Redis 6.0 offers two great security features: TLS and ACL. The authentication mechanism for users is still a password that is shared between client and redis server. This shared password couples client and server and makes it necessary to co-ordinate. Supporting mutual authentication over TLS will eliminate this co-ordination.
Comment From: yossigo
@vkasar This is a great idea, I think it even came up a few times in the past. Do you think just applying a pattern on the certificate subject DN would be sufficient?
Comment From: vkasar
@yossigo Good to know you think it is a great idea. The attributes of subject DN that are used for mutual authentication vary wildly. To keep things flexible in redis, we should accept any combination of at least UID, OU and CN. Examples:
```
# Allow certificate with matching value for attribute UID in the DN for user alice
allow-distinguished-name alice UID=u1
# Allow certificate with matching value for attribute CN in the DN for user bob
allow-distinguished-name bob CN=c2
# Allow certificate with matching value for all of attributes UID, CN and OU in the DN for user joe
allow-distinguished-name joe UID=u3 CN=c3 OU=o3
```
You probably meant a similar thing when you said "applying a pattern on the certificate subject DN".
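The matching logic sketched in the comment above, as an added example that is not part of this thread and not Redis code: it parses the proposed `allow-distinguished-name <user> ATTR=value ...` rules, parses a client certificate's subject DN, and returns the user a certificate maps to. The directive name, the rule syntax and the DN string format are assumptions taken from the proposal; a real implementation would read attributes from the TLS library's parsed X.509 name, and the check only means anything after the handshake has already validated the client certificate chain against the configured CA (otherwise anyone can mint a certificate with whatever DN they like).

```python
"""Map a TLS client certificate's subject DN to a Redis user, following the
rule syntax proposed in the thread. Constructed example; no such directive
exists in Redis as of this discussion."""

from typing import Dict, List, Optional, Tuple

# Attributes the proposal says a rule may combine (assumption from the thread).
ALLOWED_ATTRS = {"UID", "OU", "CN"}

Rule = Tuple[str, Dict[str, str]]


def parse_rule(line: str) -> Rule:
    """Parse `allow-distinguished-name <user> ATTR=value [ATTR=value ...]`."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "allow-distinguished-name":
        raise ValueError(f"malformed rule: {line!r}")
    user = parts[1]
    required: Dict[str, str] = {}
    for token in parts[2:]:
        attr, sep, value = token.partition("=")
        attr = attr.upper()
        if not sep or attr not in ALLOWED_ATTRS or not value:
            raise ValueError(f"unsupported attribute in rule: {token!r}")
        if attr in required:
            raise ValueError(f"duplicate attribute {attr} in rule: {line!r}")
        required[attr] = value
    return user, required


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514-style subject DN such as 'CN=c3,OU=o3,UID=u3'.
    Assumption: no escaped commas in values. Production code should take the
    attributes from the parsed X.509 name instead of splitting strings."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[attr.strip().upper()] = value.strip()
    return attrs


def match_user(rules: List[Rule], subject: Dict[str, str]) -> Optional[str]:
    """Return the single user whose rule matches the certificate subject.

    Every attribute listed in a rule must match exactly; attributes the rule
    does not mention are ignored. If rules for more than one user match, no
    user is returned: an ambiguous mapping would let the certificate holder
    pick which identity they get, so it is safer to refuse the connection."""
    matched_users = {
        user for user, required in rules
        if all(subject.get(attr) == value for attr, value in required.items())
    }
    if len(matched_users) == 1:
        return next(iter(matched_users))
    return None


# The three rules from the comment above (constructed configuration).
RULES: List[Rule] = [
    parse_rule("allow-distinguished-name alice UID=u1"),
    parse_rule("allow-distinguished-name bob CN=c2"),
    parse_rule("allow-distinguished-name joe UID=u3 CN=c3 OU=o3"),
]

if __name__ == "__main__":
    for dn in ("UID=u1,CN=anything", "CN=c2,OU=o9",
               "UID=u3,CN=c3,OU=o3", "UID=u3,CN=c3", "UID=u1,CN=c2"):
        print(f"{dn:28} -> {match_user(RULES, parse_subject_dn(dn))}")
```

The last two inputs show the two failure modes worth testing: a certificate that satisfies only part of joe's rule maps to nobody, and a certificate that satisfies both alice's and bob's rules is rejected rather than resolved by rule order.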
Comment From: jakule
Any updates on this?