Châu Hồng Lĩnh

Reputation: 1823

Elixir: Redix package does not work with SSL on CentOS 7

I set up Redis 5.x with stunnel to accept SSL connections from clients. The setup is pretty straightforward, and I just followed the instructions from the Redis site.

It is something like: stunnel accepts client requests via an SSL connection and forwards them to redis via a non-SSL connection.

On 2 of my dev computers both running Mac OS X, the setup works fine with Ruby gem redis and Elixir Redix library.

The commands are as follows:

Ruby:

redis = Redis.new(host: "127.0.0.1", port: 6380, db: 3, ssl: true, password: 'SomeSecret :)')

redis.ping

Elixir:

{:ok, conn} = Redix.start_link( host: "127.0.0.1", port: 6380, ssl: true, password: "SomeSecret :)", socket_opts: [verify: :verify_none])

Redix.command(conn, ["PING"])

So I know that the redis + stunnel setup works well on 2 different Mac machines.

When I deploy the same setup to a Linux machine that runs CentOS 7, the Ruby client still works fine.

However, on CentOS 7, the Elixir Redix stops working, and I get the error:

{:error, %Redix.ConnectionError{reason: :closed}}

To me, it doesn't make any sense, because the stunnel + redis setup on CentOS is exactly the same as on my 2 dev Mac machines. And the Ruby client works well on all 3 machines: 2 Mac and 1 CentOS.

However, Elixir Redix works only on the 2 Mac machines, but not on CentOS. Same setup, same code.

Question: Why doesn't Elixir Redix SSL code work on CentOS, while it works on Mac?

(Same setup, same code)

More information: On both Mac machines and on CentOS machine, I have:

Erlang/OTP 22 [erts-10.4.3] [source] [64-bit]
Elixir 1.9.0 (compiled with Erlang/OTP 20)

I just discovered that on CentOS, in the log, there is an error:

TLS client: In state hello at tls_handshake.erl:182 generated CLIENT ALERT: Fatal - Protocol Version

Maybe that is the problem. But I don't see it on Mac machines.

Upvotes: 0

Views: 492

Answers (1)

legoscia

Reputation: 41648

Given the line number in the error message, we can see that the error comes from here. Thus, this error is what we get if tls_record:is_acceptable_version returns false, which means that stunnel is suggesting a TLS version that the Elixir client doesn't want to use.

You could check which TLS versions the Elixir client is prepared to use by adding this line just before the Redix.start_link call:

IO.inspect(:ssl.versions())

And you could use Wireshark and capture traffic going to port 6380 on the loopback interface, to see which TLS version stunnel wants to use - it's one of the fields in the "Server Hello" message.

Upvotes: 1
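As an added example (not part of the answer above): the version field the answer points to can also be read programmatically from the first server-to-client TLS record in a capture. The Python sketch below decodes either a ServerHello or the fatal protocol_version alert; the function names and sample bytes are constructed for illustration, and it assumes the ServerHello fits in a single record.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def parse_first_record(data: bytes) -> dict:
    """Decode the first TLS record a peer sent: a ServerHello or an alert."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype == 21 and length >= 2:             # alert: level, description
        return {"type": "alert", "fatal": body[0] == 2,
                "protocol_version": body[1] == 70}
    if ctype != 22 or length < 4 or body[0] != 2:
        raise ValueError("not a ServerHello or alert")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35 or len(hello) < 38 + hello[34]:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[:2], "big")  # version field of the hello
    pos = 35 + hello[34] + 3   # skip random, session id, suite, compression
    if pos + 2 <= len(hello):                   # extensions are optional
        ext_len = int.from_bytes(hello[pos:pos + 2], "big")
        end = min(pos + 2 + ext_len, len(hello))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:
                # supported_versions carries the real version in TLS 1.3
                version = int.from_bytes(hello[pos + 4:pos + 6], "big")
            pos += 4 + elen
    return {"type": "server_hello",
            "version": VERSIONS.get(version, hex(version))}

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, no session id)."""
    hello = version.to_bytes(2, "big") + bytes(32) + b"\x00\x00\x2f\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs

# Constructed samples, not captured from the asker's machines.
TLS10_HELLO = sample_hello(0x0301)
TLS13_HELLO = sample_hello(0x0303, b"\x00\x2b\x00\x02\x03\x04")
FATAL_ALERT = bytes.fromhex("15030300020246")  # fatal, protocol_version (70)
```

Comparing the decoded version with the output of `:ssl.versions()` shows whether the two sides have any TLS version in common.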
