Tair (Redis OSS-compatible) supports the Transport Layer Security (TLS) protocol to encrypt the connections between your clients and your instance and thereby protect data in transit. Compared with the SSL protocol that it replaces, TLS uses stronger encryption algorithms and provides better security.
Background information
TLS builds on the now-deprecated SSL protocol and has become the widely used standard cryptographic protocol for securing communications over a computer network. Compared with SSL, TLS has the following advantages:
Stronger encryption: uses more robust encryption algorithms, such as the Advanced Encryption Standard (AES).
Stronger integrity and authentication: uses more secure hash algorithms and handshake mechanisms, such as the Secure Hash Algorithm 2 (SHA-2) family.
Better compatibility: as the current standard, it is supported by more browsers, servers, and client libraries, and offers more protocol versions and cipher suites.
Ongoing maintenance: the protocol is actively maintained, so new protocol versions and algorithms are standardized and weak ones are deprecated over time.
For these reasons, we recommend that you use TLS if you want to encrypt network connections at the transport layer. By default, TLS is disabled on an instance.
Prerequisites
The instance for which you want to enable TLS encryption meets the following requirements:
The instance is a Tair (Enterprise Edition) DRAM-based or persistent memory-optimized instance or a Redis Open-Source Edition 5.0, 6.0, or 7.0 instance.
The instance uses the master-replica architecture to ensure high availability.
If a public endpoint is allocated to the instance, release the public endpoint. You can enable TLS encryption for the instance only after the public endpoint is released.
Note: If a private endpoint is allocated to a local disk-based cluster instance, release the private endpoint before you enable TLS encryption for the instance.
Precautions
Creating a TLS connection involves several handshake steps, including certificate authentication and key exchange. These steps consume significant CPU time and add network round trips, so creating a TLS connection is significantly slower than creating a plaintext connection, and only a limited number of TLS connections can be established in a short period of time. If your client creates TLS connections frequently, request processing is severely delayed. Therefore, we recommend that you use persistent (long-lived) TLS connections to amortize the handshake cost, and that you avoid frequently opening and closing TLS connections.
After a TLS connection is established, all data transmitted over it is encrypted and decrypted, which incurs additional CPU overhead and slightly increases the amount of data transmitted.
Note: Performance impacts depend on the business scenario. Run tests in your own environment to evaluate the impact on your workload.
After you enable TLS encryption for an instance, you cannot apply for a public endpoint for the instance. If you enable TLS encryption for a classic cluster instance, you also cannot apply for a private endpoint for the instance. Your client can connect to the instance only over a virtual private cloud (VPC) and the TLS protocol. For more information about how to connect to an instance for which TLS is enabled, see Use a client to connect to an instance for which TLS (SSL) encryption is enabled.
After TLS encryption is enabled for an instance, the instance cannot be migrated across zones.
If you change the endpoint or port number of an instance for which TLS encryption is enabled, renew the TLS certificate of the instance before you connect to it. Otherwise, the client rejects the certificate because its subject alternative name (SAN) no longer matches the endpoint, and an error such as "No subject alternative DNS name matching xxx found" is returned.
Procedure
Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click TLS Settings (SSL).
Click Enable.
In the dialog box that appears, select a TLS version.
Valid values of the TLS version parameter:
TLSv1.3 (recommended): TLS 1.3 was released in 2018 and its specifications are defined in RFC 8446. Compared with TLS 1.2, TLS 1.3 facilitates faster and more secure communication.
TLSv1.2 (recommended): TLS 1.2 was released in 2008 and its specifications are defined in RFC 5246. This version comes with more powerful encryption technologies and enhanced security.
TLSv1.1: TLS 1.1 was released in 2006 and its specifications are defined in RFC 4346. This version includes fixes for known vulnerabilities found in TLS 1.0.
TLSv1.0: TLS 1.0 was released in 1999 and its specifications are defined in RFC 2246. As an upgraded version of SSL 3.0, TLS 1.0 is susceptible to attacks such as BEAST and POODLE.
TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996 in 2021. Select them only if a legacy client cannot be upgraded, and plan to move that client to TLS 1.2 or later.
Click OK.
Warning: This operation may cause a brief disconnection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
You can refresh the page to update the TLS status of the instance.
After you enable TLS, you can click Download SSL Certificate to export the CA certificate to your client. The downloaded package contains the following files:
ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.
ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into non-Windows systems such as Linux, or directly into applications and client libraries.
The CA certificate is the same for all instances and can be used to connect to any instance for which TLS is enabled.
Manage TLS settings
After you enable TLS for your instance, you can perform the following operations:
Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click TLS Settings (SSL).
Perform one of the following operations based on your business requirements:
Update the certificate: On the page that appears, click Update Certificate. Then, click OK.
After you enable TLS, the TLS certificate of the instance is issued with a default validity period of three years. You cannot specify a custom validity period. Tair (Redis OSS-compatible) initiates proactive O&M 20 days before the certificate expires to extend its validity period, and you can choose to change the O&M time. Alternatively, click Update Certificate to renew the certificate immediately. After the certificate is renewed, its validity is extended for another three years.
Warning: This operation may cause a brief disconnection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
Change the TLS version: Click the icon to the right of TLS version, and select the version that you want from the drop-down list. We recommend TLSv1.2 or later.
Note: If the Minimum TLS Version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version of an instance.
Disable TLS encryption: Turn off TLS Status.
Warning: This operation may cause a brief disconnection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
After you renew the certificate or change the TLS version, you do not need to download the CA certificate again: the CA certificate is the same for all instances and does not change when the certificate of an instance is renewed.
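The following is an added example, not code from the Tair documentation or from any Tair client library. It is a minimal Python client that puts the points above into practice: it trusts only the ApsaraDB-CA-Chain.pem file downloaded in the previous section, refuses anything below TLS 1.2, verifies the endpoint name against the certificate's subject alternative name (the check behind the "No subject alternative DNS name matching xxx found" error), keeps one connection open for many commands as the Precautions recommend, and reports whether the server certificate is inside the 20-day renewal window described under Update the certificate. The endpoint, port, password and the CA file path are assumed inputs supplied by the caller; the RESP framing and the renewal check are the example's own code.

```python
# Added example, not Tair's own code. Assumes the console's CA bundle is saved as ApsaraDB-CA-Chain.pem.
import socket
import ssl
import time

RENEWAL_WINDOW_DAYS = 20  # proactive O&M renews the certificate 20 days before expiry


def make_tls_context(ca_path=None):
    """Client context: TLS 1.2+ only, chain verified against ca_path (system store if None)."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if the instance offers them
    ctx.check_hostname = True                     # the SAN must match the endpoint we dial
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class Incomplete(Exception): pass  # parse_reply needs more bytes before it can return a reply
class RespError(Exception): pass  # a '-ERR ...' style error reply from the server


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (the Redis wire format)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_reply(buf):
    """Parse one RESP reply from buf; return (value, unconsumed bytes)."""
    if b"\r\n" not in buf:
        raise Incomplete()
    kind, (line, _, rest) = buf[:1], buf[1:].partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RespError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete()
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unexpected RESP type byte %r" % kind)


def days_until_expiry(not_after, now=None):
    """Days left on a certificate; not_after is getpeercert()['notAfter'], e.g. 'Jun 17 08:48:47 2028 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def needs_renewal(not_after, now=None):
    """True once the certificate is inside the 20-day renewal window or already expired."""
    return days_until_expiry(not_after, now) <= RENEWAL_WINDOW_DAYS


class TlsRedisConnection:
    """One long-lived TLS connection reused for many commands; the handshake is the costly part."""

    def __init__(self, host, port, ctx, timeout=5.0):
        raw = socket.create_connection((host, port), timeout=timeout)
        # server_hostname drives SNI and the SAN check; a mismatch raises ssl.SSLCertVerificationError
        # here (Java clients report it as "No subject alternative DNS name matching <host> found").
        self.sock = ctx.wrap_socket(raw, server_hostname=host)
        self.buf = b""

    def command(self, *args):
        self.sock.sendall(encode_command(*args))
        while True:
            try:
                value, self.buf = parse_reply(self.buf)
            except Incomplete:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the TLS connection")
                self.buf += chunk
                continue
            if isinstance(value, RespError):
                raise value
            return value

    def close(self):
        self.sock.close()


def check_instance(host, port, password, ca_path="ApsaraDB-CA-Chain.pem"):
    """Connect once, authenticate, PING, and report the TLS version and certificate expiry."""
    conn = TlsRedisConnection(host, port, make_tls_context(ca_path))
    try:
        conn.command("AUTH", password)  # use ("AUTH", user, password) for ACL accounts
        assert conn.command("PING") == "PONG"
        not_after = conn.sock.getpeercert()["notAfter"]
        print("TLS %s, certificate expires %s, inside renewal window: %s"
              % (conn.sock.version(), not_after, needs_renewal(not_after)))
    finally:
        conn.close()
```

Call check_instance() with the instance's VPC endpoint, port and password from a host inside the VPC. Because the context requires TLS 1.2 or later, the connection fails cleanly if the instance is configured for TLSv1.0 or TLSv1.1, and because check_hostname is on, a changed endpoint shows up as a certificate verification error rather than a silent downgrade. Keep the TlsRedisConnection object alive for the life of the process instead of reconnecting per request.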
Related API operations
API operation | Description |
Modifies the TLS (SSL) settings of an instance. |
What to do next
Use a client to connect to an instance for which TLS (SSL) encryption is enabled
FAQ
Why am I unable to enable TLS for my instance?
If your instance is a classic instance that uses the read/write splitting architecture, you cannot enable TLS for the instance.