In a gossip message, every node in the cluster sends its own network information, including:

typedef struct {
    // ...
    uint16_t port;       /* TCP base port number. */
    uint16_t pport;      /* Sender TCP plaintext port, if base port is TLS */
    uint16_t cport;      /* Sender TCP cluster bus port */
    // ...
} clusterMsg;

However, if nodes in the cluster have enabled TLS connections for clients but not for the cluster bus (server.tls_cluster set to 0), a node will not have the TLS ports of the other nodes.

/* Derives our ports to be announced in the cluster bus. */
void deriveAnnouncedPorts(int *announced_port, int *announced_pport, int *announced_cport) {
    int port = server.tls_cluster ? server.tls_port : server.port;
    /* Default announced ports. */
    *announced_port = port;
    *announced_pport = server.tls_cluster ? server.port : 0;
    *announced_cport = server.cluster_port ? server.cluster_port : port + CLUSTER_PORT_INCR;
    //...
}

So when CLUSTER NODES is received or a MOVED error happens, the node cannot return correct port information to the client.

Currently, to solve this, we have to use TLS in the cluster bus if we want to provide TLS service for clients.

However, internal communication should not be coupled with the external service.

I think we can decouple the use of TLS in the cluster bus and in client connections by adding a tls_port to the gossip header, which is set when TLS is enabled for client connections, replacing the pport, so that complete network information is propagated through gossip. And the server should return either the TCP or the TLS port depending on which protocol layer the client is using to connect, not on whether TLS is used in the cluster bus.

Also, the TLS port should be added to the nodes.conf file and to the return of the CLUSTER NODES command, to persist and display complete cluster information.
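To make the gap concrete, here is an added C model (not Redis code) of the current deriveAnnouncedPorts() logic beside the decoupled derivation proposed above; ServerCfg, Announced, derive_current, derive_proposed and port_for_client are hypothetical names, the gossip header layout is assumed, and the port values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define CLUSTER_PORT_INCR 10000 /* Redis default cluster bus offset */

/* Hypothetical stand-in for the server.* fields used in the issue. */
typedef struct { int port, tls_port, tls_cluster, cluster_port; } ServerCfg;

/* Gossip header ports: current fields plus the proposed tls_port (hypothetical layout). */
typedef struct { uint16_t port, pport, tls_port, cport; } Announced;

/* Current behaviour, mirroring deriveAnnouncedPorts() quoted above:
 * when tls_cluster == 0 the TLS client port is never announced. */
Announced derive_current(const ServerCfg *s) {
    Announced a = {0, 0, 0, 0};
    int port = s->tls_cluster ? s->tls_port : s->port;
    a.port = (uint16_t)port;
    a.pport = (uint16_t)(s->tls_cluster ? s->port : 0);
    a.cport = (uint16_t)(s->cluster_port ? s->cluster_port
                                         : port + CLUSTER_PORT_INCR);
    return a;
}

/* Proposed decoupling: announce plaintext and TLS client ports as two
 * independent fields; pport is no longer needed and stays 0. */
Announced derive_proposed(const ServerCfg *s) {
    Announced a = derive_current(s);   /* keeps the cport derivation */
    a.port = (uint16_t)s->port;
    a.pport = 0;
    a.tls_port = (uint16_t)s->tls_port;
    return a;
}

/* Port to return to a client (MOVED, CLUSTER NODES) chosen by the protocol
 * the client connected with. Returns 0 when the header lacks that port. */
uint16_t port_for_client(const Announced *a, int client_is_tls) {
    if (client_is_tls) {
        if (a->tls_port) return a->tls_port;   /* proposed header */
        return a->pport ? a->port : 0;         /* current: base is TLS only if pport set */
    }
    return a->pport ? a->pport : a->port;
}

int main(void) {
    ServerCfg cfg = {6379, 6380, 0, 0}; /* constructed: TLS clients, plaintext bus */
    Announced cur = derive_current(&cfg), prop = derive_proposed(&cfg);
    printf("current : TLS client gets port %u\n", port_for_client(&cur, 1));
    printf("proposed: TLS client gets port %u\n", port_for_client(&prop, 1));
    return 0;
}
```

With the plaintext cluster bus the current header yields 0 (the TLS port was never gossiped), while the proposed header yields 6380; flipping tls_cluster to 1 shows both derivations agreeing.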

Comment From: murphyjacob4

Duplicate of #12006

Comment From: soloestoy

It's a long story around TLS and cluster. TLS was originally implemented in #6236, and initially, in cluster mode, when tls-cluster is enabled, Redis can only return the TLS port to the user.

Then @zuiderkwast raised the problem in #8134 and fixed it in #8587, but not completely (see the summary https://github.com/redis/redis/pull/8587#pullrequestreview-611665417); we left the issue (serve TLS ports to TLS clients in a non-TLS cluster, meaning a cluster with a non-TLS cluster bus) to be solved in the future.

@redis/core-team @zuiderkwast I think it's time to complete the remaining work now.

Comment From: madolson

This does seem like a duplicate of #12006; I'm not sure if there is anything that this issue adds in addition. I'll post my suggestion here:

Starting in Redis 8, I think we need to consume two additional flags from mflags, one that indicates the new schema and one that indicates whether or not the primary port is TLS. We need it to be backwards compatible so we can gracefully upgrade between 7 and 8, so we can't change the format.

Also TLS port should be added to routing table, to persist complete cluster information.

Do you mean the nodes.conf file? I agree, it should be there. I still think it's a gap that it is not.

Comment From: CharlesChen888

@madolson

Do you mean the redis.conf file?

I mean the nodes.conf file, and what CLUSTER NODES returns. And I agree with your suggestion.

Comment From: madolson

I mean the nodes.conf file, and what CLUSTER NODES returns. And I agree with your suggestion.

Ack, that makes a lot more sense.