tracker issue : CF-4205963

Title:

CF Support of Redis Sessions should support SSL/TLS connection, port 6380


Status/Resolution/Reason: To Fix//EnhancementRequired

Reporter/Name(from Bugbase): Charlie A. / ()

Created: 11/19/2019

Components: Administrator, Administrator Console

Versions: 14.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: update 5 /

Priority/Frequency: Normal /

Locale/System: / Win 2016

Vote Count: 1

In the CF Admin fields for setting up Redis-based sessions (not to be confused with Redis-based caching), there is currently no provision to enable SSL/TLS communication (over port 6380) to Redis from CF. 

There is provision in the Redis connection string for an ssl=true argument, but there is no option to enable that in the CF admin (and no means to modify the connection string, even in the underlying neo-runtime.xml file where CF stores the Redis sessionstorage information).

Please add a "use ssl/tls" checkbox on the Admin, and pass that in on the connectionstring you build for us.

This has been confirmed by a client I was working with, who found that in the Redis Client (running on the CF box), they could only connect to a redis server via ssl if they checked the "use ssl" box in the redis client. Without it, the redis client would fail to connect just like the CF Admin verification.

Then we viewed the connectionstring that his redis server (in Azure) said to use to connect, and it showed this ssl=true argument within the string...which we can't seem to "force" ourselves to put into CF.

Attachments:

Comments:

Thanks Charlie. This is a huge blocker for us right now and we would really appreciate any workaround for adding "ssl=true" to the connection string that gets used by CF to connect to Azure Cache for Redis. Without that we cannot use port 6380.
Comment by Shirzad K.
31838 | November 20, 2019 12:18:29 PM GMT
I got an email from this system reporting that a few changes had been made by someone at Adobe. Since the changes are not detailed here, I'll list them for those interested:
- it was changed to a feature request. I guess that makes sense for the request to add a button for enabling ssl. But it's technically a bug that we can't currently USE CF to connect to a Redis store via ssl
- it was changed to "to fix", as is indicated here, but the email also showed, "Version updated to '14.0'" and "Target Version updated to 'Beta'", but all I see here is "version" set to "beta" (which can be read that this was FOUND in a beta version of 2018, and it was NOT), and with no "fixed in build" it leaves the impression it will NOT be fixed
- and I will assume the 14 in the email means cf2020. Why doesn't the email use the formal versioning for the product?
Comment by Charlie A.
31902 | November 29, 2019 12:35:39 PM GMT
Hi, I'm not sure if it's 100% identical, but I have recently faced issues trying to connect CF running on Linux to an AWS Elasticache Redis Cluster with encryption in transit enabled. Essentially I had to install and configure stunnel, then set the Redis Server as "localhost" in the CFIDE administrator, which enables a successful connection. More info on this is detailed here: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
Comment by Chris G.
32036 | January 08, 2020 01:03:08 PM GMT
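
A sketch of the stunnel client configuration the workaround above relies on, added here as an example; it is not from the commenters or from Adobe. The hostname, port 6380 (taken from the issue title) and the CA bundle path are placeholders and assumptions to adapt to the actual Redis endpoint and operating system.

```ini
; Constructed example: REDIS_HOST_PLACEHOLDER, the port and the CA path
; are assumptions, not values from the tracker issue.
[redis-tls]
; stunnel acts as the TLS client on behalf of ColdFusion
client = yes

; Bind to loopback only: the leg between CF and stunnel is plaintext,
; so it must never be reachable from another host.
accept = 127.0.0.1:6379

; TLS endpoint of the managed Redis service
connect = REDIS_HOST_PLACEHOLDER:6380

; stunnel does not verify the server certificate unless told to.
; Without the next three lines the tunnel encrypts but does not
; authenticate the peer.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = REDIS_HOST_PLACEHOLDER

; Refuse legacy protocol versions (needs a recent stunnel built
; against OpenSSL 1.1.0 or later).
sslVersionMin = TLSv1.2
```

With this in place the Redis server in the CF Administrator is set to localhost, as the comment describes. Any local process can reach the loopback listener, so Redis authentication is still required.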