CODEWITHSUNDEEP
node.jssslredisbull
jurijus01
jurijus01

Reputation: 37

How to impletent complete - not partial - TLS protection for connections of Bull.js to Redis server?

Talking about this bull.js library: https://github.com/OptimalBits/bull

So far, the only working way to do TLS for Bull.js connections to Redis server seems to be:

const someQueue = new Queue("someQueue", {
  redis: {
    host: process.env.REDIS_HOST,
    port: process.env.REDIS_PORT,
    password: process.env.REDIS_PASS,

    tls: {
      servername: process.env.REDIS_HOST,
    },
  },
});

However, this is a half-ass protection. This only protects from eavesdropping, but not from man-in-the-middle. The server verifies the client hostname and that's it. Man-in-the-middle can fully do it with a certificate of any CA - should they happen to know the domain name of redis host.

For full TLS protection rootCA cert, server cert, client cert are used. All that is supported by Redis, because it is documented in default redis.conf file.

The question is - where is all that in Bull.js settings? How to set the above-mentioned opttions? I have found no such examples. For some other Redis clients - yes, but nothing for bull.js .

Any ideas are very appreciated!

Upvotes: 0

Views: 48

Answers (1)

Steffen Ullrich
Steffen Ullrich

Reputation: 123531

Please follow the documentation:

  • redis is RedisOpts, which is documented as "RedisOpts are passed directly to ioredis constructor, check ioredis for details."
  • in ioredis you'll then find TLS Options with then refers to tls.connect for the details:
const redis = new Redis({
  host: "localhost",
  tls: {
    // Refer to `tls.connect()` section in
    // https://nodejs.org/api/tls.html
    // for all supported options
    ca: fs.readFileSync("cert.pem"),
  },
});
  • tls.connect documents additional options as "...: tls.createSecureContext() options that are used if the secureContext option is missing, otherwise they are ignored."
  • and finally in tls.createSecureContext options you'll have everything you need: cert and key for client certificates, ca as trust anchor for server certificate and many more.

How to impletent complete - not partial - TLS protection for connections of Bull.js to Redis server?

Apart from this your code already provides already "complete" protection. The ca value does not need to be explicitly given, since there are defaults. So it should already have properly checked the server certificate and not simply accept arbitrary certificates from untrusted CA just because the hostname matches.

As for client certificate: this is not used for protection but instead for authentication of the client against the server.

Upvotes: 1

Related Questions