I have a Redis cluster that I wish to set up stunnel on, for the purpose of encrypting traffic to and from each master/slave, and to and from the HAProxy layer above Redis. I have configured stunnel with the following configuration file:
pid=/var/stunnel-redis.pid
foreground = yes
debug = info
output = stunnel.log
sslVersion = all
#options = NO_SSLv2
fips = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[redis-server]
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
TIMEOUTclose = 0
accept = 0.0.0.0:7001
connect = 127.0.0.1:7002
[redis-client]
client = yes
accept = 127.0.0.1:7002
connect = 127.0.0.1:6379
CAfile = /etc/stunnel/redis.pem
verify = 0
EDIT: I should explain how each service is set up, network-wise.
redis-server binds 127.0.0.1:6379
stunnel redis-server binds 0.0.0.0:7001
stunnel redis-client binds 127.0.0.1:7002
A redis client connection will connect to stunnel's redis-server on 0.0.0.0:7001. Stunnel will then connect to the redis-client on 127.0.0.1:7002, and stunnel's redis-client will connect to the redis server on 127.0.0.1:6379.
When attempting to run redis-cli -h my_remote_stunnel_ip -p 7001, I receive the following error in the logs:
2017.01.31 09:45:11 LOG3[16062]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017.01.31 09:45:11 LOG5[16062]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
I have tried disabling the redis-client section in the config, and I have tried changing sslVersion to sslVersion = TLSv1 and to sslVersion = TLSv1.2. When I change sslVersion to sslVersion = TLSv1, I receive the following error upon attempting connection:
2017.01.31 09:38:33 LOG3[15830]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Is this due to a version mismatch? And if so, how? Both daemons are running on the same host.
EDIT: Output of openssl s_client -connect :7001 -tls1:
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2452 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0A05C63AA7596D37B4D18B5CF377213A0B245B681E3E1CD28506E877311A862A
Session-ID-ctx:
Master-Key: 54EE658224A3BB08E25416F05CBCAB5D58EA075E7C157AEE31B94D2AA289CE694558CDF27B3EA0B8FB90738C3EEE4EE8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1485881728
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=104
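Added example, not from the question above: the log line SSL_accept: ... SSL23_GET_CLIENT_HELLO:unknown protocol is what stunnel reports when the bytes arriving on its TLS listener are not a TLS ClientHello, which is what a plain redis-cli connection straight to port 7001 sends. The two configuration files below show a layout in which the client side also goes through a client-mode stunnel and both ends verify the peer certificate (mutual TLS); the hostname, the certificate paths and the local port 6380 are assumptions.

```ini
; --- redis host: /etc/stunnel/redis-server.conf (added example; paths are assumptions) ---
pid = /var/run/stunnel-redis-server.pid
foreground = yes
debug = info
output = /var/log/stunnel-redis-server.log
; refuse the legacy protocol versions instead of sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[redis-server]
; TLS listener reached by remote clients; decrypted traffic goes to the local redis on 6379
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
accept = 0.0.0.0:7001
connect = 127.0.0.1:6379
; require a client certificate issued by this CA (verify = 0 would accept anyone)
CAfile = /etc/stunnel/redis-ca.pem
verify = 2

; --- client host (e.g. the HAProxy layer): /etc/stunnel/redis-client.conf ---
pid = /var/run/stunnel-redis-client.pid
foreground = yes
debug = info
output = /var/log/stunnel-redis-client.log
options = NO_SSLv2
options = NO_SSLv3
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[redis-client]
client = yes
; local plaintext endpoint: redis-cli -p 6380 or the HAProxy backend points here
accept = 127.0.0.1:6380
; remote TLS listener of the redis host's stunnel (hostname is an assumption)
connect = redis-node1.example.internal:7001
; client certificate presented to the server, and the CA used to verify the server
cert = /etc/stunnel/client-cert.pem
key = /etc/stunnel/client-key.pem
CAfile = /etc/stunnel/redis-ca.pem
verify = 2
```

With this layout the only plaintext hops are on loopback (6380 on the client host, 6379 on the redis host), and a connection that reaches port 7001 without going through the client-mode stunnel is rejected at the handshake rather than silently passed through.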