dice icon indicating copy to clipboard operation
dice copied to clipboard
verified publisher icon DiceDB

Add TLS support to DiceDB

Open JyotinderSingh opened this issue 1 year ago • 16 comments

To improve security when exposing a DiceDB instance to the open internet, we need to implement TLS support. This will allow encrypted communication between clients and the DiceDB server, protecting data in transit. We should implement support for both HTTPS (for web-based interactions) and Secure RESP (for Redis-compatible clients).

Tasks:

  1. Research and choose a Go TLS library (e.g., crypto/tls from the standard library)
  2. Implement TLS configuration:
    • Add configuration options for TLS cert and key files
    • Create a TLS configuration struct with sensible defaults
    • Allow users to customize TLS settings via configuration
  3. Modify the server to support TLS:
    • Update the main listener to use TLS when enabled
    • Implement graceful fallback to non-TLS if not configured
  4. Add HTTPS support:
    • Modify HTTP handlers to work with TLS
  5. Add TLS-specific commands:
    • Implement a "TLS" command to query TLS status
    • Add ability to switch to TLS mid-session (similar to Redis STARTTLS)
  6. Testing:
    • Add unit tests for TLS configuration and connection handling
    • Implement integration tests to verify end-to-end TLS functionality
    • Test with various Redis clients to ensure compatibility
  7. Performance considerations:
    • Benchmark TLS vs non-TLS performance
    • Implement session caching or resumption if needed for performance
    • Consider supporting TLS 1.3 for improved performance and security

JyotinderSingh avatar Sep 12 '24 14:09 JyotinderSingh

Please can this be assigned to me.

tdadadavid avatar Sep 12 '24 14:09 tdadadavid

Please can this be assigned to me.

Assigned!

JyotinderSingh avatar Sep 12 '24 14:09 JyotinderSingh

Just to drop my update, this doc contains my ongoing research. I guess we will discuss this on thursday call

tdadadavid avatar Sep 17 '24 19:09 tdadadavid

Hello @tdadadavid,

There has been no activity on this issue for the past 5 days. It would be awesome if you keep posting updates to this issue so that we know you are actively working on it.

We are really eager to close this issue at the earliest, hence if we continue to see the inactivity, we will have to reassign the issue to someone else. We are doing this to ensure that the project maintains its momentum and others are not blocked on this work.

Just drop a comment with the current status of the work or share any issues you are facing. We can always chip in to help you out.

Thanks again.

arpitbbhayani avatar Oct 03 '24 14:10 arpitbbhayani

Hello @tdadadavid,

There has been no activity on this issue for the past 5 days. It would be awesome if you keep posting updates to this issue so that we know you are actively working on it.

We are really eager to close this issue at the earliest, hence if we continue to see the inactivity, we will have to reassign the issue to someone else. We are doing this to ensure that the project maintains its momentum and others are not blocked on this work.

Just drop a comment with the current status of the work or share any issues you are facing. We can always chip in to help you out.

Thanks again.

arpitbbhayani avatar Oct 09 '24 02:10 arpitbbhayani

@JyotinderSingh, please can this be assigned to another person, I am not chanced to work on this now. Thanks for the opportunity 🙏

tdadadavid avatar Oct 13 '24 21:10 tdadadavid

Can I take it ?

RishabhC-137 avatar Oct 13 '24 21:10 RishabhC-137

Can I take it ?

Sure, assigned

JyotinderSingh avatar Oct 14 '24 02:10 JyotinderSingh

Hello @RishabhC-137,

There has been no activity on this issue for the past 5 days. It would be awesome if you keep posting updates to this issue so that we know you are actively working on it.

We are really eager to close this issue at the earliest, hence if we continue to see the inactivity, we will have to reassign the issue to someone else. We are doing this to ensure that the project maintains its momentum and others are not blocked on this work.

Just drop a comment with the current status of the work or share any issues you are facing. We can always chip in to help you out.

Thanks again.

arpitbbhayani avatar Oct 24 '24 13:10 arpitbbhayani

I've been working on the issue and will be making a PR in the next few days. If I encounter any issues, I'll drop a comment. Thank you for your patience! @arpitbbhayani

RishabhC-137 avatar Oct 24 '24 14:10 RishabhC-137

Hi @arpitbbhayani, I wanted to provide a quick update. I was unwell last weeks, which caused a delay in my progress. However, I am actively working on it now and plan to raise a pull request soon. Thank you for your understanding!

RishabhC-137 avatar Nov 03 '24 07:11 RishabhC-137

@RishabhC-137 are you still working on it, if not can i take this up?

tarun-29 avatar Dec 01 '24 16:12 tarun-29

@RishabhC-137 Are you still working on it ? Can I pick this up if you are not ? Or can you please share your draft work ?

vpsinghg avatar Dec 02 '24 04:12 vpsinghg

@tarun-29 @vpsinghg Yes, I am still working on it.

RishabhC-137 avatar Dec 02 '24 04:12 RishabhC-137

Hi @arpitbbhayani, @JyotinderSingh! I believe for performance considerations, the DiceDB server is implemented in such a way as to use raw sockets directly using the syscall package, instead of using the net/http package. In that case, to implement a TLS server, we can't use ListenAndServeTLS method from net/http. Instead, we need to find a way to make it work with sockets. Is my understanding correct?

roopeshsn avatar Mar 08 '25 04:03 roopeshsn

To get clarified, we are not using RESP as a payload for TCP, right? It looks like we didn't when I read Read, Write methods in internal/server/ironhawk/netconn.go

roopeshsn avatar Mar 08 '25 04:03 roopeshsn