How do I connect to an Amazon ElastiCache In-Transit encryption-enabled Redis node using redis-cli?

Last updated: 2019-04-30

The Redis Command Line Interface (redis-cli) does not support SSL-enabled clients. How do I access data from an Amazon ElastiCache In-Transit encryption-enabled Redis node?

Short Description

The redis-cli client does not support SSL/TLS connections. To use redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, you can use the stunnel package on your Linux-based clients. The stunnel command creates an SSL tunnel to the Redis nodes specified in the stunnel configuration. After the tunnel is established, you can use redis-cli to connect to an in-transit encryption-enabled cluster node.


1.    Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:

$ sudo yum install stunnel

On Debian-based systems (Ubuntu 16):

$ sudo apt-get install stunnel

2.    In the redis-cli.conf file, add a Redis cluster endpoint to one or more connection parameters:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
  client = yes
  accept =
  connect =
[redis-cli-slave]
  client = yes
  accept =
  connect =

In this example, the config file has two connections, the redis-cli and the redis-cli-slave. The parameters are set as follows:

  • client is set to yes, to specify that this stunnel instance is a client.
  • accept is set to the client IP. In this example, the master is set to the Redis default of on port 6379. The slave must call a different port and it is set to 6380. You can use the ephemeral ports 1024 to 65535.
  • connect is set to the Redis server endpoint. For more information, see Finding Connection Endpoints.

3.    Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command to confirm that the tunnels have started:

# netstat -tulnp | grep -i stunnel
tcp    0      0*        LISTEN      3189/stunnel
tcp    0      0*        LISTEN      3189/stunnel

4.    You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
localhost:6379>get foo

Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface.

This example uses telnet to connect to the Redis server:

# telnet localhost 6379
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo

Run the pkill command to stop and close the SSL tunnels:

$ sudo pkill stunnel
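
The configuration in step 2 sets no certificate verification options, so the tunnel encrypts traffic but does not authenticate the Redis endpoint, and it runs stunnel as root. The shell function below is an added example, not part of the original article or AWS code; it lints a stunnel client config for those gaps. The endpoint name, accept address, CA bundle path and the stunnel user in the samples are constructed placeholders.

```sh
# Added example, not AWS code: lint a stunnel client config read from stdin or a file.
# Prints one finding per line and returns 1 if there are any.
audit_stunnel_conf() {
    awk '
    function flag(msg) { print msg; bad = 1 }
    function finish() {                      # judge the service section just read
        if (svc == "" || s["client"] != "yes") return
        ok = (s["verifychain"] == "yes" || s["verifypeer"] == "yes" || s["verify"] + 0 >= 2)
        if (!ok) flag(svc ": server certificate is never verified")
        else if (s["cafile"] == "" && s["capath"] == "") flag(svc ": verification on but no CAfile/CApath")
        if (ok && s["checkhost"] == "") flag(svc ": no checkHost, any cert from a trusted CA is accepted")
    }
    /^[ \t]*([;#]|$)/ { next }               # comments and blank lines
    { gsub(/^[ \t]+|[ \t]+$/, "") }          # trim surrounding whitespace
    /^\[.*\]$/ {
        finish(); svc = substr($0, 2, length($0) - 2)
        split("", s); for (k in g) s[k] = g[k]   # global values act as service defaults
        next
    }
    /=/ {
        key = tolower($0); sub(/[ \t]*=.*/, "", key)
        val = $0;          sub(/^[^=]*=[ \t]*/, "", val)
        if (svc == "") g[key] = val; else s[key] = val
        if (key == "setuid" && val == "root") flag("global: setuid = root, stunnel keeps root privileges")
    }
    END { finish(); exit bad }
    ' "$@"
}
# Constructed samples: the first mirrors the layout in step 2, the second adds verification.
sample_weak() { cat <<'EOF'
setuid = root
[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = redis.example.internal:6379
EOF
}
sample_hardened() { cat <<'EOF'
setuid = stunnel
[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = redis.example.internal:6379
CAfile = /etc/pki/tls/certs/ca-bundle.crt
verifyChain = yes
checkHost = redis.example.internal
EOF
}
sample_weak | audit_stunnel_conf || true     # prints the two findings for the weak sample
```

To check a real file, run audit_stunnel_conf /etc/stunnel/redis-cli.conf before starting the tunnel.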
