrwz3pGiku
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
      - REDIS_TLS_CERT_FILE=/tls/redis.crt
      - REDIS_TLS_KEY_FILE=/tls/redis.key
      - REDIS_TLS_CA_FILE=/tls/ca.crt
      - REDIS_TLS_ENABLED=yes
      - REDIS_TLS_PORT=6379
      - REDIS_EXTRA_FLAGS=--loglevel verbose --tls-auth-clients optional
      #- REDIS_EXTRA_FLAGS=--loglevel verbose
    ports:
      - '6379:6379'
    volumes:
      - 'redis_data:/bitnami/redis/data'
      - ./tests/tls:/tls

volumes:
  redis_data:
    driver: local
gen-test-certs.sh

#!/bin/bash
# Generate some test certificates which are used by the regression test suite:
#
#   tests/tls/ca.{crt,key}      Self signed CA certificate.
#   tests/tls/redis.{crt,key}   A certificate with no key usage/policy restrictions.
#   tests/tls/client.{crt,key}  A certificate restricted for SSL client usage.
#   tests/tls/server.{crt,key}  A certificate restricted for SSL server usage.
#   tests/tls/redis.dh          DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    local opts="$3"

    local keyfile=tests/tls/${name}.key
    local certfile=tests/tls/${name}.crt

    # Reuse an existing key so repeated runs keep the same key material.
    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048

    # Build a CSR and sign it with the test CA in one pipeline.
    openssl req \
        -new -sha256 \
        -subj "/O=Redis Test/CN=$cn" \
        -key $keyfile | \
        openssl x509 \
            -req -sha256 \
            -CA tests/tls/ca.crt \
            -CAkey tests/tls/ca.key \
            -CAserial tests/tls/ca.txt \
            -CAcreateserial \
            -days 365 \
            $opts \
            -out $certfile
}

mkdir -p tests/tls

# Self-signed CA that signs every other certificate below.
[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tests/tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tests/tls/ca.crt

# Extension profiles used to restrict the server-only and client-only certs.
cat > tests/tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server

[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048
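The two files above give you a TLS-enabled Redis to test against but nothing to test it with. The client below is an added example, not part of the gist, written with only the Python standard library so it can be run without redis-py: it speaks RESP directly, pins the server to the CA that gen-test-certs.sh produced, keeps hostname checking on, and optionally presents the client-only certificate to exercise the mutual-TLS path that `--tls-auth-clients optional` enables. The port, password, CA path and the `Generic-cert` CN come from the gist; the function names, the `expected_name` parameter and the `ping_redis` flow are assumptions of this example.

```python
"""Strict TLS client for the Redis service defined in docker-compose.yml above.

Added example, not part of the gist.  Standard library only: it encodes RESP
by hand, verifies the server against tests/tls/ca.crt, and can present the
client-only certificate.  Values taken from the gist: port 6379, the
REDIS_PASSWORD, the tests/tls paths and the CN "Generic-cert" of redis.crt.
Everything else (function names, the expected_name parameter) is assumed.
"""
import socket
import ssl

CA_FILE = "tests/tls/ca.crt"          # self-signed CA from gen-test-certs.sh
CLIENT_CERT = "tests/tls/client.crt"  # nsCertType = client, signed by that CA
CLIENT_KEY = "tests/tls/client.key"


def encode_resp(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_simple_reply(data: bytes) -> tuple[str, str]:
    """Decode a simple-string (+), error (-) or bulk ($) reply into (kind, text)."""
    if not data.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    kind, body = data[:1], data[1:-2]
    if kind == b"+":
        return "ok", body.decode()
    if kind == b"-":
        return "error", body.decode()
    if kind == b"$":
        length, _, rest = body.partition(b"\r\n")
        if length == b"-1":
            return "null", ""
        return "bulk", rest[: int(length)].decode()
    raise ValueError(f"unsupported reply type {kind!r}")


def make_tls_context(cafile=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Client context: TLS 1.2+, server cert must chain to cafile, hostname checked.

    The client certificate is optional because the compose file runs Redis with
    --tls-auth-clients optional; pass client.crt/client.key to test mutual TLS.
    With cafile=None the system trust store is used instead of the test CA.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def ping_redis(host="localhost", port=6379, password="tjkbZ8jrwz3pGiku",
               expected_name="Generic-cert", cafile=CA_FILE,
               client_cert=None, client_key=None) -> str:
    """AUTH, then PING, over a verified TLS connection; returns the PING text."""
    ctx = make_tls_context(cafile, client_cert, client_key)
    # The test certificates carry no subjectAltName, so OpenSSL's hostname check
    # falls back to the CN.  redis.crt is issued to CN=Generic-cert, which is why
    # that name (not "localhost") is passed as the SNI/verification name here.
    # Assumption of this example: fine for a local bench, and exactly why a real
    # deployment needs a SAN matching the hostname clients actually connect to.
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            tls.sendall(encode_resp("AUTH", password))
            kind, text = parse_simple_reply(tls.recv(4096))
            if kind == "error":
                raise PermissionError(text)
            tls.sendall(encode_resp("PING"))
            _, text = parse_simple_reply(tls.recv(4096))
            return text


if __name__ == "__main__":
    # Plain TLS first, then the mutual-TLS variant using the client-only cert.
    print(ping_redis())
    print(ping_redis(client_cert=CLIENT_CERT, client_key=CLIENT_KEY))
```

Run it from the directory that holds tests/tls after `docker-compose up`; swapping `cafile` for any other CA, or `expected_name` for `localhost`, should make the handshake fail, which is the check that the container is really presenting redis.crt signed by the test CA rather than something you are trusting blindly.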