TLS certs for redis connectivity

We are connecting to Redis, which is TLS enabled. When we connect through any Redis client, we need to provide the key and cert, and then it connects successfully to the Redis DB.

When we connect to the same Redis DB through the Tyk gateway with the useSSL: true parameter, it throws an error.

2021/04/22 06:19:21 http: TLS handshake error from 172.16.34.73:19986: EOF
time="Apr 22 06:19:21" level=error msg="Redis health check failed" error="storage: Redis is either down or ws not configured" liveness-check=true prefix=main
time="Apr 22 06:19:21" level=warning msg="Reconnecting storage: Redis is either down or ws not configured" prefix=pub-sub
2021/04/22 06:19:24 http: TLS handshake error from 10.72.2.0:8391: EOF
2021/04/22 06:19:24 http: TLS handshake error from 10.72.2.0:25578: EOF

Where can we specify the key and certs in the Tyk config file for the gateway to connect to Redis?

hey @Anup_Rai
From the encryption pages on redis.io:

Client Certificate Authentication

By default, Redis uses mutual TLS and requires clients to authenticate with a valid certificate (authenticated against trusted root CAs specified by ca-cert-file or ca-cert-dir).

You may use tls-auth-clients no to disable client authentication.

Have you used a certificate on the gateway that can be validated by the root CA certs on the Redis host?

Thanks. Gregor

@Anup_Rai
I’ve been discussing this with the team; my initial assertion was wrong. Currently we don’t support connecting to Redis in this way, only on the transport layer. What version of Redis are you using?

We are using Redis version 6.2.1.

Any update on this? I’m facing the same issue.

Hi
May I know if Tyk components support mutual TLS to Redis?
In large projects, the security of both client and server is important, hence we need to set up mTLS between the client (Tyk) and the server (Redis).

If not, please provide a suggestion on how to proceed.

Thanks

May I know if Tyk components support mutual TLS to Redis?

This is not supported. We do have this feature request in our backlog. But no timeline.

If not, please provide a suggestion on how to proceed.

You could use TLS.
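The thread ends at "use TLS" without saying what that means on the Redis side. The redis.conf fragment below is an added example, not from the thread, from Tyk or from the Redis docs; it puts the default mutual-TLS requirement quoted above next to the server-only TLS setting the last reply points to. File paths, the bind address and the password are placeholders.

```conf
# Redis 6.2 TLS listener: disable the plaintext port and serve TLS only.
port 0
tls-port 6379

# Server identity. The client (here the Tyk gateway) validates this chain
# against its own trust store. Paths are placeholders for this example.
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-protocols "TLSv1.2 TLSv1.3"

# Default behaviour (mutual TLS): every client must present a certificate
# signed by the CA above. A client that cannot send one, such as the
# gateway in this thread, is cut off during the handshake, so to the
# gateway Redis simply looks "down" (the health-check error in the logs).
# tls-auth-clients yes

# Server-only TLS, the option the last reply refers to: traffic is still
# encrypted and the server is still authenticated by the client, but the
# client is no longer authenticated by certificate. Compensate with a
# strong password (or ACL users) and by restricting who can reach the port.
tls-auth-clients no
requirepass <strong-password-placeholder>
# Placeholder: listen only on the internal interface the gateway uses.
bind 10.0.0.5

# Middle ground supported by Redis 6.2 (the version in this thread):
# clients that present a certificate are verified, clients that present
# none are still accepted, so cert-capable clients keep mTLS while the
# gateway connects with server-only TLS plus password.
# tls-auth-clients optional
```

Redis treats a line starting with `#` as a comment but does not strip trailing inline comments, so keep the explanatory text on its own lines when copying this.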