@mgravell mgravell commented Apr 12, 2025

Historically, certs only worked with PFX files, which made it a pain to work with the cert pairs typically downloaded from hosts like Redis Ltd; however, on more recent .NET versions PEM is fully available. Here, we:

  • add new methods on ConfigurationOptions (akin to the existing TrustIssuer method) to configure certificates from files
  • support PEM in the ambient setup

There are no tests added here, due to the inherent problems of CI talking to such servers; however:

 var options = ConfigurationOptions.Parse("redis-redacted.redislabs.com:4242"); // port also redacted
 options.TrustIssuer(@"C:\Code\RedisKeys\redis_ca.pem");
 options.SetUserPemCertificate(@"C:\Code\RedisKeys\redis-redacted.crt", @"C:\Code\RedisKeys\redis-redacted.key");
 using var conn = await ConnectionMultiplexer.ConnectAsync(options);
 for (int i = 0; i < 10; i++)
 {
     var ttl = await conn.GetDatabase().PingAsync();
     Console.WriteLine(ttl);
 }

works with the files downloaded from my hosted Redis Ltd endpoint:

image

To @philon-msft : open question: can we check Azure Redis with similar?

^^^ update: Philo assures me that Azure Redis doesn't have any relevant client-cert scenarios to consider

@mgravell

In particular: contrast this to the recommended approach currently on my hosted Redis Ltd instance:

 configurationOptions.CertificateSelection += delegate
 {
     return new X509Certificate2(
         "<path_to_redis.pfx_file>",
         "<pfx_file_password>"
     );
 };

Which a: requires additional manual steps to export the pem/key file to pfx, which isn't trivial, and b: is more additional work. Sure: if you want more control, it is great to have the full options, but most people will just have the file pair.
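For comparison with the PFX delegate quoted above, the same CertificateSelection hook can be fed straight from the PEM pair using the .NET 5+ BCL. This is an added example, not code from this PR or from StackExchange.Redis; the endpoint and file names are placeholders, and the Windows PKCS#12 round-trip is an assumption based on the known SChannel limitation with ephemeral keys, which the PR text does not discuss.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using StackExchange.Redis;

static class PemClientCertExample
{
    // Loads a PEM certificate + private key pair without a manual PFX export step.
    static X509Certificate2 LoadPemPair(string certPath, string keyPath)
    {
        // Throws CryptographicException if the key is missing or does not match the cert.
        var pem = X509Certificate2.CreateFromPemFile(certPath, keyPath);
        if (!OperatingSystem.IsWindows())
            return pem;

        // On Windows, SslStream (SChannel) cannot use the ephemeral key attached by
        // CreateFromPemFile, so round-trip through an in-memory PKCS#12 blob.
        // Nothing is written to disk and no PFX password has to be managed.
        // (.NET 9+ offers X509CertificateLoader.LoadPkcs12 as the newer loader.)
        using (pem)
        {
            return new X509Certificate2(pem.Export(X509ContentType.Pkcs12));
        }
    }

    static async Task Main()
    {
        // Placeholder endpoint and paths (constructed for this example).
        var options = ConfigurationOptions.Parse("redis.example.com:6380");
        options.Ssl = true;
        options.TrustIssuer("redis_ca.pem"); // pin the server's issuing CA

        var clientCert = LoadPemPair("client.crt", "client.key");
        // Always present this certificate when the server requests client auth.
        options.CertificateSelection +=
            (sender, targetHost, localCerts, remoteCert, acceptableIssuers) => clientCert;

        using var conn = await ConnectionMultiplexer.ConnectAsync(options);
        Console.WriteLine(await conn.GetDatabase().PingAsync());
    }
}
```

The key file is still an unencrypted secret on disk, so restrict its file permissions to the account that runs the client.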

@mgravell

also /cc @atakavci to a: see if there's any feedback from the Redis side, and b: (future, obvs) see if we can get the cloud console updated to suggest this approach.

@NickCraver NickCraver left a comment

One quick comment - TODOs: get test server setup and docs here as follow-ups

if (!string.IsNullOrEmpty(pfxStorageFlags))
{
var tmp = Enum.Parse(typeof(X509KeyStorageFlags), pfxStorageFlags) as X509KeyStorageFlags?;
if (tmp is not null) storageFlags = tmp.GetValueOrDefault();
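Review bot: on the Enum.Parse line, an unrecognised pfxStorageFlags value throws ArgumentException instead of producing null, so the `tmp is not null` guard on the next line never filters bad input and a malformed setting surfaces as an exception during certificate setup. Enum.TryParse with an `out X509KeyStorageFlags` variable would make the fallback to the default flags explicit; either way, decide whether a bad value should be ignored or reported, since these flags control how the private key is stored.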
Collaborator

Could use .TryParse a bit simpler here

Collaborator Author

done: 7a9208f

- use Enum.TryParse for the X509 flags
@mgravell mgravell merged commit 328b4b5 into main Apr 15, 2025
5 of 8 checks passed
@mgravell mgravell deleted the user-cert branch April 15, 2025 17:12