我有一个Redis集群,我希望设置stunnel,以加密进出每个主/从,以及来自redis之上的HAproxy层的流量。我已使用以下配置文件配置stunnel:
pid=/var/stunnel-redis.pid
foreground = yes
debug = info
output = stunnel.log
sslVersion = all
#options = NO_SSLv2
fips = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[redis-server]
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
TIMEOUTclose = 0
accept = 0.0.0.0:7001
connect = 127.0.0.1:7002
[redis-client]
client = yes
accept = 127.0.0.1:7002
connect = 127.0.0.1:6379
CAfile = /etc/stunnel/redis.pem
verify = 0
编辑我应该解释每个服务是如何设置的,网络方式。
redis-server 绑定127.0.0.1:6379
stunnel redis-server 绑定0.0.0.0:7001
stunnel redis-client 绑定127.0.0.1:7002
redis客户端连接将在0.0.0.0:7001连接到stunnel的redis-server。然后,Stunnel将在127.0.0.1:7002上连接到redis-client,而stunnel的redis-client将在127.0.0.1:6379上连接到redis服务器。
尝试运行redis-cli -h my_remote_stunnel_ip -p 7001时,我在日志中收到以下错误:
2017.01.31 09:45:11 LOG3[16062]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017.01.31 09:45:11 LOG5[16062]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
我尝试停用配置中的redis-client部分,我尝试将sslVersion更改为sslVersion = TLSv1,sslVersion = TLSv1.2。当我将sslVersion更改为sslVersion = TLSv1时,尝试连接时收到以下错误:
2017.01.31 09:38:33 LOG3[15830]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
这是由于版本不匹配造成的吗?如果是这样,怎么样?两个守护进程都在同一主机上运行。
编辑: openssl s_client -connect的输出:7001 -tls1:
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2452 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0A05C63AA7596D37B4D18B5CF377213A0B245B681E3E1CD28506E877311A862A
Session-ID-ctx:
Master-Key: 54EE658224A3BB08E25416F05CBCAB5D58EA075E7C157AEE31B94D2AA289CE694558CDF27B3EA0B8FB90738C3EEE4EE8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 12 55 cd c7 bc ab e8 6c-c7 e7 ca 9c 05 bf 5b dd .U.....l......[.
0010 - bb 17 b9 d5 68 e0 be 54-a1 b6 06 00 0a fe db 17 ....h..T........
0020 - 4a 89 93 6b 95 18 1e be-45 f9 cb a8 6c 07 5b 45 J..k....E...l.[E
0030 - ef 47 60 b7 0d 7e 51 95-ca 68 48 5f 03 5b d9 0e .G`..~Q..hH_.[..
0040 - 62 0b f5 33 bb b6 ce 03-6d d7 d3 69 12 de 3a 63 b..3....m..i..:c
0050 - db 8d 98 ba ac e6 e1 f8-9a f1 b1 50 5e 63 1a 24 ...........P^c.$
0060 - 9c ad 1d a8 ef 85 9d 64-9a 00 d7 76 b3 77 73 05 .......d...v.ws.
0070 - dc 04 94 ae c3 c7 89 3e-26 c1 25 d7 a7 f2 45 97 .......>&.%...E.
0080 - f8 2d e9 21 cc 7c 44 e2-a8 3d 93 00 e5 09 d0 38 .-.!.|D..=.....8
0090 - 53 4f 22 fd 75 52 37 f8-3d c5 0e 22 5a 55 b4 8b SO".uR7.=.."ZU..
Start Time: 1485881728
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=104