The Redis Command Line Interface (redis-cli) does not support SSL-enabled clients. How do I access data from an Amazon ElastiCache In-Transit encryption-enabled Redis node?

The redis-cli client does not support SSL/TLS connections. To use redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, you can use the stunnel package on your Linux-based clients. The stunnel command creates an SSL tunnel to the Redis nodes specified in the stunnel configuration. After the tunnel is established, redis-cli can connect to an in-transit encryption-enabled cluster node through it.

1. Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:  

$ sudo yum install stunnel

On Debian-based systems (Ubuntu 16): 

$ sudo apt-get install stunnel

2. In the redis-cli.conf file, add a Redis cluster endpoint to one or more connection parameters:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
  client = yes
  accept =
  connect =
[redis-cli-slave]
  client = yes
  accept =
  connect =

In this example, the config file has two connections, the redis-cli and the redis-cli-slave. The parameters are set as follows:

  • client is set to yes, to specify that this stunnel instance is a client.
  • accept is set to the client IP. In this example, the master is set to the Redis default of on port 6379. The slave must call a different port and it is set to 6380. You can use the ephemeral ports 1024 to 65535.
  • connect is set to the Redis server endpoint. For more information, see Finding Connection Endpoints.

3. Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command to confirm that the tunnels have started:

# netstat -tulnp | grep -i stunnel
tcp    0      0*        LISTEN      3189/stunnel
tcp    0      0*        LISTEN      3189/stunnel

4. You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
localhost:6379>get foo

Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface.

This example uses telnet to connect to the Redis server:

# telnet localhost 6379
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo

To stop and close the SSL tunnels, kill the stunnel process:

$ sudo pkill stunnel
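
A pre-flight check for the configuration from step 2, added here as an example and not part of the AWS article: it flags any service whose accept address is not loopback-only (which would expose the unencrypted local end of the tunnel to other hosts), accept ports used twice, and empty connect values. The function names and the `*.example.invalid` endpoints in the sample are assumptions made for the illustration.

```shell
# Added example, not AWS code: lint a stunnel client config before starting it.
# Prints one finding per line and returns 1 if anything was found.
check_stunnel_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(msg) { print sec ": " msg; bad = 1 }
    function finish(   n, p, host, port) {
        if (sec == "") return
        if (client != "yes") report("client is not yes")
        if (connect == "") report("connect (Redis endpoint) is empty")
        if (accept == "") { report("accept is empty"); return }
        n = split(accept, p, ":"); port = p[n]
        host = substr(accept, 1, length(accept) - length(port) - 1)
        # stunnel binds a port-only accept on every local address
        if (host != "127.0.0.1" && host != "localhost" && host != "::1")
            report("accept " accept " is not loopback-only")
        if (port in seen) report("accept port " port " also used by " seen[port])
        else seen[port] = sec
    }
    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[/ {                               # [service] header
        finish(); sec = trim($0); sec = substr(sec, 2, length(sec) - 2)
        client = gclient; accept = connect = ""; next
    }
    {
        eq = index($0, "="); if (!eq) next
        k = trim(substr($0, 1, eq - 1)); v = trim(substr($0, eq + 1))
        if (k == "client" && sec == "") gclient = v   # global default
        else if (k == "client") client = v
        else if (sec != "" && k == "accept") accept = v
        else if (sec != "" && k == "connect") connect = v
    }
    END { finish(); exit bad + 0 }
    ' "$1"
}
# Constructed sample config; the endpoints are placeholders, not from the page.
write_sample_conf() {
    cat > "$1" <<'EOF'
client = yes
[redis-cli]
  accept = 127.0.0.1:6379
  connect = primary.example.invalid:6379
[redis-cli-slave]
  accept = 6379
  connect =
EOF
}
conf=$(mktemp); write_sample_conf "$conf"
check_stunnel_conf "$conf" || echo "fix the findings above before starting stunnel"
rm -f "$conf"
```

Run the function against /etc/stunnel/redis-cli.conf before step 3; no output and exit status 0 mean every tunnel listens on loopback only, on its own port.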


Published: 2018-06-27