Describe the bug
Redis server starts up with error "Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=9)" in redis.log.
To reproduce
configuration related to SSL is as below:
port 0
tls-port 6379
tls-cert-file /d/d1/jsm/certs/redis.crt
tls-key-file /d/d1/jsm/certs/redis.key
tls-ca-cert-file /d/d1/jsm/certs/ca.crt
tls-auth-clients optional
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers HIGH:!3DES
Expected behavior
The error is unexpected.
Additional information
Not sure what I missed, but the same configuration in another environment is working fine.
Comment From: duj4
From the output of "client list", the connection is from local and it seems the local redis-cli is trying to connect to redis-server.
Comment From: hwware
Generally, the error "Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=9)" happens when a client connects to the redis server without the ssl argument; I am not sure why it does not work in one environment and works in another.
Try to compile the redis server with: make BUILD_TLS=yes, and follow the steps from https://redis.io/docs/management/security/encryption/ in every separate environment. Thanks
Comment From: duj4
hi @hwware, thanks for your reply. I installed redis 6.2.7 via yum and there is no manual build process in that case; meanwhile I configured the ssl-related parameters in the configuration file. I reinstalled redis but the issue remained.
Comment From: duj4
hi @hwware, once I removed 127.0.0.1 from the bind list and left the local IP address only, the warning was gone. It seems there might be an unknown connection to the local server. Btw, how can I check whether the rpm is built with "BUILD_TLS=yes"?
Comment From: hwware
> hi @hwware, once I removed 127.0.0.1 from the bind list and left the local IP address only, the warning was gone. It seems there might be an unknown connection to the local server. Btw, how can I check whether the rpm is built with "BUILD_TLS=yes"?
Sorry, I have no experience with non-manual build processes, so I do not know how to check whether the rpm is built with "BUILD_TLS=yes". I think there should be a way to build it manually.
Comment From: yossigo
@duj4 If your Redis package was not built with TLS support, the tls-port configuration parameter will not be supported and you'll get an error if you try to use it.
Comment From: garry-t
Same for me with Redis version 7.2.4, Ubuntu 20.04, OpenSSL 1.1.1f. Redis was built with TLS support; after the build, all tests passed. Self-signed certificates were used, generated by me and also from the script ./utils/gen-test-certs.sh.
Same error for sentinel and for redis.
11964:M 29 Jan 2024 19:56:28.325 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=127.0.0.1:33968 laddr=127.0.0.1:6380)
@yossigo Either you forgot to specify important settings in the docs, or Redis in HA mode with TLS doesn't work completely.
Removing 127.0.0.1 from the bind address didn't help.
redis.conf
port 0
# TLS
tls-port 6380
tcp-backlog 10000
tcp-keepalive 300
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
tls-cert-file /opt/ssl/redis.crt
tls-key-file /opt/ssl/redis.key
tls-ca-cert-file /opt/ssl/redis-ca.crt
tls-session-caching yes
tls-session-cache-size 20480
redis-cli -h 10.0.0.4 -p 6380 -a <pass> --cacert /opt/ssl/redis-ca.crt --no-auth-warning ping
I/O error
I/O error
Error: Connection reset by peer
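The "wrong version number" line is OpenSSL's way of saying the first bytes on the socket were not a TLS record, which is what a plaintext client (a redis-cli invocation without --tls, a health check, a monitoring agent) produces when it connects to a tls-port. The following is an added example, not part of this issue or of the Redis project: a small Python triage script that scans a redis.log for these accept errors and counts them per peer address and per local listener, so the offending client can be located. The log lines it contains are constructed to mirror the two formats quoted in this thread (the older "(conn: fd=N)" form and the newer "(addr=... laddr=...)" form); the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample log (not copied from any real server); the formats
# mirror the lines quoted in this thread.
SAMPLE_LOG = """\
11964:M 29 Jan 2024 19:56:28.325 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=127.0.0.1:33968 laddr=127.0.0.1:6380)
11964:M 29 Jan 2024 19:56:33.330 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=127.0.0.1:33974 laddr=127.0.0.1:6380)
11964:M 29 Jan 2024 19:56:38.101 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=10.0.0.9:51002 laddr=10.0.0.4:26380)
11964:M 29 Jan 2024 19:56:40.000 * Ready to accept connections tls
5121:M 14 Mar 2022 10:01:02.003 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=9)
"""

# One regex for both log formats. Redis writes "pid:role timestamp # message";
# the trailing parenthesis either carries addr/laddr or only a file descriptor.
WRONG_VERSION = re.compile(
    r"^(?P<pid>\d+):(?P<role>[A-Z]) (?P<ts>\d{2} \w{3} \d{4} [\d:.]+) # "
    r"Error accepting a client connection: .*?wrong version number "
    r"\((?:addr=(?P<addr>[^ ]+) laddr=(?P<laddr>[^)]+)|conn: fd=(?P<fd>\d+))\)$"
)


def split_host_port(hostport):
    """'127.0.0.1:33968' -> ('127.0.0.1', '33968'); also copes with '[::1]:6380'."""
    host, _, port = hostport.rpartition(":")
    return host, port


def parse_wrong_version_errors(log_text):
    """Return one dict per 'wrong version number' accept error found in the log."""
    events = []
    for line in log_text.splitlines():
        m = WRONG_VERSION.match(line)
        if not m:
            continue
        if m.group("addr"):
            peer, _ = split_host_port(m.group("addr"))
            _, local_port = split_host_port(m.group("laddr"))
        else:
            # Older Redis versions log only the fd, so the peer is unknown;
            # "client list" or ss/netstat at the time of the error is needed.
            peer = "unknown (fd=%s)" % m.group("fd")
            local_port = "unknown"
        events.append({"ts": m.group("ts"), "peer": peer, "listener": local_port})
    return events


def summarize_by_peer(events):
    """Count errors per (peer host, local listener port) so the noisy client stands out."""
    return Counter((e["peer"], e["listener"]) for e in events)


if __name__ == "__main__":
    for (peer, listener), n in summarize_by_peer(parse_wrong_version_errors(SAMPLE_LOG)).most_common():
        print(f"{n:4d} plaintext connection attempt(s) from {peer} to tls-port {listener}")
```

Run it against the real file with `parse_wrong_version_errors(open("/var/log/redis/redis.log").read())`. A peer of 127.0.0.1 hitting the port every few seconds is the signature of a local health check or agent that was never given --tls; a peer on another host points at an application client or a replica/Sentinel whose tls-replication setting does not match.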
Comment From: garry-t
Finally I was able to find all the issues:
1. 11964:M 29 Jan 2024 19:56:28.325 # Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (addr=127.0.0.1:33968 laddr=127.0.0.1:6380) These errors were related to Consul checks that were missing --tls in the redis-cli command.
2. SENTINEL does not inherit the TLS config from redis.conf, so to make it work you need to replicate the configs from redis.conf in sentinel.conf.
cat /opt/redis-conf/sentinel.conf
# BEGIN ANSIBLE MANAGED BLOCK
# redis-sentinel 7.2.4 configuration file
# sentinel_26380.conf
supervised no
daemonize yes
pidfile "/var/run/redis/redis-sentinel.pid"
logfile "/var/log/redis/redis-sentinel.log"
loglevel notice
dir "/opt/redis-server"
port 0
tls-port 26380
requirepass "PASS"
protected-mode no
sentinel announce-ip "IP"
tls-cert-file "/opt/ssl/redis.crt"
tls-key-file "/opt/ssl/redis.key"
tls-ca-cert-file "/opt/ssl/redis-ca.crt"
tls-auth-clients no
tls-replication yes
sentinel monitor master IP 6380 2
sentinel auth-pass master PASS
sentinel down-after-milliseconds master 5000
sentinel master-reboot-down-after-period master 5000
# END ANSIBLE MANAGED BLOCK
3. redis-py connects to Sentinel via TLS but the function call discover-master runs via plain TCP. This is still not resolved.
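Because Sentinel reads its own file and nothing from redis.conf, a TLS-only Redis behind a Sentinel that still has only `port` set (or has `tls-port` but not `tls-replication yes`) silently mixes plaintext and TLS listeners. The following is an added example, not code from this issue or from the Redis project: a Python checker that parses both files with Redis's "directive value" syntax and reports the TLS directives that sentinel.conf is missing relative to redis.conf. The sample configs are constructed to mirror the shape of the files quoted above; the function names and finding texts are this example's own.

```python
import shlex

# Constructed sample configs (not copied from any real deployment).
REDIS_CONF = """\
port 0
tls-port 6380
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
tls-cert-file /opt/ssl/redis.crt
tls-key-file /opt/ssl/redis.key
tls-ca-cert-file /opt/ssl/redis-ca.crt
"""

# A sentinel.conf carried over from a plaintext deployment: TLS was never added.
SENTINEL_CONF_PLAINTEXT = """\
port 26380
daemonize yes
sentinel monitor master 10.0.0.4 6380 2
sentinel auth-pass master PASS
"""

# A sentinel.conf with the TLS directives replicated from redis.conf.
SENTINEL_CONF_TLS = """\
port 0
tls-port 26380
tls-cert-file "/opt/ssl/redis.crt"
tls-key-file "/opt/ssl/redis.key"
tls-ca-cert-file "/opt/ssl/redis-ca.crt"
tls-auth-clients no
tls-replication yes
sentinel monitor master 10.0.0.4 6380 2
"""

TLS_FILE_KEYS = ("tls-cert-file", "tls-key-file", "tls-ca-cert-file")


def parse_redis_conf(text):
    """Parse 'directive value ...' lines into {directive: [[values], ...]}.
    Quoted values are honoured and '#' comments dropped; repeated directives
    (e.g. several 'sentinel ...' lines) are all kept in order."""
    conf = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def first_value(conf, key):
    """First value of a single-valued directive, or None if absent/empty."""
    occurrences = conf.get(key)
    if not occurrences or not occurrences[0]:
        return None
    return occurrences[0][0]


def check_tls_listener(name, conf):
    """Findings about one instance's own TLS listener configuration."""
    findings = []
    for key, occurrences in conf.items():
        # 'port=0' parses as a directive named 'port=0' with no value.
        if "=" in key or not occurrences[0]:
            findings.append(f"{name}: '{key}' has no value; Redis directives are 'name value', not 'name=value'")
    if first_value(conf, "tls-port") is None:
        findings.append(f"{name}: no tls-port, so this instance accepts no TLS connections")
        return findings
    for key in TLS_FILE_KEYS:
        if first_value(conf, key) is None:
            findings.append(f"{name}: tls-port is set but {key} is missing")
    if first_value(conf, "port") != "0":
        findings.append(f"{name}: port is not 0, so a plaintext listener stays open next to tls-port")
    return findings


def check_sentinel_against_redis(redis_text, sentinel_text):
    """Cross-check: Sentinel must carry its own TLS listener and speak TLS to the master."""
    rconf = parse_redis_conf(redis_text)
    sconf = parse_redis_conf(sentinel_text)
    findings = check_tls_listener("redis.conf", rconf) + check_tls_listener("sentinel.conf", sconf)
    if first_value(rconf, "tls-port") and first_value(sconf, "tls-replication") != "yes":
        findings.append("sentinel.conf: tls-replication is not 'yes', so Sentinel will open plaintext connections to a TLS-only Redis")
    return findings


if __name__ == "__main__":
    for label, sentinel in (("plaintext sentinel", SENTINEL_CONF_PLAINTEXT), ("tls sentinel", SENTINEL_CONF_TLS)):
        print(label, "->", check_sentinel_against_redis(REDIS_CONF, sentinel) or ["ok"])
```

The `tls-replication yes` check reflects how Sentinel decides whether its outbound connections to masters and replicas use TLS; without it, a Sentinel that itself listens on a tls-port still produces the same "wrong version number" errors in the Redis log, now with the Sentinel host as the peer.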