Tair (Redis® OSS-Compatible): Enable TLS encryption

Last Updated: Nov 20, 2025

Tair (Redis OSS-compatible) supports the Transport Layer Security (TLS) protocol. TLS uses stronger encryption and offers higher security than the older Secure Sockets Layer (SSL) protocol. This helps protect your data during transmission.

Background information

TLS builds on the now-deprecated SSL protocol and has become the widely used standard cryptographic protocol for securing communications over a computer network. Compared with SSL, TLS has the following advantages:

  • Enhanced encryption: uses stronger algorithms, such as the Advanced Encryption Standard (AES).

  • Enhanced security: uses more secure hash algorithms and protocols, such as the Secure Hash Algorithm 2 (SHA-2) family.

  • Improved compatibility: as the current standard, it is supported by more browsers and servers and offers more protocol versions and cipher suites.

  • Timely updates: encryption algorithms and protocol versions can be updated as weaknesses are discovered.

If you want to encrypt network connections at the transport layer, we recommend that you use TLS. TLS is disabled by default.

Prerequisites

The instance must meet the following requirements:

  • The instance is a Tair (Enterprise Edition) memory-optimized or persistent memory instance, or a Redis Open-Source Edition 5.0, 6.0, or 7.0 instance.

  • The instance uses the master-replica architecture to ensure high availability.

  • If a public endpoint is allocated to the instance, release the public endpoint. You can enable TLS encryption for the instance only after the public endpoint is released.

    Note

    If a private endpoint is allocated to a local disk-based cluster instance, release the private endpoint before you enable TLS encryption for the instance.

Considerations

  • Creating a TLS connection requires multiple handshake steps, such as authentication and key exchange. These steps consume significant computing resources and time, so creating a TLS connection is much slower than creating a standard connection, and many TLS connections cannot be created in a short period. Frequently creating TLS connections also significantly increases the latency of normal requests. Therefore, use persistent TLS connections and avoid frequently creating and destroying them to minimize the performance impact.

  • After a TLS connection is established, transferring data over it incurs additional overhead because all data must be encrypted and decrypted. This overhead increases with the content size.

    Note

    The specific performance impact varies by scenario. You must perform tests to evaluate the impact in your specific environment.

  • After you enable TLS encryption, you can no longer request a public endpoint for the instance. For cluster instances in the classic network, you also cannot request a direct connection endpoint. Clients can connect to the instance only over a virtual private cloud (VPC) using TLS encryption. For connection examples, see Enable TLS (SSL) encrypted connections to an instance.

  • After you enable TLS encryption, you cannot migrate the instance to another zone.

  • After you enable TLS encryption, if you change the instance's endpoint or port number, you must update the instance's TLS certificate before you connect. Otherwise, the client reports an error such as "No subject alternative DNS name matching xxx found", because the new endpoint is not listed in the certificate.

Procedure

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click TLS Settings (SSL).

  3. Click Enable.

  4. In the dialog box that appears, select a TLS version.

    Parameter description:

    • TLSv1.3 (Recommended): RFC 8446, published in 2018. Compared with TLSv1.2, TLSv1.3 is faster and more secure.

    • TLSv1.2 (Recommended): RFC 5246, published in 2008. It uses strong encryption technology to provide a high level of security.

    • TLSv1.1: RFC 4346, published in 2006. It fixes several vulnerabilities in TLSv1.0.

    • TLSv1.0: RFC 2246, published in 1999. It is based on SSLv3.0. This version is vulnerable to various attacks, such as BEAST and POODLE.

  5. Click OK.

    Warning

    This operation restarts the instance, which may cause a transient connection error that lasts for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application is configured to automatically reconnect.

    You can then refresh the console page to check the status of the TLS feature.

    After you enable TLS, you can click Download CA Certificate on the page to import the CA certificate to your client. The downloaded file is a compressed package that contains the following three files:

    • ApsaraDB-CA-Chain.p7b: Used to import the CA certificate on Windows.

    • ApsaraDB-CA-Chain.pem: Used to import the CA certificate on other systems, such as Linux, or in applications.

    • ApsaraDB-CA-Chain.jks: A Java KeyStore (JKS) truststore that contains the CA certificate chain. It is used to import the CA certificate chain into Java programs.

    The CA certificates downloaded for different instances are the same. The certificate file is not password-protected. You can use it to connect to all Tair instances under your account.
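The considerations above (reuse TLS connections; an endpoint change breaks host name verification until the certificate is updated) and the downloaded ApsaraDB-CA-Chain.pem file translate into a few client-side settings. The following is an added example that is not part of this page or of the Tair product code. It uses only the Python standard library, except for make_redis_pool, which assumes redis-py 4.x or later is installed; the host names, port, password and SAN list are constructed placeholders, and the file name ApsaraDB-CA-Chain.pem is the one listed above.

```python
"""Client-side TLS configuration for a Tair (Redis OSS-compatible) instance.

Added example: standard-library ssl for the context and an illustrative SAN
check, plus an optional redis-py connection pool. All host names below are
constructed placeholders.
"""
import ssl
from typing import List, Optional


def build_client_context(ca_chain_pem: Optional[str] = None,
                         min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Return an SSLContext that verifies the server against the ApsaraDB CA chain.

    PROTOCOL_TLS_CLIENT already enables certificate verification and host name
    checking; the minimum protocol version is pinned so the client never
    negotiates TLSv1.0 or TLSv1.1 even if the instance still allows them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.verify_mode = ssl.CERT_REQUIRED  # explicit, so a later edit cannot silently relax it
    ctx.check_hostname = True
    if ca_chain_pem is not None:
        # Trust the downloaded chain (ApsaraDB-CA-Chain.pem) rather than the
        # OS trust store: the instance certificate is not issued by a public CA.
        ctx.load_verify_locations(cafile=ca_chain_pem)
    return ctx


def hostname_matches_san(hostname: str, san_dns_names: List[str]) -> bool:
    """Illustrative host name check modelled on the RFC 6125 rules most TLS
    libraries apply: case-insensitive exact match, or a single '*' wildcard
    that may only replace the entire left-most label.

    It shows why "No subject alternative DNS name matching ... found" appears
    after an endpoint change: the new name is simply absent from the SAN list.
    The real check is performed by the TLS library, not by application code.
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue  # a wildcard matches exactly one label, never zero or several
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def make_redis_pool(host: str, port: int, password: str, ca_chain_pem: str,
                    max_connections: int = 10):
    """Persistent TLS connection pool (assumes redis-py 4.x or later).

    Pooling keeps the number of handshakes low, as the considerations advise:
    each connection is verified once and then reused for many commands.
    """
    import redis  # imported here so the rest of the module works without redis-py

    pool = redis.ConnectionPool(
        connection_class=redis.SSLConnection,
        host=host,
        port=port,
        password=password,
        ssl_ca_certs=ca_chain_pem,   # ApsaraDB-CA-Chain.pem from the console
        ssl_cert_reqs="required",    # reject any server certificate that does not verify
        ssl_check_hostname=True,     # the endpoint must appear in the certificate's SAN list
        max_connections=max_connections,
    )
    return redis.Redis(connection_pool=pool)


if __name__ == "__main__":
    ctx = build_client_context()  # pass "ApsaraDB-CA-Chain.pem" in a real deployment
    print("minimum TLS version:", ctx.minimum_version.name)
    # Constructed SAN list: a certificate issued for the old endpoint only.
    san = ["tair-old.example.internal"]
    print("old endpoint accepted:", hostname_matches_san("tair-old.example.internal", san))
    print("new endpoint accepted:", hostname_matches_san("tair-new.example.internal", san))
```

The context builder deliberately loads only the downloaded chain and leaves the OS trust store out, so the client accepts certificates from the ApsaraDB CA and nothing else; the pool wrapper is the place to put the endpoint, port and password from the console, and should be created once per process and shared rather than rebuilt per request.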

Manage TLS encryption settings

After you enable TLS encryption for the instance, you can perform the following operations.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click TLS Settings (SSL).

  3. Perform one of the following operations as needed.

    • Update the CA certificate: On the page, click Update Certificate, and then click OK.

      When you enable TLS encryption, the certificate has a default validity period of 3 years. You cannot customize the validity period. The system initiates an O&M event to update the certificate 20 days before it expires. You can go to Event Center > Scheduled Events to change the O&M time. You can also click Update Certificate at any time. After the update, the certificate is valid for another 3 years.

      Warning

      This operation causes a transient connection error that lasts for a few seconds. Perform this operation during off-peak hours and make sure that your application is configured to automatically reconnect.

    • Change the TLS version: Click the icon to the right of TLS version, and then select the TLS version that you want to use from the drop-down list. We recommend using TLSv1.2.

      Note

      If the TLS minimum version drop-down list is unavailable, upgrade the minor version of the instance and try again. For more information, see Upgrade the minor version and proxy version.

    • Disable TLS encryption: Turn off the switch to the right of TLS Status.

      Warning

      This operation restarts the instance. A transient connection error that lasts for a few seconds may occur. Perform this operation during off-peak hours and make sure that your application is configured to automatically reconnect.

    After you update the certificate or change the TLS version, you do not need to download the certificate file again. You can continue to use the existing file.

Related API

  • ModifyInstanceTLS: Configures the TLS (SSL) encryption feature for an instance.

What to do next

Enable TLS (SSL) encrypted connections to an instance

FAQ

  • Why can't I enable the TLS feature for my instance?

    If your instance uses the read/write splitting architecture in the classic network, you cannot enable the TLS feature.