Package: redis-server
Version: 5:6.0~rc1-1
Severity: normal

Dear Maintainer,

So one of the big new features in Redis 6.x is native TLS support, which I'm pretty excited about! I tried it out with the version of this package in experimental, and it worked but did need a couple tweaks to the package build to enable TLS within the build (given in the patch at the bottom).

This was the error previously when the option is specified in the config file but isn't actually allowed since it isn't compiled with TLS support (https://github.com/antirez/redis/blob/6.0-rc1/src/config.c#L2259-L2273):

Feb 13 01:53:45 hostname systemd[1]: Starting Advanced key-value store...
Feb 13 01:53:45 hostname redis-server[15510]: *** FATAL CONFIG FILE ERROR ***
Feb 13 01:53:45 hostname redis-server[15510]: Reading the configuration file, at line 1375
Feb 13 01:53:45 hostname redis-server[15510]: >>> 'tls-port 6378'
Feb 13 01:53:45 hostname redis-server[15510]: Bad directive or wrong number of arguments
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Control process exited, code=exited, status=1/FAILURE
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Failed with result 'exit-code'.
Feb 13 01:53:45 hostname systemd[1]: Failed to start Advanced key-value store.

The only config modification I did was to add "tls-port 6378" at the bottom of /etc/redis/redis.conf. To get redis to fully work I did need to add more options like tls-cert-file and tls-key-file, but just adding the port was enough to reproduce the issue.

This is my patch to debian/rules to build with TLS support (adding the variable to just override_dh_auto_build didn't actually add it properly, my guess is that it's needed in multiple different targets). I also needed to add libssl-dev as a build dependency and added the --tls options and tcl-tls as per the TLS docs (https://github.com/antirez/redis/blob/6.0/TLS.md). I've also tested this manually by doing a build, making sure all the tests that are run there pass, and installing redis on a host and setting up some basic TLS configuration.

I did get a few errors within the tests, but they don't all appear to be related (the TLS ones likely are though):

!!! WARNING The following tests failed:

*** [err]: Active defrag in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: Active defrag big keys in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: TLS: Verify tls-protocols behaves as expected in tests/unit/tls.tcl
Expected 'I/O error reading reply' to match 'PONG' (context: type eval line 10 cmd {assert_match {PONG} $e} proc ::test)

Here's my patch:

diff --git a/debian/control b/debian/control index a83d91e..6eff968 100644 --- a/debian/control +++ b/debian/control @@ -8,10 +8,12 @@ Build-Depends: libhiredis-dev (>= 0.14.0), libjemalloc-dev [linux-any], liblua5.1-dev, + libssl-dev, lua-bitop-dev, lua-cjson-dev, procps <!nocheck>, tcl <!nocheck>, + tcl-tls <!nocheck>, Standards-Version: 4.4.1 Homepage: https://redis.io/ Vcs-Git: https://salsa.debian.org/lamby/pkg-redis.git diff --git a/debian/rules b/debian/rules index 1e7819d..4cbec71 100755 --- a/debian/rules +++ b/debian/rules @@ -17,6 +17,7 @@ LUA_LDFLAGS = $(addprefix -llua5.1-,$(LUA_LIBS_DEBIAN)) $(addprefix ../deps/lua/ export CFLAGS CPPFLAGS LDFLAGS export DEB_BUILD_MAINT_OPTIONS = hardening=+all export DEB_LDFLAGS_MAINT_APPEND = -Wl,-no-as-needed -ldl -latomic $(LUA_LDFLAGS) +export BUILD_TLS=yes ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) @@ -48,9 +49,11 @@ override_dh_auto_build: debian/lua_libs_debian.c override_dh_auto_test: ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) - # Avoid race conditions in upstream testsuite. - ./runtest --clients 1 || true - ./runtest-cluster || true + # Generate a root CA and server certificate for testing + ./utils/gen-test-certs.sh + # Avoid race conditions in upstream testsuite + ./runtest --clients 1 --tls || true + ./runtest-cluster --tls || true ./runtest-sentinel || true endif
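
Review bot: the first debian/rules hunk (@@ -17,6 +17,7 @@) adds "export BUILD_TLS=yes" at top level with no comment saying why it is exported globally rather than passed to the make call in override_dh_auto_build. The report gives the reason (setting it in that one target did not take effect), and a one-line comment above the export recording that would stop a later cleanup from moving it back into a single target and silently producing a binary that rejects tls-port again.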
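
Review bot: in the override_dh_auto_test hunk of debian/rules, "--tls" replaces the plain "./runtest --clients 1" and "./runtest-cluster" runs instead of being added next to them, so the non-TLS listener path is no longer exercised during the build; keeping the two original invocations and adding the "--tls" variants after them would cover both. "./utils/gen-test-certs.sh" is the only command in the block without "|| true", so a certificate generation failure aborts the build while every test failure is ignored, including the tls-protocols failure listed in the report; it is worth deciding which behaviour is intended and making the lines consistent. "./runtest-sentinel" is left without "--tls", and a comment stating whether that is deliberate would help the next reader.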

