
Support for dynamically reloading SSL certificate and key?

Open ExploreNcrack opened this issue 2 years ago • 5 comments

Is it possible to dynamically reload the SSL certificate and key for the existing connection, so that we can avoid making a new connection when the certificate and key files have changed?

ExploreNcrack avatar Jan 06 '22 23:01 ExploreNcrack

@ExploreNcrack No.

sazzad16 avatar Jan 07 '22 00:01 sazzad16

@sazzad16 So when the certificate and key files have changed, all I can do is replace the reference to the existing connection with a new connection?

ExploreNcrack avatar Jan 07 '22 00:01 ExploreNcrack

@ExploreNcrack Yes.

sazzad16 avatar Jan 07 '22 00:01 sazzad16

Alright thank you!

ExploreNcrack avatar Jan 07 '22 00:01 ExploreNcrack

I think it might be possible. I just analysed the client and it looks like JedisPooled has an option to set the SSLSocketFactory. So there is no need to create a new client or replace the reference to the existing connection. See here for the code snippet:

import java.net.URI;
import java.nio.file.Paths;

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.SSLFactoryUtils;
import redis.clients.jedis.JedisPooled;

// Placeholder Redis URI; use the rediss:// scheme so Jedis opens a TLS connection.
URI url = URI.create("rediss://redis.example.internal:6379");

// Build the factory with swappable key/trust managers so that the material
// behind the SSLSocketFactory can be replaced later without rebuilding the client.
SSLFactory baseSslFactory = SSLFactory.builder()
    .withIdentityMaterial(Paths.get("/path/to/your/identity.jks"), "password".toCharArray())
    .withTrustMaterial(Paths.get("/path/to/your/truststore.jks"), "password".toCharArray())
    .withSwappableIdentityMaterial()
    .withSwappableTrustMaterial()
    .build();

// Hand the socket factory, parameters and hostname verifier from the same
// SSLFactory to the pool (the original snippet referenced an undeclared `sslfactory` here).
JedisPooled jedisPooled = new JedisPooled(url,
    baseSslFactory.getSslSocketFactory(),
    baseSslFactory.getSslParameters(),
    baseSslFactory.getHostnameVerifier());

After some time, when you have the new keystore/truststore, either from an endpoint, from changes on the file system or from somewhere else, you can execute the following snippet to update the server SSL without needing to restart it:

// Create a new SSLFactory from the updated keystore/truststore. This one does not
// need to be swappable; it only supplies the new key/trust managers.
SSLFactory updatedSslFactory = SSLFactory.builder()
    .withIdentityMaterial(Paths.get("/path/to/your/identity.jks"), "password".toCharArray())
    .withTrustMaterial(Paths.get("/path/to/your/truststore.jks"), "password".toCharArray())
    .build();

// Swap the managers inside baseSslFactory in place; the JedisPooled built
// from it keeps using the same SSLSocketFactory instance.
SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);

See here for the documentation of this option: Swapping KeyManager and TrustManager at runtime

This option is available within the following library here: GitHub - SSLContext Kickstart which I made, hopefully you guys will like it and hopefully it will make it easier for you all to set it up.

Hakky54 avatar Jan 19 '22 19:01 Hakky54
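The following is an added example, not code from this thread, from Jedis, or from the SSLContext Kickstart project. It ties together the two approaches discussed above (replacing the client versus swapping the key/trust managers in place) into a reload routine that a practitioner would actually run: it rebuilds the SSLFactory only after the keystore or truststore file changes, keeps the previous material if the new file fails to load (for example a half-written keystore or a wrong password), and evicts idle pooled connections after a successful swap, because swapping managers only affects handshakes that have not yet started. It assumes the `JedisPooled(URI, SSLSocketFactory, SSLParameters, HostnameVerifier)` constructor and `getPool()` from Jedis 4.x, `SSLFactoryUtils.reload` from SSLContext Kickstart, and `commons-pool2`'s `clear()` on the underlying pool; the class name, file paths and the 30-second polling interval are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.SSLFactoryUtils;
import redis.clients.jedis.JedisPooled;

// Hypothetical wrapper (not part of Jedis or SSLContext Kickstart) that owns a
// JedisPooled whose TLS material can be rotated without recreating the client.
public final class RotatingTlsJedis implements AutoCloseable {

    private final Path identityPath;
    private final Path trustPath;
    private final char[] identityPassword;
    private final char[] trustPassword;
    private final SSLFactory baseSslFactory;
    private final JedisPooled jedis;
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private FileTime lastIdentityMtime;
    private FileTime lastTrustMtime;

    public RotatingTlsJedis(URI redisUri, Path identityPath, char[] identityPassword,
                            Path trustPath, char[] trustPassword) throws IOException {
        this.identityPath = identityPath;
        this.trustPath = trustPath;
        this.identityPassword = identityPassword;
        this.trustPassword = trustPassword;

        // Swappable managers are required, otherwise SSLFactoryUtils.reload cannot replace them later.
        this.baseSslFactory = SSLFactory.builder()
            .withIdentityMaterial(identityPath, identityPassword)
            .withTrustMaterial(trustPath, trustPassword)
            .withSwappableIdentityMaterial()
            .withSwappableTrustMaterial()
            .build();

        // Assumed Jedis 4.x constructor taking the socket factory, parameters and hostname verifier.
        this.jedis = new JedisPooled(redisUri, baseSslFactory.getSslSocketFactory(),
            baseSslFactory.getSslParameters(), baseSslFactory.getHostnameVerifier());

        this.lastIdentityMtime = Files.getLastModifiedTime(identityPath);
        this.lastTrustMtime = Files.getLastModifiedTime(trustPath);

        // Poll the files; a WatchService would work as well. Interval is a placeholder.
        scheduler.scheduleWithFixedDelay(this::reloadIfChanged, 30, 30, TimeUnit.SECONDS);
    }

    public JedisPooled client() {
        return jedis;
    }

    // Returns true when new material was installed, false when nothing changed or the reload failed.
    public synchronized boolean reloadIfChanged() {
        try {
            FileTime identityMtime = Files.getLastModifiedTime(identityPath);
            FileTime trustMtime = Files.getLastModifiedTime(trustPath);
            if (identityMtime.equals(lastIdentityMtime) && trustMtime.equals(lastTrustMtime)) {
                return false;
            }

            // Build the replacement first. If the file is still being written, is corrupt, or the
            // password is wrong, build() throws and the previous, working material stays in use.
            SSLFactory updated = SSLFactory.builder()
                .withIdentityMaterial(identityPath, identityPassword)
                .withTrustMaterial(trustPath, trustPassword)
                .build();
            SSLFactoryUtils.reload(baseSslFactory, updated);

            // Only record the new mtimes after a successful swap so a failed attempt is retried next tick.
            lastIdentityMtime = identityMtime;
            lastTrustMtime = trustMtime;

            // Swapping managers affects future handshakes only. Idle pooled connections were negotiated
            // with the old certificate and trust anchors, so destroy them; the pool reopens connections
            // with the new material on the next borrow. (Assumes getPool() exposes a commons-pool2 pool.)
            jedis.getPool().clear();
            return true;
        } catch (Exception e) {
            System.err.println("TLS material reload failed, keeping previous material: " + e);
            return false;
        }
    }

    @Override
    public void close() {
        scheduler.shutdownNow();
        jedis.close();
    }
}
```

Two caveats worth keeping in mind with this pattern. `clear()` destroys idle connections only; a connection checked out at the moment of the swap keeps its already-negotiated TLS session until it is closed, so if the rotation is a response to key compromise rather than routine expiry, closing and rebuilding the client (the approach in the earlier exchange) is the hard cut-over. And whatever writes the new keystore should do so atomically (write to a temporary file and rename), otherwise the poller may observe a partial file; the code above tolerates that by retrying, but an atomic write avoids the window entirely.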

This issue is marked stale. It will be closed in 30 days if it is not updated.

github-actions[bot] avatar Jan 03 '24 00:01 github-actions[bot]