The Redis Command Line Interface (redis-cli) does not support SSL-enabled clients. How do I access data from an Amazon ElastiCache In-Transit encryption-enabled Redis node?

The redis-cli client does not support SSL/TLS connections. To use redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, you can use the stunnel package on your Linux-based clients. The stunnel command creates an SSL tunnel to each Redis node specified in the stunnel configuration. After the tunnel is established, redis-cli can connect through it to an in-transit-encryption-enabled cluster node.

1. Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:

$ sudo yum install stunnel

On Debian-based systems (Ubuntu 16):

$ sudo apt-get install stunnel

2. In the /etc/stunnel/redis-cli.conf file, add one or more connection sections, each pointing at a Redis cluster endpoint:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
  client = yes
  accept = 127.0.0.1:6379
  connect = master.ssltest.wif0lh.use1.cache.amazonaws.com:6379
[redis-cli-slave]
  client = yes
  accept = 127.0.0.1:6380
  connect = ssltest-002.ssltest.wif0lh.use1.cache.amazonaws.com:6379

In this example, the config file defines two connections, redis-cli and redis-cli-slave. The parameters are set as follows:

  • client is set to yes, to specify that this stunnel instance is a client.
  • accept is set to the local address and port that stunnel listens on. In this example, the master tunnel uses the Redis default of 127.0.0.1 on port 6379. The slave tunnel must listen on a different local port, so it is set to 6380. You can use the ephemeral ports 1024 to 65535.
  • connect is set to the Redis server endpoint. For more information, see Finding Connection Endpoints.

3. Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command to confirm that the tunnels have started:

# netstat -tulnp | grep -i stunnel
tcp    0      0 127.0.0.1:6379      0.0.0.0:*        LISTEN      3189/stunnel
tcp    0      0 127.0.0.1:6380      0.0.0.0:*        LISTEN      3189/stunnel
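As an added example (not part of this AWS article), the following shell helpers generate the stunnel client config from step 2 for any number of endpoints, each on its own loopback port, and check netstat output the way step 3 does. Hostnames and the netstat lines are constructed; the CA bundle path and the verify/CAfile lines, which make stunnel reject a server certificate that does not chain to a trusted CA (the article's config does not set them), are my assumption.

```shell
#!/bin/sh
# Added example, not from the AWS article. Hostnames below are constructed.
# The CA bundle path is an assumption (Debian/Ubuntu layout); adjust for your distro.
STUNNEL_CAFILE=${STUNNEL_CAFILE:-/etc/ssl/certs/ca-certificates.crt}

# gen_stunnel_conf NAME:LOCALPORT:REMOTEHOST[:REMOTEPORT] ...
# Prints a client-side stunnel config: one [section] per tunnel, each
# accepting only on 127.0.0.1 so the plaintext leg never leaves the host.
# Unlike the article's config it also sets 'verify = 2' so stunnel refuses
# a server certificate that does not chain to the CA bundle.
gen_stunnel_conf() {
    printf 'fips = no\npid = /var/run/stunnel.pid\n'
    printf 'options = NO_SSLv2\noptions = NO_SSLv3\n'
    printf 'verify = 2\nCAfile = %s\n' "$STUNNEL_CAFILE"
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        lport=${rest%%:*}; rest=${rest#*:}
        rhost=${rest%%:*}
        case "$rest" in *:*) rport=${rest##*:} ;; *) rport=6379 ;; esac
        printf '[%s]\n  client = yes\n  accept = 127.0.0.1:%s\n  connect = %s:%s\n' \
            "$name" "$lport" "$rhost" "$rport"
    done
}

# tunnels_listening CONF NETSTAT_OUTPUT
# Succeeds only if every 'accept' address in CONF shows up as a LISTEN socket
# owned by stunnel in NETSTAT_OUTPUT (what 'netstat -tulnp' prints as root).
tunnels_listening() {
    conf=$1; ns=$2
    addrs=$(printf '%s\n' "$conf" | sed -n 's/^ *accept *= *//p')
    [ -n "$addrs" ] || { echo "no accept lines in config" >&2; return 1; }
    for addr in $addrs; do
        printf '%s\n' "$ns" | grep -F "$addr " | grep LISTEN | grep stunnel >/dev/null \
            || { echo "no stunnel listener on $addr" >&2; return 1; }
    done
    return 0
}

# Usage on a real client (stunnel installed, run as root):
#   gen_stunnel_conf redis-cli:6379:master.ssltest.example.invalid \
#       redis-cli-slave:6380:replica.ssltest.example.invalid > /etc/stunnel/redis-cli.conf
#   stunnel /etc/stunnel/redis-cli.conf
#   tunnels_listening "$(cat /etc/stunnel/redis-cli.conf)" "$(netstat -tulnp)" \
#       && redis-cli -h 127.0.0.1 -p 6379 ping
```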

4. You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
OK
localhost:6379>get foo
"bar"

Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface.

This example uses telnet to connect to the Redis server:

# telnet localhost 6379
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo
$3
bar

To stop and close the SSL tunnels, kill the stunnel process:

$ sudo pkill stunnel


Published: 2018-06-27