hiredis
If my TLS key has a password, can the new version support it?
To rephrase this issue, hiredis does not expose SSL_CTX_set_default_passwd_cb_userdata. If it did, we could use an encrypted key.
The solution for hiredis is to not use redisCreateSSLContext(), but to create an SSL_CTX by hand.

Simplified, without error checking:

```c
#include <openssl/ssl.h>

SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_load_verify_locations(ssl_ctx, tls_ca_cert_file, NULL);
SSL_CTX_use_certificate_chain_file(ssl_ctx, tls_cert_file);
/* the password callback and its userdata must be installed before the
 * encrypted key is loaded, otherwise OpenSSL falls back to prompting on the tty */
SSL_CTX_set_default_passwd_cb(ssl_ctx, tlsPasswordCallback);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *) tls_key_file_pass);
SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_key_file, SSL_FILETYPE_PEM);
```
where tlsPasswordCallback() is (copied from redis):

```c
#include <string.h>

/* pem_password_cb contract: copy the password into buf (at most size bytes,
 * no NUL terminator needed) and return its length, or -1 to fail the key load */
static int tlsPasswordCallback(char *buf, int size, int rwflag, void *u) {
    const char *pass = u;
    size_t pass_len;
    (void) rwflag;
    if (!pass) return -1;
    pass_len = strlen(pass);
    if (pass_len > (size_t) size) return -1;
    memcpy(buf, pass, pass_len);
    return (int) pass_len;
}
```
Then, instead of calling redisInitiateSSLWithContext(), one does something like:

```c
#include <assert.h>
#include <hiredis/hiredis.h>
#include <hiredis/hiredis_ssl.h>

/* c is the redisContext * returned by redisConnect(); ssl_ctx is the SSL_CTX built above */
SSL *ssl = SSL_new(ssl_ctx);
assert(ssl != NULL);
if (redisInitiateSSL(c, ssl) != REDIS_OK) {
    /* hiredis did not take ownership of the SSL object, so release it here */
    SSL_free(ssl);
}
```
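An added, self-contained illustration of the callback contract described above (this is example code written for this page, not code from hiredis or redis). OpenSSL and hiredis are not needed to run it: invoke_like_openssl() is a stand-in for the call OpenSSL makes while decrypting a PEM key, and it shows the two failure modes the callback must handle (a NULL userdata pointer and a password longer than OpenSSL's buffer) plus the fact that the callback writes no NUL terminator. wipe_secret() is an assumed helper for scrubbing the password buffer once SSL_CTX_use_PrivateKey_file() has returned, so the plaintext passphrase does not linger in process memory.

```c
#include <stddef.h>
#include <string.h>

/* Same contract as OpenSSL's pem_password_cb: copy the password into buf
 * (at most size bytes, no NUL terminator required) and return its length,
 * or return -1 so the key load fails instead of falling back to a tty prompt. */
static int key_password_cb(char *buf, int size, int rwflag, void *u) {
    const char *pass = u;
    size_t pass_len;
    (void) rwflag;                          /* 0 = decrypting, 1 = encrypting */
    if (!pass || size <= 0) return -1;      /* no password registered: fail closed */
    pass_len = strlen(pass);
    if (pass_len > (size_t) size) return -1;/* would overflow OpenSSL's buffer */
    memcpy(buf, pass, pass_len);
    return (int) pass_len;
}

/* Stand-in (constructed for this example) for the call OpenSSL makes while
 * decrypting the PEM key: it hands the callback a fixed-size buffer and the
 * userdata that was registered with SSL_CTX_set_default_passwd_cb_userdata().
 * Returns what the callback returned; out[] is left exactly as the callback
 * wrote it, pre-filled with 'X' so the caller can see which bytes were touched. */
static int invoke_like_openssl(const char *userdata, char *out, int out_size) {
    memset(out, 'X', (size_t) out_size);
    return key_password_cb(out, out_size, 0, (void *) userdata);
}

/* Assumed helper: overwrite a secret so the optimiser cannot elide the store
 * (the same idea as OPENSSL_cleanse). Call it on the passphrase buffer after
 * SSL_CTX_use_PrivateKey_file() has returned, since the key is now in the
 * SSL_CTX and the passphrase is no longer needed. */
static void wipe_secret(char *p, size_t n) {
    volatile char *vp = p;
    while (n--) *vp++ = 0;
}
```

The -1 return on an over-long password matters more than it looks: silently truncating would make OpenSSL try a wrong passphrase, and the resulting "bad decrypt" error is much harder to diagnose than an explicit callback failure.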
Closing this issue, as I think OP answered their own question.
wasn't the OP, was answering the Q though
Apologies, I misread that. Thanks for answering!