When connecting to a Tair instance through a client, you can enable the SSL encryption feature to improve data security and ensure data integrity. You can connect to a Tair instance using clients from different programming languages supported by the Tair protocol. This topic provides example code for common programming languages.
Requirements
SSL encryption is enabled for your Tair instance. For more information, see Configure SSL Encryption.
Precautions
- By default, cluster and read/write splitting instances run in proxy mode. In this mode, you can connect to a Tair instance using the endpoint of a proxy node on the instance in the same way you connect to a standard Tair instance. For more information about cluster and read/write splitting instances, see Cluster architecture and Split read/write architecture.
  Note: If you use a private endpoint to connect to a cluster instance, you can connect to the instance the same way you connect to an open source Redis cluster. For more information about private endpoints, see Enable direct connection mode.
- When passwordless access is enabled for a Tair instance deployed in a VPC, a client in the same VPC as the instance can connect to the instance without using passwords. For more information, see Enable passwordless access.
Preparations
1. Perform the following operations depending on the type of host on which the client is deployed.
   Host: ECS instance (recommended)
   - Make sure that the Elastic Compute Service (ECS) instance and the Tair instance are deployed in the same virtual private cloud (VPC). The basic information sections of both instances must show the same VPC ID. If the instances are deployed in different VPCs, you can change the VPC that the ECS instance belongs to. For more information, see Changing the VPC of an ECS instance.
   - Get the internal IP address of the ECS instance. For more information, see Network FAQ.
   - Add the internal IP address of the ECS instance to a whitelist of the Tair instance. For more information, see Step 2: Configure whitelists.
   Host: Local device
   - By default, only internal endpoints are available for Tair instances. If you want to connect to a Tair instance over the internet, you must request a public endpoint. For more information, see Request a public endpoint for a Tair instance.
   - Run the `curl ipinfo.io | grep ip` command on your local device to get your public IP address. The following figure shows an example of command output.
     Note: If your local device is running a Windows OS, visit ipinfo to get the public IP address.
   - Add your local device's public IP address to a whitelist of the Tair instance. For more information, see Step 2: Configure whitelists.
2. Gather the following information and use it in client code for various programming languages.
   - Instance endpoint: Tair instances support multiple types of endpoints. We recommend using VPC endpoints to improve security and reduce network latency. For more information, see View endpoints and port numbers.
   - Port number: The default port number is 6379. You can also use a custom port number. For more information, see Change the endpoint or port of a Tair instance.
   - Instance account (optional for certain clients): By default, a Tair instance has a database account named after the instance ID. Example: r-bp10noxlhcoim2****. You can create another database account and grant the necessary permissions to the account. For more information, see Create and manage database accounts.
   - Password: The password format varies depending on the selected account:
     - If you are using the default account whose username is the same as the instance ID, enter the password.
     - If you are using a custom account, the password format must be `<user>:<password>`. A password in this format can also be used to log in with the default account. For example, if the custom account username is `testaccount` and the password is `Rp829dlwa`, you must enter `testaccount:Rp829dlwa` as the database password.
     Note:
     - If you use a management tool like Redis Desktop Manager (RDM) to connect to a Tair instance, enter a password in the form of `<user>:<password>`.
     - If you forgot your password, reset it. For more information, see Change or reset password.
3. Download the Certificate Authority (CA) certificate. For more information, see Configure SSL Encryption.
Java
The following sample code uses the Jedis 3.6.0 client. We recommend using the latest version of the client. For more information, visit GitHub.
Note: Modify the code based on the comments. To learn how to get the endpoint, port number and password of a Tair instance, see step 2 of the Preparations section.
```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.pool2.impl.GenericObjectPoolConfig;
import redis.clients.jedis.Jedis;
import redis.clients.jedis.JedisPool;

public class JedisSSLTest {
    // Build a socket factory that trusts only the certificates in the given JKS trust store.
    private static SSLSocketFactory createTrustStoreSSLSocketFactory(String jksFile) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("jks");
        // try-with-resources closes the stream even if opening or loading fails.
        try (InputStream inputStream = new FileInputStream(jksFile)) {
            trustStore.load(inputStream, null);
        }

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, new SecureRandom());
        return sslContext.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // ApsaraDB-CA-Chain.jks is the name of the CA certificate.
        final SSLSocketFactory sslSocketFactory = createTrustStoreSSLSocketFactory("ApsaraDB-CA-Chain.jks");
        // The endpoint, port number, timeout, and password of the instance are part of the connection pool configuration.
        JedisPool pool = new JedisPool(new GenericObjectPoolConfig(), "r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com",
                6379, 2000, "redistest:Test1234", 0, true, sslSocketFactory, null, null);

        try (Jedis jedis = pool.getResource()) {
            jedis.set("key", "value");
            System.out.println(jedis.get("key"));
        }
    }
}
```
Python
The following sample code uses the redis-py client. We recommend using the latest version of the client. For more information, visit GitHub.
Note: Modify the code based on the comments. To learn how to get the endpoint, port number and password of a Tair instance, see step 2 of the Preparations section.
```python
#!/bin/python
import redis

# Provide connection information. Replace the host, port, and password values
# with your instance's endpoint, port number, and password.
# ApsaraDB-CA-Chain.pem is the name of the CA certificate.
client = redis.Redis(host="r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com", port=6379,
                     password="redistest:Test1234", ssl=True,
                     ssl_cert_reqs="required", ssl_ca_certs="ApsaraDB-CA-Chain.pem")

client.set("Hello", "World")
print(client.get("Hello"))
```
```python
#!/bin/python
import redis

# Specify a connection pool. Replace the host, port, and password values
# with the instance endpoint, port number, and password.
# ApsaraDB-CA-Chain.pem is the name of the CA certificate.
pool = redis.ConnectionPool(connection_class=redis.connection.SSLConnection, max_connections=100,
                            host="r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com", port=6379,
                            password="redistest:Test1234",
                            ssl_cert_reqs="required", ssl_ca_certs="ApsaraDB-CA-Chain.pem")
client = redis.Redis(connection_pool=pool)

client.set("hello", "redis")
print(client.get("hello"))
```
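The redis-py parameters used above (ssl, ssl_cert_reqs, ssl_ca_certs) decide whether the client actually verifies the Tair server certificate against the downloaded CA chain. The following check is an added example, not code from the original page or from redis-py: it audits connection keyword arguments before they are used. The function name audit_tls_kwargs, the finding codes, the acceptance policy, and the sample hosts and credentials are assumptions made for this example.

```python
import ssl

# Finding codes and their meaning. The policy is this example's own choice.
FINDINGS = {
    "NO_TLS": "TLS not requested; commands and the password travel in cleartext",
    "VERIFY_OFF": "ssl_cert_reqs disables server certificate verification",
    "VERIFY_UNCLEAR": "ssl_cert_reqs is missing or is not 'required' / ssl.CERT_REQUIRED",
    "NO_CA_FILE": "ssl_ca_certs is not set, so the downloaded CA chain is not the trust anchor",
    "PLACEHOLDER_HOST": "host still contains the masked '****' from the documentation",
}

_MISSING = object()


def _requests_tls(kwargs):
    """TLS is requested by ssl=True or by an SSLConnection connection class."""
    cls = kwargs.get("connection_class")
    return kwargs.get("ssl") is True or getattr(cls, "__name__", "") == "SSLConnection"


def _verification_finding(value):
    """Return a finding code for an ssl_cert_reqs value, or None if it verifies the server."""
    if value is _MISSING or isinstance(value, bool):
        return "VERIFY_UNCLEAR"  # relies on a library default, or a bool instead of a mode
    if value is None or value == "none" or value == ssl.CERT_NONE:
        return "VERIFY_OFF"
    if value == "required" or value == ssl.CERT_REQUIRED:
        return None
    return "VERIFY_UNCLEAR"


def audit_tls_kwargs(kwargs):
    """Return the list of finding codes for redis.Redis / ConnectionPool keyword arguments."""
    findings = []
    if "*" in str(kwargs.get("host", "")):
        findings.append("PLACEHOLDER_HOST")
    if not _requests_tls(kwargs):
        findings.append("NO_TLS")
        return findings
    code = _verification_finding(kwargs.get("ssl_cert_reqs", _MISSING))
    if code:
        findings.append(code)
    if not kwargs.get("ssl_ca_certs"):
        findings.append("NO_CA_FILE")
    return findings


class SSLConnection:
    """Stand-in for redis.connection.SSLConnection so the example runs without redis-py."""


# Constructed sample configurations; hosts and credentials are made up.
SAMPLES = {
    "hardened": dict(host="tair.example.internal", port=6379,
                     password="appuser:constructed-secret", ssl=True,
                     ssl_cert_reqs="required", ssl_ca_certs="ApsaraDB-CA-Chain.pem"),
    "no_verify": dict(host="tair.example.internal", port=6379,
                      ssl=True, ssl_cert_reqs="none"),
    "pool_bool": dict(connection_class=SSLConnection, host="tair.example.internal",
                      port=6379, ssl_cert_reqs=True, ssl_ca_certs="ApsaraDB-CA-Chain.pem"),
    "plaintext": dict(host="r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com", port=6379),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        codes = audit_tls_kwargs(cfg)
        print(name + ":", "ok" if not codes else "")
        for c in codes:
            print("   ", c, "-", FINDINGS[c])
```

Run the audit on the same dictionary you later pass as `redis.Redis(**kwargs)` so that the checked settings and the used settings cannot drift apart.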
PHP
The following sample code uses the Predis client. We recommend using the latest version of the client. For more information, visit GitHub. If you are using the PhpRedis client, you can refer to SSL/TLS with certificate file to connect to an instance. For more information about PhpRedis, see GitHub.
Note: Modify the code based on the comments. To learn how to get the endpoint, port number and password of a Tair instance, see step 2 of the Preparations section.
```php
<?php
require __DIR__.'/predis/autoload.php';

/* Specify connection information. Replace the host, port, and password values with the
   instance's endpoint, port number, and password, respectively.
   ApsaraDB-CA-Chain.pem is the name of the CA certificate file. */
$client = new Predis\Client([
    'scheme'   => 'tls',
    'host'     => 'r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com',
    'port'     => 6379,
    'password' => 'redistest:Test1234',
    'ssl'      => ['cafile' => 'ApsaraDB-CA-Chain.pem', 'verify_peer' => true],
]);

/* Replace the endpoint and the port number in the following code example. */
//$client = new Predis\Client('tls://r-bp1zxszhcgatnx****.redis.rds.aliyuncs.com:6379?ssl[cafile]=ApsaraDB-CA-Chain.pem&ssl[verify_peer]=1');

$client->set("hello", "world");
print $client->get("hello")."\n";
?>
```
C#
The following sample code uses the StackExchange.Redis client. We recommend using the latest version of the client. For more information, visit GitHub.
Note: Modify the code based on the comments. To learn how to get the endpoint, port number and password of a Tair instance, see step 2 of the Preparations section.
```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using StackExchange.Redis;

class Program
{
    // Accept the server certificate only if the downloaded CA certificate appears in its chain.
    private static bool CheckServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        var ca = new X509Certificate2("/your path/ApsaraDB-CA-Chain/ApsaraDB-CA-Chain.pem");
        return chain.ChainElements
            .Cast<X509ChainElement>()
            .Any(x => x.Certificate.Thumbprint == ca.Thumbprint);
    }

    static void Main(string[] args)
    {
        // Provide connection information. Replace the host, port, and password values with the
        // instance's endpoint, port number, and password, respectively.
        // ApsaraDB-CA-Chain.pem is the name of the CA certificate file.
        ConfigurationOptions config = new ConfigurationOptions()
        {
            EndPoints = {"r-bp10q23zyfriodu*****.redis.rds.aliyuncs.com:6379"},
            Password = "redistest:Test1234",
            Ssl = true,
        };
        config.CertificateValidation += CheckServerCertificate;

        using (var conn = ConnectionMultiplexer.Connect(config))
        {
            Console.WriteLine("connected");
            var db = conn.GetDatabase();
            db.StringSet("Hello", "World");
            Console.WriteLine(db.StringGet("Hello"));
        }
    }
}
```
FAQs
How do the client and server establish an SSL connection?
- The client sends a request to the server for a secure session. ...
- The client receives the server's X. ...
- The client authenticates the server, using a list of known certificate authorities.
- The client generates a random symmetric key and encrypts it using server's public key.
SSL works by authenticating clients and servers using digital certificates and by encrypting/decrypting communication using unique keys that are associated with authenticated clients and servers. An entity's identity is established using a digital certificate and public and private encryption keys.
What types of attacks can be prevented using SSL between the client and the server?
- Poodle Attack: In the POODLE (Padding Oracle on Downgraded Legacy Encryption) attack, a vulnerability (CVE-2014-3566) is exploited to eavesdrop on communications encrypted with SSLv3. ...
- Freak Attack: ...
- Logjam Attack: ...
- BEAST Attack: ...
- CRIME Attack: ...
- BREACH Attack: ...
- HEARTBLEED Attack:
SSL stands for Secure Sockets Layer and, in short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.
What is difference between SSL connection and SSL session?
The SSL server accepts the connection from the client and sends a connection request to the application server. The SSL session is maintained as two separate connections: the connection from the remote client to the SSL server, and the connection from the SSL server to the application server.
How client generate SSL certificate from server certificate?
- Launch The Key Manager And Generate The Client Certificate. Go to Keys > Client Keys tab and then click the Generate button. ...
- Enter Client Certificate Details. Fill up the fields in the Generate Client Key dialog. ...
- Export The Client Certificate. ...
- Check Out Your Newly Created Client Certificate.
Why you need an SSL certificate. Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.
What is the difference between client certificate and server certificate?
Client certificates tend to be used within private organizations to authenticate requests to remote servers. Whereas server certificates are more commonly known as TLS/SSL certificates and are used to protect servers and web domains.
What are the 3 types of SSL certificates?
- Extended Validation (EV)
- Organization Validation (OV)
- Domain Validation (DV)
Clear your Browser's Cache and Cookies
The SSL info of a website in your browser's cache and cookies might have expired, so if you clear both records, it could fix the issue for you.
Does SSL stop hackers?
SSL protects you from skimmers and hackers by encrypting your data, which is one of the main functions it performs. Once data is encrypted, only an authorized party, the server or browser, can decrypt the data. This is mostly used in credit card transactions, IDs, passwords, etc.
Which of the following attacks does SSL protect against?
SSL generally prevents man-in-the-middle (MITM) attacks. During an attempt at a MITM attack, a hacker tries to intercept your data stream.
How do I get SSL encryption?
- Verify your website's information through ICANN Lookup.
- Generate the Certificate Signing Request (CSR).
- Submit your CSR to the Certificate authority to validate your domain.
- Install the certificate on your website.
There are several known vulnerabilities in the SSL protocol, and security experts recommend discontinuing its use. In fact, most modern web browsers no longer support SSL at all.
Is SSL encryption important?
SSL is essential for protecting your website, even if it doesn't handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users' personal information.
How does SSL connection work?
The web server sends the browser/server a copy of its SSL certificate. The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server. The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
What is the purpose of SSL?
An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured website, the SSL certificate enables an encrypted connection. It's kind of like sealing a letter in an envelope before sending it through the mail.
What is the main advantage of SSL?
An SSL certificate encrypts the information so that it's not readable until it reaches the server that it's intended for. No one can intercept and read the information as it travels from your computer to the web servers. This is one of the primary reasons that website owners get an SSL certificate.
How do I add client authentication to a certificate?
On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then select Client Certificate Mapping Authentication, and then click OK.
What is SSL client certificate?
SSL ensures that the administrator has the CA signer certificate available that is used to sign the personal certificate, and that it is stored in both the client and or the server trusted store. SSL client certificate authentication takes place during the connection handshake by using SSL certificates.
What does enable SSL in your client mean?
You simply have to visit a website with SSL, and voila — your connection will automatically be secured. An SSL is security technology. It's a protocol for servers and web browsers that makes sure that data passed between the two are private. This is done using an encrypted link that connects the server and browser.
What is required for SSL connection?
To set up SSL on your server, you need a key ring containing a server certificate from an Internet certificate authority. The SSL protocol always provides an encrypted, integrity-checked, communications channel and authenticated server identity.
Who will provide SSL certificate?
SSL certificates are issued by Certificate Authorities (CAs), organizations that are trusted to verify the identity and legitimacy of any entity requesting a certificate.
Can I use same certificate for server and client?
It's technically possible for a TLS certificate to be used as both a server certificate and a client certificate. The TLS certificate for this very site has its key usage set that way, for instance. But the server which requires a client certificate does so to authenticate the client.
How do you authenticate a client?
The server authenticates the client by receiving the client's certificate during the SSL handshake and verifying the certificate is valid. Validation is done by the server the same way the client validates the server's certificate. The client sends a signed certificate to the server.
Can a server certificate be used as a client certificate?
Cryptographically, you can use either as the actual client side identity of an SSL connection, but the other side (the server on that particular connection) has to accept the certificate; most people don't put the Distinguished Name of servers into the database of acceptable identities.
What type of encryption is SSL?
SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session.
What is an example of SSL?
SSL provides a secure channel between two machines or devices operating over the internet or an internal network. One common example is when SSL is used to secure communication between a web browser and a web server. This turns a website's address from HTTP to HTTPS, the 'S' standing for 'secure'.
What is SSL certificate with example?
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).
How do I bypass SSL connection error?
- Diagnose the problem with an online tool.
- Install an intermediate certificate on your web server.
- Generate a new Certificate Signing Request.
- Upgrade to a dedicated IP address.
- Get a wildcard SSL certificate.
- Change all URLS to HTTPS.
- Renew your SSL certificate.
How do I fix a SSL certificate issue?
- Make sure you have SSL installed.
- Reinstall the SSL.
- Diagnose the problem with a web SSL checker.
- Renew your SSL certificate.
- Change all URLs to HTTPS.
- Update your browser or OS version.
- Install an intermediate certificate.
- Generate a new Certificate Signing Request.
- Run the following command to exit from the MySQL database: exit.
- Log in to the MySQL database as user root. Add the following parameters at the end of the login command: --ssl-mode=DISABLED. ...
- Run the following command to check the connection mode of the MySQL database: \s.
Attack Vectors
Part of the reason to use an SSL certificate is to uniquely authenticate yourself to the clients connecting to your server. If the private key is stolen, a hacker can create a Man-In-the-Middle attack where data flowing either from the server-to-client or client-to-server is modified in-transit.
If you lose your private key, you will be unable to install your SSL certificate and will need to generate a new key pair (CSR + Private Key) and re-issue the certificate.
Has SSL ever been hacked?
Let's answer this question right off the bat: it's unlikely. Though not impossible, the chances of an SSL certificate itself being hacked is incredibly slim. However, just because you have an SSL installed, that doesn't mean your website isn't vulnerable in other areas.
What are the vulnerabilities of SSL?
What's the issue? Heartbleed bug is a vulnerability in the OpenSSL, a popular open source cryptographic library that helps in the implementation of SSL and TLS protocols. This bug allows attackers to steal private keys attached to SSL certificates, usernames, passwords and other sensitive data without leaving a trace.
What is the risk of SSL?
Risks: Clients cannot know if they are connected to a legitimate site or not. In some cases, the SSL inspection software does perform validation of upstream certificates, but it does not relay the results of the validation to the client.
What is the difference between SSL and encryption?
SSL is a protocol that defines how the data sent from a server is encrypted and decrypted on the client-side. This encryption method has been replaced by the more modern and secure Transport Layer Security (TLS), however, the term SSL is still used for the encryption protocol.
How do I enable SSL mode?
- Locate your Apache configuration file and open with a text editor. The name of your Apache configuration file depends on your system platform. ...
- Verify or update Apache's SSL configuration file and save. Open your Apache SSL configuration file, httpd-ssl. ...
- Restart the Apache Web Server. Linux OS.
- Create a Certificate Signing Request (CSR) and request your SSL certificate.
- Install your SSL certificate.
- Assign the SSL certificate to your IIS deployment.
Is SSL the same as VPN?
A Secure Sockets Layer Virtual Private Network (SSL VPN) is a virtual private network (VPN) created using the Secure Sockets Layer (SSL) protocol to create a secure and encrypted connection over a less-secure network, such as the Internet.
Is SSL as secure as VPN?
A VPN and HTTPS both have the capability to encrypt your data, but a VPN just so happens to encrypt more. HTTPS encryption only works between browsers and servers, and that's only if it's enabled. A VPN, however, encrypts all data that passes through the VPN connection, no matter if certain settings are enabled or not.
What is the difference between HTTPS and SSL?
HTTPS is the secured version of HTTP protocol that is used by the browser for communication. It uses SSL/TLS for delivering the encrypted data. On the other hand, SSL is an encryption protocol that is used to encrypt data.
Is secure SSL encryption safe?
SSL encrypts sensitive details such as login credentials, social security numbers, and bank information so that unauthorized users cannot interpret and use the data, even if they see it. The lock icon users see on SSL-secured websites and the “https” address indicate that a secure connection is present.
Should I enable encryption?
Device encryption is a feature intended to protect your data. It should be enabled, but you should use it with caution. You should make sure you have your recovery key in case you need it, and you should have a backup of your files in case you lose access to the device.
How does a client computer establish a connection to a server?
Clients typically communicate with servers by using the TCP/IP protocol suite. TCP is a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages.
How does a client server connection work?
Clients, taking the form of laptops, desktops, tablets, or smartphones, then request a file or application from the remote server. The server hears the request, verifies credentials, and if everything checks out, serves the client the requested file. The communication between clients and servers is a two way street.
What is client SSL and server SSL?
Client certificates tend to be used within private organizations to authenticate requests to remote servers. Whereas server certificates are more commonly known as TLS/SSL certificates and are used to protect servers and web domains.
How do I connect to a server from a client?
- Log on to the computer that you want to connect to the server. ...
- Open an Internet browser, such as Internet Explorer.
- The Connect your computer to the server page appears. ...
- In the file download security warning message, click Run.
Network technologies allow two or more computers to connect with each other. The most common of these technologies include Local Area Network (LAN), Wireless Area Network (WAN), the Internet via client servers and Bluetooth.
How do you create a connection with a client?
- Don't use a one-size-fits-all approach. ...
- Respond to concerns. ...
- Go above and beyond. ...
- Follow up. ...
- Keep it personal, not transactional. ...
- Focus on face-to-face interactions.
Enforce SSL connections
From the Computer Management console, right-click the Web site on which you want to enforce SSL and select Properties. Select the Web Site tab. In the Web Site Identification section, verify that the SSL Port field is populated with the numeric value 443.
...
and the client needs:
- The personal certificate issued to the client by CA X.
- The client's private key.
- The CA certificate for CA Y.
Types of Client Server Communication are: HTTP Push and Pull. Ajax Polling. Long Polling.
What is an example of client-server connection?
Some familiar examples of a client server system on the internet are file transfer protocol clients (FTPs), Web servers, Web browsers and DNS.
What are the two types of client-server?
- 1-tier architecture. In this category of client server architecture, the architecture contains all kinds of settings, such as configuration setting and marketing logic, on a single device. ...
- 2-tier architecture. ...
- 3-tier architecture. ...
- N-tier architecture.
Generally, most web servers running HTTPS do not require the client to have a certificate. If the server requires the client to authenticate, this is often done through credentials (e.g. username and password).
What is SSL and why do I need it?
SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. Companies and organizations need to add SSL certificates to their websites to secure online transactions and keep customer information private and secure.