How to securely connect to ElastiCache Redis instances?

0

I have a few AWS Elasticache clusters (redis 5.0.6 w/ cluster mode off). I have to connect to them using --insecure in:

docker run -it --rm redis redis-cli --verbose -h ***.cache.amazonaws.com --tls --insecure

How do I connect more securely without using --insecure? These clusters are all in the same VPC. I have another redis 5.0.6 cluster, on a different VPC and I don't have to use --insecure.

I've checked the certificate of the redis point using openssl s_client -connect ***.cache.amazonaws.com:6379

Excerpt of openssl output (for the server that needed --insecure):

CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.cccccc.bbbbb.aaa.cache.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/CN=*.cccccc.bbbbb.aaa.cache.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
subject=/CN=*.cccccc.bbbbb.aaa.cache.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5115 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1BFF846257522719FF5F8A4361C456875C5E22BB60F9F098B781A01904E0104E
    Session-ID-ctx:
    Master-Key: 31AB1BB12538735DB42BF8A85D7E4FA4849F4C4681650375D0D3FD5DE145E40AC670FCCD0A7755C3CAE3473C70256BFC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1644444088
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
tam-le
asked 2 years ago, viewed 5574 times
1 answer
1

Hello,

The insecure flag on redis-cli skips the certificate validation, and allows the use of "untrusted" (or unrecognized) certificates to establish the TLS/SSL session. Technically, data in-transit is encrypted, but you haven't confirmed if the remote peer is actually who it claims to be, hence it is considered insecure.

In your case, the docker container does not include the Amazon Root CA (Certificate Authority) used to sign Elasticache certificates.

This can be easily overcome by installing the ca-certificates package (package name valid on Debian, which is the base Operating System for Redis images).

As an example:

$ docker run -it --rm redis /bin/bash -c "apt-get update && apt-get install ca-certificates -y && redis-cli --verbose -h ***.cache.amazonaws.com --tls"

Verifying the package contents:

# dpkg -L ca-certificates | grep Amazon
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_3.crt
/usr/share/ca-certificates/mozilla/Amazon_Root_CA_4.crt

You probably want to update or create a custom image including the ca-certificates package so you don't need to install it every time the container starts.

AWS
Support Engineer
Tulio_M
answered 2 years ago
  • Thank you for the response. I thought there might be a configuration on the redis cluster so that I don't have to do additional certificate installation, because I didn't have to use --insecure on a different redis cluster.
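
The approach in the answer above (install the Amazon roots, then let redis-cli verify the chain), as an added example that is not part of the answer or of the redis image: a POSIX shell script that first checks the trust bundle actually contains the Amazon Root CAs, then passes that bundle to redis-cli with --cacert instead of turning verification off with --insecure. It assumes a redis-cli built with TLS support (Redis 6 or later, which has --cacert), openssl on the PATH, and the Debian bundle path /etc/ssl/certs/ca-certificates.crt; the cluster endpoint is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the post). Connect to ElastiCache with certificate
# verification on: check the CA bundle holds the Amazon roots, then hand it
# to redis-cli via --cacert instead of disabling verification with --insecure.
# Assumptions: redis-cli 6+ built with TLS, openssl on PATH, Debian bundle path.
set -eu

# Bundle written by the Debian ca-certificates package (override with CA_BUNDLE).
BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print how many certificates in a PEM bundle have a subject CN beginning
# "Amazon Root CA" (the roots the ElastiCache server chain ends in).
# Prints 0, without failing, when the file is missing or unreadable.
count_amazon_roots() {
  bundle="$1"
  if [ ! -r "$bundle" ]; then
    echo 0
    return 0
  fi
  # crl2pkcs7 wraps the whole bundle so pkcs7 can print every subject line;
  # matching only subject= lines avoids also counting a root's issuer= line.
  openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep '^subject=' \
    | grep -c 'CN *= *Amazon Root CA' || true
}

# Usage: connect_secure HOST [extra redis-cli args...]
# Refuses to run when the bundle cannot anchor the ElastiCache chain, so the
# failure is explicit instead of being papered over with --insecure.
connect_secure() {
  host="$1"
  shift
  if [ "$(count_amazon_roots "$BUNDLE")" -eq 0 ]; then
    echo "no Amazon Root CA in $BUNDLE: install ca-certificates first" >&2
    return 1
  fi
  redis-cli --tls --cacert "$BUNDLE" -h "$host" -p 6379 "$@"
}

# Pass your cluster endpoint (the ***.cache.amazonaws.com name) as argument 1.
if [ "$#" -gt 0 ]; then
  connect_secure "$@"
fi
```

Baking ca-certificates into a derived image, as the answer suggests, makes the default BUNDLE path valid without the apt-get step on every container start.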
