3

我有一个 Redis 集群,我希望在该集群上设置stunnel,以加密进出每个主/从,以及进出 redis 上方的 HAproxy 层的流量。我已经使用以下配置文件配置了 stunnel:

pid=/var/stunnel-redis.pid
foreground = yes
debug = info
output = stunnel.log

sslVersion = all
#options = NO_SSLv2
fips = no

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[redis-server]
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
TIMEOUTclose = 0
accept = 0.0.0.0:7001
connect = 127.0.0.1:7002


[redis-client]
client = yes
accept = 127.0.0.1:7002
connect = 127.0.0.1:6379
CAfile = /etc/stunnel/redis.pem
verify = 0

编辑我应该解释每个服务是如何设置的,网络方面的。

redis-server绑定 127.0.0.1:6379

stunnel redis-server绑定 0.0.0.0:7001

stunnel redis-client绑定 127.0.0.1:7002

redis 客户端连接将连接到 0.0.0.0:7001 上的 stunnel 的 redis-server。然后stunnel会连接到127.0.0.1:7002上的redis-client,stunnel的redis-client会连接到127.0.0.1:6379上的redis服务器。

尝试运行时,redis-cli -h my_remote_stunnel_ip -p 7001我在日志中收到以下错误:

2017.01.31 09:45:11 LOG3[16062]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017.01.31 09:45:11 LOG5[16062]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

我尝试禁用redis-client配置中的部分,我尝试更改sslVersionsslVersion = TLSv1, sslVersion = TLSv1.2。当我更改sslVersionsslVersion = TLSv1尝试连接时收到以下错误:

2017.01.31 09:38:33 LOG3[15830]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

这是因为版本不匹配吗?如果是这样,怎么办?两个守护进程都在同一主机上运行。

编辑: openssl s_client -connect :7001 -tls1 的输出:

No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2452 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0A05C63AA7596D37B4D18B5CF377213A0B245B681E3E1CD28506E877311A862A
    Session-ID-ctx: 
    Master-Key: 54EE658224A3BB08E25416F05CBCAB5D58EA075E7C157AEE31B94D2AA289CE694558CDF27B3EA0B8FB90738C3EEE4EE8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 12 55 cd c7 bc ab e8 6c-c7 e7 ca 9c 05 bf 5b dd   .U.....l......[.
    0010 - bb 17 b9 d5 68 e0 be 54-a1 b6 06 00 0a fe db 17   ....h..T........
    0020 - 4a 89 93 6b 95 18 1e be-45 f9 cb a8 6c 07 5b 45   J..k....E...l.[E
    0030 - ef 47 60 b7 0d 7e 51 95-ca 68 48 5f 03 5b d9 0e   .G`..~Q..hH_.[..
    0040 - 62 0b f5 33 bb b6 ce 03-6d d7 d3 69 12 de 3a 63   b..3....m..i..:c
    0050 - db 8d 98 ba ac e6 e1 f8-9a f1 b1 50 5e 63 1a 24   ...........P^c.$
    0060 - 9c ad 1d a8 ef 85 9d 64-9a 00 d7 76 b3 77 73 05   .......d...v.ws.
    0070 - dc 04 94 ae c3 c7 89 3e-26 c1 25 d7 a7 f2 45 97   .......>&.%...E.
    0080 - f8 2d e9 21 cc 7c 44 e2-a8 3d 93 00 e5 09 d0 38   .-.!.|D..=.....8
    0090 - 53 4f 22 fd 75 52 37 f8-3d c5 0e 22 5a 55 b4 8b   SO".uR7.=.."ZU..

    Start Time: 1485881728
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=104
4

0 回答 0