
If my TLS key has a password, can the new version support it?

Open funnyleo opened this issue 3 years ago • 2 comments

image

funnyleo avatar Jan 15 '21 07:01 funnyleo

To rephrase this issue, hiredis does not expose SSL_CTX_set_default_passwd_cb_userdata. If it did, we could use an encrypted key.

sjpotter avatar Mar 09 '22 11:03 sjpotter

the solution for hiredis is to not use redisCreateSSLContext(), but to create an SSL_CTX by hand

simplified without error checking

/* install the passphrase callback before loading the key: OpenSSL consults it
   while SSL_CTX_use_PrivateKey_file() decrypts the PEM, so setting it afterwards
   is too late and the built-in terminal prompt is used instead */
SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_default_passwd_cb(ssl_ctx, tlsPasswordCallback);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *) tls_key_file_pass);
SSL_CTX_load_verify_locations(ssl_ctx, tls_ca_cert_file, NULL);
SSL_CTX_use_certificate_chain_file(ssl_ctx, tls_cert_file);
SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_key_file, SSL_FILETYPE_PEM);

where tlsPasswordCallback() is (copied from redis)

#include <string.h>

/* OpenSSL pem_password_cb: copy the passphrase into buf (at most size bytes,
   no terminating NUL needed) and return its length, or -1 on error */
static int tlsPasswordCallback(char *buf, int size, int rwflag, void *u) {
    const char *pass = u;
    size_t pass_len;

    (void) rwflag;                              /* same passphrase whether reading or writing */
    if (!pass) return -1;                       /* no passphrase configured */
    pass_len = strlen(pass);
    if (pass_len > (size_t) size) return -1;    /* would not fit: refuse rather than truncate */
    memcpy(buf, pass, pass_len);

    return (int) pass_len;
}

then instead of calling redisInitiateSSLWithContext() one does something like

/* c is the redisContext * returned by redisConnect(); ssl_ctx is the context built above */
SSL *ssl = SSL_new(ssl_ctx);
assert(ssl != NULL);
if (redisInitiateSSL(c, ssl) != REDIS_OK) {
    /* hiredis does not take ownership of ssl on failure, so free it here;
       the reason is in c->errstr */
    SSL_free(ssl);
}

sjpotter avatar Mar 09 '22 22:03 sjpotter
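As an added example (not code from this thread, from hiredis or from redis), here is the passphrase callback above written against the checks OpenSSL's pem_password_cb contract actually requires, together with a small stand-in for the PEM reader so the edge cases can be exercised without linking OpenSSL. The names key_passphrase_cb, fake_pem_prompt and the local pem_password_cb_t typedef are assumptions made for this demo; the sample passphrase is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as OpenSSL's pem_password_cb; declared locally so this
   file builds without the OpenSSL headers (assumption for the demo). */
typedef int (*pem_password_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* Copies the passphrase from userdata into buf. Returns its length, or -1
   when no passphrase is configured or it would not fit. OpenSSL treats a
   negative return as "bad password read" and fails the key load; buf does
   not need to be NUL-terminated. */
static int key_passphrase_cb(char *buf, int size, int rwflag, void *userdata) {
    const char *pass = userdata;
    size_t len;

    (void) rwflag;                       /* 0 = decrypting (our case), 1 = encrypting */
    if (pass == NULL || size <= 0) return -1;
    len = strlen(pass);
    if (len > (size_t) size) return -1;  /* never hand back a silently truncated passphrase */
    memcpy(buf, pass, len);
    return (int) len;
}

/* Stand-in for what the PEM reader does with the installed default callback:
   offers it a fixed buffer and reports the result. Returns the passphrase
   length, or -1 if the callback refused. */
static int fake_pem_prompt(pem_password_cb_t cb, void *userdata, char *out, int out_size) {
    int n = cb(out, out_size, 0, userdata);
    if (n < 0) return -1;
    if (n < out_size) out[n] = '\0';     /* only so it can be printed; OpenSSL does not need this */
    return n;
}

int main(void) {
    char buf[16];
    char tiny[4];
    const char *pass = "hunter2!";       /* constructed sample, not a real secret */
    int n;

    n = fake_pem_prompt(key_passphrase_cb, (void *) pass, buf, sizeof buf);
    printf("passphrase length %d, buf=\"%.*s\"\n", n, n, buf);

    /* no passphrase configured: the callback refuses and the key load fails
       cleanly instead of the process blocking on a terminal prompt */
    printf("no passphrase -> %d\n",
           fake_pem_prompt(key_passphrase_cb, NULL, buf, sizeof buf));

    /* buffer too small: refuse instead of copying a truncated passphrase */
    printf("too small -> %d\n",
           fake_pem_prompt(key_passphrase_cb, (void *) pass, tiny, sizeof tiny));
    return 0;
}
```

In the real program the callback is installed with SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() before SSL_CTX_use_PrivateKey_file(), and the userdata pointer only has to stay valid for the duration of that call; after the key is loaded the passphrase is no longer needed, so it is reasonable to clear it from memory at that point, since it protects the same secret as the key file itself.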

Closing this issue, as I think OP answered their own question.

michael-grunder avatar Aug 29 '22 16:08 michael-grunder

wasn't the OP, was answering the Q though

sjpotter avatar Aug 29 '22 22:08 sjpotter

Apologies, I misread that. Thanks for answering!

michael-grunder avatar Aug 29 '22 22:08 michael-grunder