From 1a6eb388f2f6b6098a451119ab607bb1e44430f5 Mon Sep 17 00:00:00 2001 From: Ruben Perez Date: Tue, 17 Feb 2026 14:47:44 +0100 Subject: [PATCH 1/5] Initial impl --- .github/workflows/ci.yml | 4 +++ test/test_conn_tls.cpp | 48 +++++++++++++++++------------------- tools/docker-compose.yml | 49 +++++++++++++++++++------------------ tools/docker/tls/ca.crt | 21 ---------------- tools/docker/tls/ca.key | 28 --------------------- tools/docker/tls/server.crt | 19 -------------- tools/docker/tls/server.key | 28 --------------------- tools/gen-certificates.sh | 8 +++++- 8 files changed, 58 insertions(+), 147 deletions(-) delete mode 100644 tools/docker/tls/ca.crt delete mode 100644 tools/docker/tls/ca.key delete mode 100644 tools/docker/tls/server.crt delete mode 100644 tools/docker/tls/server.key diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 34af5e4a5..14d5b4210 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -233,6 +233,10 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Generate TLS certificates + run: | + ./tools/gen-certificates.sh + - name: Set up the required containers run: | BUILDER_IMAGE=${{ matrix.container }} SERVER_IMAGE=${{ matrix.server }} docker compose -f tools/docker-compose.yml up -d --wait || (docker compose logs; exit 1) diff --git a/test/test_conn_tls.cpp b/test/test_conn_tls.cpp index 8989e2e33..14dcef21b 100644 --- a/test/test_conn_tls.cpp +++ b/test/test_conn_tls.cpp @@ -10,8 +10,12 @@ #include #include #include +#include +#include #include +#include +#include #include #define BOOST_TEST_MODULE conn_tls #include 
@@ -25,37 +29,28 @@ using boost::system::error_code; namespace { -// CA certificate that signed the test server's certificate. -// This is a self-signed CA created for testing purposes. -// This must match tools/tls/ca.crt contents -static constexpr const char* ca_certificate = R"%(-----BEGIN CERTIFICATE----- -MIIDhzCCAm+gAwIBAgIUZGttu4o/Exs08EHCneeD3gHw7KkwDQYJKoZIhvcNAQEL -BQAwUjELMAkGA1UEBhMCRVMxGjAYBgNVBAoMEUJvb3N0LlJlZGlzIENJIENBMQsw -CQYDVQQLDAJJVDEaMBgGA1UEAwwRYm9vc3QtcmVkaXMtY2ktY2EwIBcNMjUwNjA3 -MTI0NzUwWhgPMjA4MDAzMTAxMjQ3NTBaMFIxCzAJBgNVBAYTAkVTMRowGAYDVQQK -DBFCb29zdC5SZWRpcyBDSSBDQTELMAkGA1UECwwCSVQxGjAYBgNVBAMMEWJvb3N0 -LXJlZGlzLWNpLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7XV -sOoHB2J/5VtyJmMOzxhBbHKyQgW1YnMvYIb1JqIm7VuICA831SUw76n3j8mIK3zz -FfK2eYyUWf4Uo2j3uxmXDyjujqzIaUJNLcB53CQXkmIbqDigNhzUTPZ5A2MQ7xT+ -t1eDbjsZ7XIM+aTShgtrpyxiccsgPJ3/XXme2RrqKeNvYsTYY6pquWZdyLOg/LOH -IeSJyL1/eQDRu/GsZjnR8UOE6uHfbjrLWls7Tifj/1IueVYCEhQZpJSWS8aUMLBZ -fi+t9YMCCK4DGy+6QlznGgVqdFFbTUt2C7tzqz+iF5dxJ8ogKMUPEeFrWiZpozoS -t60jV8fKwdXz854jLQIDAQABo1MwUTAdBgNVHQ4EFgQU2SoWvvZUW8JiDXtyuXZK -deaYYBswHwYDVR0jBBgwFoAU2SoWvvZUW8JiDXtyuXZKdeaYYBswDwYDVR0TAQH/ -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAqY4hGcdCFFPL4zveSDhR9H/akjae -uXbpo/9sHZd8e3Y4BtD8K05xa3417H9u5+S2XtyLQg5MON6J2LZueQEtE3wiR3ja -QIWbizqp8W54O5hTLQs6U/mWggfuL2R/HUw7ab4M8JobwHNEMK/WKZW71z0So/kk -W3wC0+1RH2PjMOZrCIflsD7EXYKIIr9afypAbhCQmCfu/GELuNx+LmaPi5JP4TTE -tDdhzWL04JLcZnA0uXb2Mren1AR9yKYH2I5tg5kQ3Bn/6v9+JiUhiejP3Vcbw84D -yFwRzN54bLanrJNILJhHPwnNIABXOtGUV05SZbYazJpiMst1a6eqDZhv/Q== ------END CERTIFICATE-----)%"; +// Loads the CA certificate that signed the certificate used by the server. 
+// Should be in /tmp/ +std::string load_ca_certificate() +{ + constexpr const char* ca_path = "/tmp/boost-redis-tls/ca.crt"; + std::ifstream f(ca_path); + if (!f) { + throw boost::system::system_error( + errno, + boost::system::system_category(), + "Failed to open CA certificate file"); + } + + return std::string(std::istreambuf_iterator(f), std::istreambuf_iterator()); +} static config make_tls_config() { config cfg; cfg.use_ssl = true; cfg.addr.host = get_server_hostname(); - cfg.addr.port = "16380"; + cfg.addr.port = "16379"; return cfg; } @@ -100,6 +95,7 @@ BOOST_AUTO_TEST_CASE(exec_default_ssl_context) // Users can pass a custom context with TLS config BOOST_AUTO_TEST_CASE(exec_custom_ssl_context) { + std::string ca_pem = load_ca_certificate(); auto const cfg = make_tls_config(); constexpr std::string_view ping_value = "Kabuf"; @@ -113,7 +109,7 @@ BOOST_AUTO_TEST_CASE(exec_custom_ssl_context) // Configure the SSL context to trust the CA that signed the server's certificate. // The test certificate uses "redis" as its common name, regardless of the actual server's hostname - ctx.add_certificate_authority(net::const_buffer(ca_certificate, std::strlen(ca_certificate))); + ctx.add_certificate_authority(net::buffer(ca_pem)); ctx.set_verify_mode(net::ssl::verify_peer); ctx.set_verify_callback(net::ssl::host_name_verification("redis")); diff --git a/tools/docker-compose.yml b/tools/docker-compose.yml index c524dcf18..1b9796eb8 100644 --- a/tools/docker-compose.yml +++ b/tools/docker-compose.yml 
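Review bot: In `load_ca_certificate()` (test/test_conn_tls.cpp), the `if (!f)` branch builds its `system_error` from `errno`, but the C++ standard does not promise that a failed `std::ifstream` open sets `errno`, so the reported code can be zero or stale on some platforms. The include names are not visible on this page, so it is also unclear whether `<cerrno>` is pulled in directly. The function then returns whatever the iterators produced without checking it, so an empty or truncated file only surfaces later inside `add_certificate_authority`, away from the cause. Since this string becomes the test's trust anchor, it is worth rejecting an empty result at the source, for example `auto pem = std::string(...); if (pem.empty()) throw std::runtime_error("CA certificate file is empty");`.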
@@ -9,14 +9,14 @@ services: --replica-announce-ip localhost \ --port 6379 \ --tls-port 16379 \ - --tls-cert-file /docker/tls/server.crt \ - --tls-key-file /docker/tls/server.key \ - --tls-ca-cert-file /docker/tls/ca.crt \ + --tls-cert-file /tls/server.crt \ + --tls-key-file /tls/server.key \ + --tls-ca-cert-file /tls/ca.crt \ --tls-auth-clients no \ --unixsocket /tmp/redis-socks/redis.sock \ --unixsocketperm 777' volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls - /tmp/redis-socks:/tmp/redis-socks redis-replica-1: @@ -30,13 +30,13 @@ services: "--replicaof", "localhost", "6379", "--port", "6380", "--tls-port", "16380", - "--tls-cert-file", "/docker/tls/server.crt", - "--tls-key-file", "/docker/tls/server.key", - "--tls-ca-cert-file", "/docker/tls/ca.crt", + "--tls-cert-file", "/tls/server.crt", + "--tls-key-file", "/tls/server.key", + "--tls-ca-cert-file", "/tls/ca.crt", "--tls-auth-clients", "no", ] volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls redis-replica-2: @@ -50,13 +50,13 @@ services: "--replicaof", "localhost", "6379", "--port", "6381", "--tls-port", "16381", - "--tls-cert-file", "/docker/tls/server.crt", - "--tls-key-file", "/docker/tls/server.key", - "--tls-ca-cert-file", "/docker/tls/ca.crt", + "--tls-cert-file", "/tls/server.crt", + "--tls-key-file", "/tls/server.key", + "--tls-ca-cert-file", "/tls/ca.crt", "--tls-auth-clients", "no", ] volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls sentinel-1: @@ -67,9 +67,9 @@ services: sh -c 'cat << EOF > /etc/sentinel.conf && redis-sentinel /etc/sentinel.conf port 26379 tls-port 36379 - tls-cert-file /docker/tls/server.crt - tls-key-file /docker/tls/server.key - tls-ca-cert-file /docker/tls/ca.crt + tls-cert-file /tls/server.crt + tls-key-file /tls/server.key + tls-ca-cert-file /tls/ca.crt tls-auth-clients no sentinel resolve-hostnames yes sentinel announce-hostnames yes 
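Review bot: The new `- /tmp/boost-redis-tls:/tls` volume in this hunk, and the identical line in the replica and sentinel hunks that follow, binds the whole generated directory read-write into every server container. That directory also holds `ca.key`, which `gen-certificates.sh` writes next to the certificates, while the servers are only pointed at `server.crt`, `server.key` and `ca.crt`. Mounting it read-only, `- /tmp/boost-redis-tls:/tls:ro`, would stop a container from altering the material the tests later trust. The same applies to the `/opt/ci-tls:/tls` form that a later patch in this series switches to.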
@@ -80,7 +80,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls sentinel-2: @@ -91,9 +91,9 @@ services: sh -c 'cat << EOF > /etc/sentinel.conf && redis-sentinel /etc/sentinel.conf port 26380 tls-port 36380 - tls-cert-file /docker/tls/server.crt - tls-key-file /docker/tls/server.key - tls-ca-cert-file /docker/tls/ca.crt + tls-cert-file /tls/server.crt + tls-key-file /tls/server.key + tls-ca-cert-file /tls/ca.crt tls-auth-clients no sentinel resolve-hostnames yes sentinel announce-hostnames yes @@ -104,7 +104,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls sentinel-3: container_name: sentinel-3 @@ -114,9 +114,9 @@ services: sh -c 'cat << EOF > /etc/sentinel.conf && redis-sentinel /etc/sentinel.conf port 26381 tls-port 36381 - tls-cert-file /docker/tls/server.crt - tls-key-file /docker/tls/server.key - tls-ca-cert-file /docker/tls/ca.crt + tls-cert-file /tls/server.crt + tls-key-file /tls/server.key + tls-ca-cert-file /tls/ca.crt tls-auth-clients no sentinel resolve-hostnames yes sentinel announce-hostnames yes @@ -127,7 +127,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - ./docker:/docker + - /tmp/boost-redis-tls:/tls builder: @@ -137,4 +137,5 @@ services: tty: true volumes: - ../:/boost-redis + - /tmp/boost-redis-tls:/tmp/boost-redis-tls - /tmp/redis-socks:/tmp/redis-socks diff --git a/tools/docker/tls/ca.crt b/tools/docker/tls/ca.crt deleted file mode 100644 index ac241b89c..000000000 --- a/tools/docker/tls/ca.crt +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDhzCCAm+gAwIBAgIUZGttu4o/Exs08EHCneeD3gHw7KkwDQYJKoZIhvcNAQEL -BQAwUjELMAkGA1UEBhMCRVMxGjAYBgNVBAoMEUJvb3N0LlJlZGlzIENJIENBMQsw -CQYDVQQLDAJJVDEaMBgGA1UEAwwRYm9vc3QtcmVkaXMtY2ktY2EwIBcNMjUwNjA3 -MTI0NzUwWhgPMjA4MDAzMTAxMjQ3NTBaMFIxCzAJBgNVBAYTAkVTMRowGAYDVQQK -DBFCb29zdC5SZWRpcyBDSSBDQTELMAkGA1UECwwCSVQxGjAYBgNVBAMMEWJvb3N0 -LXJlZGlzLWNpLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7XV -sOoHB2J/5VtyJmMOzxhBbHKyQgW1YnMvYIb1JqIm7VuICA831SUw76n3j8mIK3zz -FfK2eYyUWf4Uo2j3uxmXDyjujqzIaUJNLcB53CQXkmIbqDigNhzUTPZ5A2MQ7xT+ -t1eDbjsZ7XIM+aTShgtrpyxiccsgPJ3/XXme2RrqKeNvYsTYY6pquWZdyLOg/LOH -IeSJyL1/eQDRu/GsZjnR8UOE6uHfbjrLWls7Tifj/1IueVYCEhQZpJSWS8aUMLBZ -fi+t9YMCCK4DGy+6QlznGgVqdFFbTUt2C7tzqz+iF5dxJ8ogKMUPEeFrWiZpozoS -t60jV8fKwdXz854jLQIDAQABo1MwUTAdBgNVHQ4EFgQU2SoWvvZUW8JiDXtyuXZK -deaYYBswHwYDVR0jBBgwFoAU2SoWvvZUW8JiDXtyuXZKdeaYYBswDwYDVR0TAQH/ -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAqY4hGcdCFFPL4zveSDhR9H/akjae -uXbpo/9sHZd8e3Y4BtD8K05xa3417H9u5+S2XtyLQg5MON6J2LZueQEtE3wiR3ja -QIWbizqp8W54O5hTLQs6U/mWggfuL2R/HUw7ab4M8JobwHNEMK/WKZW71z0So/kk -W3wC0+1RH2PjMOZrCIflsD7EXYKIIr9afypAbhCQmCfu/GELuNx+LmaPi5JP4TTE -tDdhzWL04JLcZnA0uXb2Mren1AR9yKYH2I5tg5kQ3Bn/6v9+JiUhiejP3Vcbw84D -yFwRzN54bLanrJNILJhHPwnNIABXOtGUV05SZbYazJpiMst1a6eqDZhv/Q== ------END CERTIFICATE----- diff --git a/tools/docker/tls/ca.key b/tools/docker/tls/ca.key deleted file mode 100644 index ab64d6625..000000000 --- a/tools/docker/tls/ca.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7tdWw6gcHYn/l -W3ImYw7PGEFscrJCBbVicy9ghvUmoibtW4gIDzfVJTDvqfePyYgrfPMV8rZ5jJRZ -/hSjaPe7GZcPKO6OrMhpQk0twHncJBeSYhuoOKA2HNRM9nkDYxDvFP63V4NuOxnt -cgz5pNKGC2unLGJxyyA8nf9deZ7ZGuop429ixNhjqmq5Zl3Is6D8s4ch5InIvX95 -ANG78axmOdHxQ4Tq4d9uOstaWztOJ+P/Ui55VgISFBmklJZLxpQwsFl+L631gwII -rgMbL7pCXOcaBWp0UVtNS3YLu3OrP6IXl3EnyiAoxQ8R4WtaJmmjOhK3rSNXx8rB -1fPzniMtAgMBAAECggEAffDzTf7G9oJ08yrWvMCrl/FbO+r8hOWVnFdSCz6hTulu -msRV0ap8OGr6mWJ9ciCyVxM/eZNeMNFMW9DogfcUd5kkzAwXeuycjlros3C3kic5 -FYLzsXtEqunO21BnQwl9vBtnBxYVXakTrUdfQ0P95+fTs9dIubaii2kqg8ns9RY+ -ebz2vnviNQaVL4WK3ohX+PJ7pimAM8KAwHl7e1RQn/ORghSycr9TAZKEqeZRlvtW -2TJBTknyr0Uo8KNi5L4nxi1qspgm9W7lFcmmv2cIkQsWFZvRY3a7iYsD6DOt2kaA -yFYlW6+n2V0uE6sYxZKe++VnSsueSDPzhmpRsiQONQKBgQDjV+vyoWqEaZoTVIpI -Ody1cOWwaqp0xnzaB/xsGYCWiW2wTWkq5Xpkp+Ia9w3YhHSEp7y6QYzNtofF8008 -LNKWynrhvq9isfrxcz5aqqf3ZYpFbJrxLJMzmF+H70G0HO/cXKg0FAYNnq1arkUZ -kQHWV8u/Bov5mLv9tVpmhzP7FwKBgQDTXwCqdJ1vNnZyXGhgCGVvMp6l1gw7RoF6 -LxrP4bR5vNhTa5xs8ibxpj2jd2ZmdzV6Y1r2imedsbKNlnvgDMVIWBtYWBFqjz9q -I88xtfiHLj1rFI21aI4TrWhxafmSBC6gli+1I840l6DtVE8xT/qCDveP/Umzivj8 -XLd+y8BuWwKBgQDXzWPZw0ObQarR4pQJD3Pkf7BokDgR9UAary37ZxHa08Vdb33/ -DCnsVjiZJB7ugn0gVyEdJJAFzdiAHP4ZuuqD3NxcYWeWph/xBlYQNqKOgsKIOBm0 -CX4JogA8xu51jGpboVDBbqh4UUF5LKfHJxC5aEmtoQdJ/KOmp3mSjZDYLQKBgFtW -klMWUXHddxG0HOZiunJyzVucQ2zZ6tmBwXRTdEmm8VQbDF2Hxoxl6fzZe8aLfPCG -PqiK5nuebioA/Ua0PgwlBqwGYoBJpn2XO9GfcOX5dVDwcMwTglG+fYOE5/PRGtUK -EVOVRWY0n7Xu2MnWZcoN7ayrJ04On8ltx11jbqRBAoGBAKvtJS0dKpsP6WvIrjQR -pqVxrpxnhWsgbSRNqCAFsqKwEGsrIXXVQIcOyrNSm1l6GxCWm7lnmkEcvddGy67f -0H/LqMItt1G5Dex96Zslhainz0oEE2yVX1x2H4qb0A1vEjviC/RVxFBheZrkWtEP -zQx9D/Gk2S471503xdYgUAv3 ------END PRIVATE KEY----- diff --git a/tools/docker/tls/server.crt b/tools/docker/tls/server.crt deleted file mode 100644 index a91efaea4..000000000 --- a/tools/docker/tls/server.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDITCCAgkCFHexGHCisYJHDP/5HAFcT32jXvf8MA0GCSqGSIb3DQEBCwUAMFIx -CzAJBgNVBAYTAkVTMRowGAYDVQQKDBFCb29zdC5SZWRpcyBDSSBDQTELMAkGA1UE -CwwCSVQxGjAYBgNVBAMMEWJvb3N0LXJlZGlzLWNpLWNhMCAXDTI1MDYwNzEyNDc1 -MFoYDzIwODAwMzEwMTI0NzUwWjBGMQswCQYDVQQGEwJFUzEaMBgGA1UECgwRQm9v -c3QuUmVkaXMgQ0kgQ0ExCzAJBgNVBAsMAklUMQ4wDAYDVQQDDAVyZWRpczCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeG8SyA6sOzdWn/G0KlugX1Se1e -S3xNSjk6pgaB6OELU1T8NRz3wpHlc2xGY6mEbZjBx/CEG7kukU6SLPPrwEu3cxDZ -wgxVyYaoVE5lD5Ue5lsowegO/jYsuDtB1ZbOby39LO3fLAte+aoLAoZam9Vpoatm -QvmYqgITSGGEPJSOapdu7UQBt0mcy1vY1eD+vNcZ/epk/cWBA5MU6hbGCa+8Mkky -tsDZ72D+OmdqZUJ4sSVU0fVZxjsQFhideUAu17UGYPqrQrvtzXMxDtMY7p4aBa+b -7QNfZ3wjNXnskXiDbiJ2F9UHamtTSd6IdXfU520davfeYJHfpr0NNZeS3IMCAwEA -ATANBgkqhkiG9w0BAQsFAAOCAQEAZitqMQOMwkYp9vfb4qdkuxoOIBq6Sx6aSXen -rS1N2g5eIhOV7mDyOgxPLVT3kZDsGKYGpbrjHFoYd9zALO0ZY05Vgm2Hlg10oCjq -iEdWr+PDDSRH762n4MNXZToG3ijPXNfNbMwDuXg0fG96P9D19dOsGwRUBWnaG8F0 -v3K+rEOXZNVZU4v7FhyNUmyqdpk2TQpj+k5aBwdOAWGfExeOo36AGJ5+JRR/85DA -rEPISY29eUwH8q+Pmj2DZ3YNee+6f/YvkO4+Ms9h74KqaIr/R/jeLnlUPx7szFmu -Ko9+AB0KA84HwkZhf1lPZrxouEqD5JZQ8xvjqhSFG/BxvqgW+w== ------END CERTIFICATE----- diff --git a/tools/docker/tls/server.key b/tools/docker/tls/server.key deleted file mode 100644 index d425eaba6..000000000 --- a/tools/docker/tls/server.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCXhvEsgOrDs3Vp -/xtCpboF9UntXkt8TUo5OqYGgejhC1NU/DUc98KR5XNsRmOphG2YwcfwhBu5LpFO -kizz68BLt3MQ2cIMVcmGqFROZQ+VHuZbKMHoDv42LLg7QdWWzm8t/Szt3ywLXvmq -CwKGWpvVaaGrZkL5mKoCE0hhhDyUjmqXbu1EAbdJnMtb2NXg/rzXGf3qZP3FgQOT -FOoWxgmvvDJJMrbA2e9g/jpnamVCeLElVNH1WcY7EBYYnXlALte1BmD6q0K77c1z -MQ7TGO6eGgWvm+0DX2d8IzV57JF4g24idhfVB2prU0neiHV31OdtHWr33mCR36a9 -DTWXktyDAgMBAAECggEAFHUTen6tM163K2hVtdnKE6PaJ0HjzxRgQPm6EIbZegid -Z4vlX9PTYP8pZiTar7hBU65V4BL16zpuQ71YdFYP0CkkT9IWcLPkUVnIiAz83ZUe -ZJBMHZhomcfP17A7tfCI8hyMRFEtERvxeROjc6AoCdgJC6ryv9/sk/smeoPv6d5b -NyRBA1TbQ7yV/Z1yTymkGsUHDSzqnogrB3/t8DCpbGHWj5mUCiQP0rTFAhjQNG0g -xaOfJEf/zyQNBREz2G/0d00ZhPx8CdwRuKVCNX+z/3hrJm4BGyiN8/B246TBZR6B -8Bv3bXwl7udCWgbc8yLxhDQQnxmr/0hEz3uKoMBdgQKBgQDFxHJy6Ko+2b4RICir -zCtx4xM5cU5MoFVvJPatYxmPBnDUGGgkxAtuKyHzerI0dX6yk9BJtR7Uy0HyTLv+ -2iCBcukq1ssI6GFgV+SCoqFq+DZfDEho11UlAeXtvYLsUxOTdlbyqg72q74gh1rb -jD9kG+9bycwWlhnWbkyNDT0aJwKBgQDEJPCrNTYuHqFW3wC3X3lj0uTrwh3fkeDF -gqIDwhCoHSnzrNo0XkAY2v5PhYyb0ThW6Gvbz/6k2MdOlcT7Ru4Ff6Nv8isw2N5+ -GT7PALrTwjtM3O10KtWvXgvleeB44dofsFlBmJTSysYyGVeGppxSgLM+TqRA7cLq -7up+DuCwRQKBgQCBeNeYhNuX5AM7wPr/Zd33ZDrcu2IQZlMoPWHFJ4C/Eu9g202q -7DGzgUdr2CK8l0NH899DsfCqTRsyXqwg73qiZLFjm1U20rOVWFVAdOoKVs95sFfj -Uz3pyXFXEF+bCdRiEPJhUZYURWFmeFayLwH9LxCn3dff3YqyyGkTWtxqtwKBgQCg -F5KD+zuMqx1+nSelg/y9WF3We6sMVrHCI9x++r/Dp4IdTKERCzh/0Qau+08Hwt2c -OboHQJ4UCIesgZu0iHEv9bz9Wwibpvb6rzpPlMXonujt1IjPP0MIDtfg5fgsUhNJ -uBMx8grOfgkEzSBeW9DNmhQyr9dq02U7gePNHfGQjQKBgQCw4LlrJHaWIAvh9hgH -MAYtlkxJkZwASWCntab241ZXQvD27+Nuc/wlBWN/unGJ2ip++IOHpG0rRtg58/lH -6/lzJ9wBISD5JOPU7av/iBirz9r3A5j7es9V3qer/69D+qh7lZHuKWHkOdgorgH0 -3XVmr7yPNQQs4Jw/JKrMmVHX6A== ------END PRIVATE KEY----- diff --git a/tools/gen-certificates.sh b/tools/gen-certificates.sh index 491e50324..7597e27b4 100755 --- a/tools/gen-certificates.sh +++ b/tools/gen-certificates.sh 
@@ -7,10 +7,16 @@ # # Generates the ca and certificates used for CI testing. -# Run this in the directory where you want the certificates to be generated. set -e +out_dir=/tmp/boost-redis-tls/ + +# Clean up results from previous runs +rm -rf $out_dir +mkdir $out_dir +cd $out_dir + # CA private key openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048 From ba8b6fdb6f227beb3f83221a73ad193feba3a7dd Mon Sep 17 00:00:00 2001 From: Ruben Perez Date: Tue, 17 Feb 2026 14:50:46 +0100 Subject: [PATCH 2/5] env var customization --- test/common.cpp | 2 +- test/common.hpp | 2 ++ test/test_conn_tls.cpp | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/test/common.cpp b/test/common.cpp index 54b3697f6..e13de33a6 100644 --- a/test/common.cpp +++ b/test/common.cpp @@ -37,7 +37,7 @@ void run( conn->async_run(cfg, run_callback{conn, op, ec}); } -static std::string safe_getenv(const char* name, const char* default_value) +std::string safe_getenv(const char* name, const char* default_value) { // MSVC doesn't like getenv #ifdef BOOST_MSVC diff --git a/test/common.hpp b/test/common.hpp index 569a7bcd5..1dafbe260 100644 --- a/test/common.hpp +++ b/test/common.hpp @@ -47,3 +47,5 @@ std::string_view find_client_info(std::string_view client_info, std::string_view void create_user(std::string_view port, std::string_view username, std::string_view password); boost::redis::logger make_string_logger(std::string& to); + +std::string safe_getenv(const char* name, const char* default_value); diff --git a/test/test_conn_tls.cpp b/test/test_conn_tls.cpp index 14dcef21b..bd553be0c 100644 --- a/test/test_conn_tls.cpp +++ b/test/test_conn_tls.cpp 
@@ -33,13 +33,13 @@ namespace { // Should be in /tmp/ std::string load_ca_certificate() { - constexpr const char* ca_path = "/tmp/boost-redis-tls/ca.crt"; + auto ca_path = safe_getenv("BOOST_REDIS_CA_PATH", "/tmp/boost-redis-tls/ca.crt"); std::ifstream f(ca_path); if (!f) { throw boost::system::system_error( errno, boost::system::system_category(), - "Failed to open CA certificate file"); + "Failed to open CA certificate file '" + ca_path + "'"); } return std::string(std::istreambuf_iterator(f), std::istreambuf_iterator()); From 1f406497e26c83ccee89b5ecdebea3ccc63e3753 Mon Sep 17 00:00:00 2001 From: Ruben Perez Date: Tue, 17 Feb 2026 14:58:48 +0100 Subject: [PATCH 3/5] Change default, allow customization --- .github/workflows/ci.yml | 2 ++ test/test_conn_tls.cpp | 4 ++-- tools/docker-compose.yml | 14 +++++++------- tools/gen-certificates.sh | 8 +------- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14d5b4210..7b1ed9615 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -235,6 +235,8 @@ jobs: - name: Generate TLS certificates run: | + mkdir /opt/ci-tls + cd /opt/ci-tls ./tools/gen-certificates.sh - name: Set up the required containers diff --git a/test/test_conn_tls.cpp b/test/test_conn_tls.cpp index bd553be0c..9e588884e 100644 --- a/test/test_conn_tls.cpp +++ b/test/test_conn_tls.cpp @@ -33,7 +33,7 @@ namespace { // Should be in /tmp/ std::string load_ca_certificate() { - auto ca_path = safe_getenv("BOOST_REDIS_CA_PATH", "/tmp/boost-redis-tls/ca.crt"); + auto ca_path = safe_getenv("BOOST_REDIS_CA_PATH", "/opt/ci-tls/ca.crt"); std::ifstream f(ca_path); if (!f) { throw boost::system::system_error( @@ -45,7 +45,7 @@ std::string load_ca_certificate() return std::string(std::istreambuf_iterator(f), std::istreambuf_iterator()); } -static config make_tls_config() +config make_tls_config() { config cfg; cfg.use_ssl = true; 
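Review bot: The comment above `load_ca_certificate()` still reads `// Should be in /tmp/` in the `@@ -33,7 +33,7 @@` hunk of patch 3, but by then the path comes from `BOOST_REDIS_CA_PATH` and defaults to `/opt/ci-tls/ca.crt`. The comment should follow the code, for example `// Path is taken from BOOST_REDIS_CA_PATH; defaults to /opt/ci-tls/ca.crt, the directory tools/docker-compose.yml mounts.` It is also worth stating there that the file is used as the trust anchor for the custom-context test, so pointing the variable elsewhere changes which CA the test accepts. The function body continues outside this hunk.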
diff --git a/tools/docker-compose.yml b/tools/docker-compose.yml index 1b9796eb8..14c3f45af 100644 --- a/tools/docker-compose.yml +++ b/tools/docker-compose.yml @@ -16,7 +16,7 @@ services: --unixsocket /tmp/redis-socks/redis.sock \ --unixsocketperm 777' volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls - /tmp/redis-socks:/tmp/redis-socks redis-replica-1: @@ -36,7 +36,7 @@ services: "--tls-auth-clients", "no", ] volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls redis-replica-2: @@ -56,7 +56,7 @@ services: "--tls-auth-clients", "no", ] volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls sentinel-1: @@ -80,7 +80,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls sentinel-2: @@ -104,7 +104,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls sentinel-3: container_name: sentinel-3 @@ -127,7 +127,7 @@ services: sentinel parallel-syncs mymaster 1 EOF' volumes: - - /tmp/boost-redis-tls:/tls + - /opt/ci-tls:/tls builder: @@ -137,5 +137,5 @@ services: tty: true volumes: - ../:/boost-redis - - /tmp/boost-redis-tls:/tmp/boost-redis-tls + - /opt/ci-tls:/opt/ci-tls - /tmp/redis-socks:/tmp/redis-socks diff --git a/tools/gen-certificates.sh b/tools/gen-certificates.sh index 7597e27b4..491e50324 100755 --- a/tools/gen-certificates.sh +++ b/tools/gen-certificates.sh @@ -7,16 +7,10 @@ # # Generates the ca and certificates used for CI testing. +# Run this in the directory where you want the certificates to be generated. set -e -out_dir=/tmp/boost-redis-tls/ - -# Clean up results from previous runs -rm -rf $out_dir -mkdir $out_dir -cd $out_dir - # CA private key openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048 From d4233b2ad728145b38fb2a37d82118e38f40d167 Mon Sep 17 00:00:00 2001 
From: Ruben Perez Date: Tue, 17 Feb 2026 15:06:56 +0100 Subject: [PATCH 4/5] Gen fixes --- .github/workflows/ci.yml | 2 -- tools/gen-certificates.sh | 6 +++++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b1ed9615..14d5b4210 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -235,8 +235,6 @@ jobs: - name: Generate TLS certificates run: | - mkdir /opt/ci-tls - cd /opt/ci-tls ./tools/gen-certificates.sh - name: Set up the required containers diff --git a/tools/gen-certificates.sh b/tools/gen-certificates.sh index 491e50324..aa199b61b 100755 --- a/tools/gen-certificates.sh +++ b/tools/gen-certificates.sh @@ -7,10 +7,14 @@ # # Generates the ca and certificates used for CI testing. -# Run this in the directory where you want the certificates to be generated. +# Usage: gen-certificates.sh [output-dir] set -e +OUTPUT_DIR="${1:-/opt/ci-tls}" +mkdir -p "$OUTPUT_DIR" +cd "$OUTPUT_DIR" + # CA private key openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048 From 55a0ade43b1be15f356474bf612bbc6ffd4eb40d Mon Sep 17 00:00:00 2001 From: Ruben Perez Date: Tue, 17 Feb 2026 15:15:55 +0100 Subject: [PATCH 5/5] perm fixes --- tools/gen-certificates.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/gen-certificates.sh b/tools/gen-certificates.sh index aa199b61b..98cdabd62 100755 --- a/tools/gen-certificates.sh +++ b/tools/gen-certificates.sh @@ -32,3 +32,7 @@ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -out server.crt -days 20000 -sha256 rm server.csr rm ca.srl + +# Required when running with Docker because of mismatched user IDs +chmod 444 * +
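Review bot: The new usage line `# Usage: gen-certificates.sh [output-dir]` in patch 4 does not say what happens when the argument is omitted, or that other files depend on the default. `tools/docker-compose.yml` mounts `/opt/ci-tls` and `load_ca_certificate()` falls back to `/opt/ci-tls/ca.crt`, so a custom directory only works if the compose mounts are edited and `BOOST_REDIS_CA_PATH` is set for the tests. Suggested wording: `# Usage: gen-certificates.sh [output-dir]   (default: /opt/ci-tls, the path docker-compose.yml mounts; set BOOST_REDIS_CA_PATH when overriding)`.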
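Review bot: `chmod 444 *` in patch 5 applies to every file in the output directory, so `ca.key` becomes world-readable along with the files the containers actually need. Nothing visible in this series uses the CA key after `server.crt` is signed, so it could be removed next to `server.csr` and `ca.srl` with `rm ca.key`, and the permission change limited to `chmod 444 ca.crt server.crt server.key`. The comment above it could also say that these are throwaway CI keys, which is why a readable `server.key` is acceptable. Read-only outputs also mean that a second run into the same directory will presumably fail under `set -e` unless run as root, so an `rm -f` of the previous outputs before generation is worth adding. The script body between the two hunks is not visible here.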