
TLS profiles for Redis Cloud are to become outdated #1634

Closed
joniredis opened this issue Aug 13, 2022 · 6 comments · Fixed by #1637
@joniredis

The ioredis library comes with predefined TLS profiles containing the public CAs for Redis Cloud Fixed and Flexible subscriptions.

So far, the leaf certificates for both Redis Cloud tiers have been signed by a self-signed chain. However, shortly we will start replacing all leaf certificates across Redis Cloud with certificates signed by GlobalSign. For that purpose, we are now publishing a new certificate PEM bundle that includes the public chains for both the old Fixed and Flexible self-signed CAs, as well as the GlobalSign CA. We are advising our customers to start using this bundle as of now in order to avoid any disruption to their services when the current certificates are replaced.

The PEM bundle contains 5 certificates:

  • Fixed root CA
  • Flexible root CA + Intermediate CA
  • GlobalSign root CA + Intermediate CA

```
$ keytool -printcert -file ~/Desktop/redis_ca.pem | grep "Owner"
Owner: CN=SSL Certification Authority, O=Garantia Data
Owner: CN=RCP Intermediate Certificate Authority, O=RedisLabs, ST=CA, C=US
Owner: CN=RedisLabs Root Certificate Authority, O=RedisLabs, L=CA, ST=CA, C=US
Owner: CN=GlobalSign Atlas R3 OV TLS CA 2022 Q2, O=GlobalSign nv-sa, C=BE
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
```

Since ioredis currently comes with the default TLS profiles for Redis Cloud, it seems that those should be replaced as well, at a minimum.

Having said that, while discussing with the team within Redis, the consensus is that ioredis should ideally not include any TLS profile for customers. This will not only avoid the burden on the library maintainers to continue updating the TLS profiles, but it will also require users of this library to be explicitly aware of the chains they trust for their applications.

WDYT?

Disclaimer: I am a product manager for Redis Cloud.
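Added example (not ioredis's own code, nor code from the issue author): how an application would load the CA bundle described above explicitly into the `tls` options that ioredis passes through to Node's `tls.connect`, instead of relying on a built-in profile. The sample bundle, the endpoint name and the `expectedCount` guard are constructed assumptions for illustration.

```javascript
// Regex for one PEM certificate block; non-greedy so each block is matched separately.
const PEM_CERT_RE = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Split a PEM bundle into individual certificate blocks. A CA bundle must only
// carry public certificates, so anything resembling a private key is rejected.
function splitPemCertificates(bundle) {
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(bundle)) {
    throw new Error('CA bundle must not contain private keys');
  }
  const certs = bundle.match(PEM_CERT_RE) || [];
  if (certs.length === 0) {
    throw new Error('no CERTIFICATE blocks found in bundle');
  }
  return certs;
}

// Build the `tls` object for `new Redis({ ..., tls })`. `expectedCount` guards
// against a truncated download (the bundle described above carries 5 certificates).
function buildTlsOptions(bundle, servername, expectedCount) {
  const ca = splitPemCertificates(bundle);
  if (expectedCount !== undefined && ca.length !== expectedCount) {
    throw new Error(`expected ${expectedCount} certificates, found ${ca.length}`);
  }
  return {
    ca,                        // explicit trust anchors; nothing else is trusted
    servername,                // SNI and hostname verification target
    rejectUnauthorized: true,  // never silently accept an unverified chain
    minVersion: 'TLSv1.2',
  };
}

// Constructed sample: five placeholder CERTIFICATE blocks, not real certificates.
const SAMPLE_BUNDLE = Array.from({ length: 5 }, (_, i) =>
  `-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVIj${i}\n-----END CERTIFICATE-----`).join('\n');

// Real usage, assuming redis_ca.pem is the downloaded bundle and the host is your
// own Redis Cloud endpoint (placeholder below):
// const fs = require('fs');
// const Redis = require('ioredis');
// const endpoint = '<your-redis-cloud-endpoint>';
// const redis = new Redis({
//   host: endpoint,
//   port: 12345,
//   tls: buildTlsOptions(fs.readFileSync('redis_ca.pem', 'utf8'), endpoint, 5),
// });

module.exports = { splitPemCertificates, buildTlsOptions, SAMPLE_BUNDLE };
```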

@luin
Collaborator

luin commented Aug 13, 2022

Hey @joniredis 👋,

> Having said that, while discussing with the team within Redis, the consensus is that ioredis should ideally not include any TLS profile for customers. This will not only avoid the burden on the library maintainers to continue updating the TLS profiles, but also it will require for users of this library to explicitly be aware of the chains they trust for their applications.

That makes sense!

> Since this ioredis currently comes with the default TLS profiles for Redis Cloud, it seems that those should be replaced as well at a minimum.

Do you have a specific timeline for replacing the certificates, and for when the current certificates will stop working?

@joniredis
Author

@luin at the moment we are testing the new certificates on selected databases, and depending on the results we will gradually roll out to new and existing databases. Likely this will happen over the course of the next six months or so.

Depending on your position on whether to include the Redis Cloud TLS profiles by default or not, I would suggest immediately replacing the existing TLS profile public certificates with the new single bundle, which will work with both existing certificates for Fixed and Flexible and also be prepared for the new GlobalSign certificates. Perhaps sometime after that, as a breaking change, you could consider shipping the library without the defaults.

@luin
Collaborator

luin commented Aug 15, 2022

I'm going to deprecate built-in profiles in the next major version and have updated the docs. Is it possible for you to provide a Redis Cloud database instance with TLS support so that I can use them for testing?

@luin
Collaborator

luin commented Aug 19, 2022

@joniredis Thanks for that! I created a PR #1637 to update certificates and I've tested that it was able to connect to the endpoint you provided. Can you or anyone in your team review the PR?

@github-actions

🎉 This issue has been resolved in version 5.2.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

@joniredis
Author

@luin thanks so much for your support!
