Package: redis-server
Version: 5:6.0~rc1-1
Severity: normal

Dear Maintainer,

So one of the big new features in Redis 6.x is native TLS support, which I'm
pretty excited about! I tried it out with the version of this package in
experimental, and it worked but did need a couple of tweaks to the package build
to enable TLS within the build (given in the patch at the bottom).

This was the error when the option was specified in the config file but wasn't
actually accepted, since the binary isn't compiled with TLS support
(https://github.com/antirez/redis/blob/6.0-rc1/src/config.c#L2259-L2273):

Feb 13 01:53:45 hostname systemd[1]: Starting Advanced key-value store...
Feb 13 01:53:45 hostname redis-server[15510]: *** FATAL CONFIG FILE ERROR ***
Feb 13 01:53:45 hostname redis-server[15510]: Reading the configuration file, at line 1375
Feb 13 01:53:45 hostname redis-server[15510]: >>> 'tls-port 6378'
Feb 13 01:53:45 hostname redis-server[15510]: Bad directive or wrong number of arguments
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Control process exited, code=exited, status=1/FAILURE
Feb 13 01:53:45 hostname systemd[1]: redis-server.service: Failed with result 'exit-code'.
Feb 13 01:53:45 hostname systemd[1]: Failed to start Advanced key-value store.

The only config modification I did was to add "tls-port 6378" at the bottom of
/etc/redis/redis.conf. To get redis to fully work I did need to add more
options like tls-cert-file and tls-key-file, but just adding the port was
enough to reproduce the issue.

This is my patch to debian/rules to build with TLS support (adding the variable
to just override_dh_auto_build didn't actually add it properly; my guess is
that it's needed in multiple different targets). I also needed to add
libssl-dev as a build dependency and added the --tls options and tcl-tls as per
the TLS docs (https://github.com/antirez/redis/blob/6.0/TLS.md). I've
also tested this manually by doing a build, making sure all the tests
that are run there pass, and installing redis on a host and setting up
some basic TLS configuration. I did get a few errors within the tests,
but they don't all appear to be related (the TLS ones likely are, though):

!!! WARNING The following tests failed:

*** [err]: Active defrag in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: Active defrag big keys in tests/unit/memefficiency.tcl
defrag not started.
*** [err]: TLS: Verify tls-protocols behaves as expected in tests/unit/tls.tcl
Expected 'I/O error reading reply' to match 'PONG' (context: type eval line 10 cmd {assert_match {PONG} $e} proc ::test)

Here's my patch:

diff --git a/debian/control b/debian/control
index a83d91e..6eff968 100644
--- a/debian/control
+++ b/debian/control
@@ -8,10 +8,12 @@ Build-Depends:
  libhiredis-dev (>= 0.14.0),
  libjemalloc-dev [linux-any],
  liblua5.1-dev,
+ libssl-dev,
  lua-bitop-dev,
  lua-cjson-dev,
  procps <!nocheck>,
  tcl <!nocheck>,
+ tcl-tls <!nocheck>,
 Standards-Version: 4.4.1
 Homepage: https://redis.io/
 Vcs-Git: https://salsa.debian.org/lamby/pkg-redis.git
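Review bot: utils/gen-test-certs.sh, which the rules hunk runs under override_dh_auto_test, shells out to the openssl command-line tool, but this hunk only adds libssl-dev, which does not pull in the openssl binary; add `openssl <!nocheck>` next to `tcl-tls <!nocheck>` so the test certificates can be generated in a clean build chroot. libssl-dev itself is correctly unconditional, since BUILD_TLS=yes is exported for every make invocation, and the runtime libssl dependency comes from ${shlibs:Depends}; it is still worth confirming with `objdump -p` on the built redis-server that libssl and libcrypto appear in NEEDED, given that the report says the variable was silently ignored when set in only one target.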
diff --git a/debian/rules b/debian/rules
index 1e7819d..4cbec71 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,7 @@ LUA_LDFLAGS = $(addprefix
-llua5.1-,$(LUA_LIBS_DEBIAN)) $(addprefix ../deps/lua/
 export CFLAGS CPPFLAGS LDFLAGS
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 export DEB_LDFLAGS_MAINT_APPEND = -Wl,-no-as-needed -ldl -latomic
$(LUA_LDFLAGS)
+export BUILD_TLS=yes

 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
        NUMJOBS = $(patsubst parallel=%,%,$(filter
parallel=%,$(DEB_BUILD_OPTIONS)))
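Review bot: the top-level `export BUILD_TLS=yes` is the right scope, and it explains the behaviour described in the report: src/Makefile tests `ifeq ($(BUILD_TLS),yes)` on every make invocation, and dh_auto_build and dh_auto_install each invoke make separately, so a variable set only in override_dh_auto_build never reaches the later run. A one-line comment above the export saying that the package deliberately always ships a TLS-capable binary would stop a later maintainer from moving it back into a single target.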
@@ -48,9 +49,11 @@ override_dh_auto_build: debian/lua_libs_debian.c

 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
-       # Avoid race conditions in upstream testsuite.
-       ./runtest --clients 1 || true
-       ./runtest-cluster || true
+       # Generate a root CA and server certificate for testing
+       ./utils/gen-test-certs.sh
+       # Avoid race conditions in upstream testsuite
+       ./runtest --clients 1 --tls || true
+       ./runtest-cluster --tls || true
        ./runtest-sentinel || true
 endif
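Review bot: `./utils/gen-test-certs.sh` writes ca.key, ca.crt, redis.key, redis.crt and redis.dh into tests/tls/ inside the source tree, and nothing in this hunk removes them, so a second build in the same tree will either reuse stale certificates or trip dpkg-source's check for unexpected files; add tests/tls/ to debian/clean or delete it in an override_dh_auto_clean. The `|| true` on `./runtest --clients 1 --tls` also means the TLS failure quoted above ("Verify tls-protocols behaves as expected", "I/O error reading reply") is swallowed silently, so the build log should at least be checked for `[err]` lines before the TLS build is considered working. `./runtest-sentinel` is still run without --tls, so the sentinel code path is not exercised over TLS at all.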

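Added example, not code from the report, from Redis or from the Debian package: a small checker for the TLS directives in a redis.conf that models both failure modes discussed above, a redis-server built without TLS rejecting any tls-* directive as a bad directive, and a TLS-capable build started with tls-port but without the certificate, key and CA directives it needs. The directive names are the ones Redis 6.0 documents in TLS.md and redis.conf; the `tls_compiled` flag, the sample configs and the file paths in them are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Sanity-check the TLS directives in a redis.conf before restarting the service.

Added example for this bug report; not code from Redis or the Debian package.
Directive names follow Redis 6.0 (TLS.md / redis.conf); the sample configs and
paths below are constructed for the demonstration.
"""

# TLS directives a Redis 6.0 server accepts when built with BUILD_TLS=yes.
TLS_DIRECTIVES = {
    "tls-port", "tls-cert-file", "tls-key-file", "tls-ca-cert-file",
    "tls-ca-cert-dir", "tls-auth-clients", "tls-replication", "tls-cluster",
    "tls-protocols", "tls-ciphers", "tls-ciphersuites",
    "tls-prefer-server-ciphers", "tls-dh-params-file",
}


def parse_conf(text):
    """Yield (lineno, directive, args) for each non-blank, non-comment line.

    Redis directives are one per line, whitespace separated and case-insensitive.
    Upstream's quoting rules are not reproduced; a plain split is enough for
    the tls-* directives checked here.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield lineno, parts[0].lower(), parts[1:]


def check_tls_config(text, tls_compiled=True):
    """Return a list of problems found in the TLS part of a redis.conf.

    tls_compiled=False (a constructed flag) models a redis-server built without
    BUILD_TLS=yes: every tls-* directive is then a fatal "Bad directive" error
    at startup, which is what the journal excerpt in this report shows.
    """
    problems = []
    seen = {}
    for lineno, directive, args in parse_conf(text):
        if directive.startswith("tls-"):
            if not tls_compiled:
                problems.append(f"line {lineno}: '{directive}' is a bad directive "
                                "for a redis-server built without TLS support")
                continue
            if directive not in TLS_DIRECTIVES:
                problems.append(f"line {lineno}: unknown directive '{directive}'")
                continue
        seen[directive] = (lineno, args)

    if "tls-port" not in seen:
        return problems  # no TLS listener requested; nothing more to check

    port_args = seen["tls-port"][1]
    if len(port_args) != 1 or not port_args[0].isdigit():
        problems.append("tls-port needs exactly one numeric argument")
        return problems
    if port_args[0] == "0":
        return problems  # tls-port 0 means the TLS listener is disabled

    # A TLS listener needs a server certificate and key, and Redis 6.0 also
    # requires a CA (file or dir), since client certificate verification
    # (tls-auth-clients) is on by default.
    for required in ("tls-cert-file", "tls-key-file"):
        if required not in seen:
            problems.append(f"tls-port is set but {required} is missing")
    if "tls-ca-cert-file" not in seen and "tls-ca-cert-dir" not in seen:
        problems.append("tls-port is set but neither tls-ca-cert-file nor "
                        "tls-ca-cert-dir is configured")

    # Enabling tls-port does not close the plaintext listener; a TLS-only
    # deployment needs 'port 0' as well (the default port is 6379).
    plain_port = seen.get("port", (None, ["6379"]))[1]
    if plain_port and plain_port[0] != "0":
        problems.append(f"plaintext port {plain_port[0]} is still enabled next to "
                        "tls-port; set 'port 0' for a TLS-only server")
    return problems


# Constructed sample: the single-line change described in the report.
REPORT_CONF = "port 6379\ntls-port 6378\n"

# Constructed sample: a complete TLS-only configuration (paths are made up).
FULL_TLS_CONF = """\
port 0
tls-port 6378
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients yes
tls-protocols "TLSv1.2 TLSv1.3"
"""

if __name__ == "__main__":
    for label, conf, compiled in (("report config, non-TLS build", REPORT_CONF, False),
                                  ("report config, TLS build", REPORT_CONF, True),
                                  ("full config, TLS build", FULL_TLS_CONF, True)):
        print(label)
        for problem in check_tls_config(conf, tls_compiled=compiled) or ["ok"]:
            print("  -", problem)
```

Run against the report's one-line change, the checker reports the bad-directive error for a non-TLS build and, for a TLS build, the missing cert, key and CA plus the still-open plaintext port; the full config passes cleanly.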