Last updated: 2026-02-11
Redis TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Redis to encrypt connections between clients and the server. Redis 6.0 introduced native TLS support, eliminating the need for external tools like stunnel.
Prerequisites
- Redis 6.0 or later (compiled with TLS support)
- OpenSSL 1.1.1 or later
- SSL certificates (server certificate, private key, and CA certificate)
Redis must be compiled with TLS support. Check without starting a server by asking the redis-cli binary from the same build or package whether it accepts --tls:
redis-cli --tls --version
A TLS-enabled build prints its version. A build without TLS rejects the flag with "Unrecognized option or bad number of args for: '--tls'", because the option only exists when Redis is compiled against OpenSSL. For a dynamically linked server binary the same information shows in its libraries:
ldd "$(command -v redis-server)" | grep -E 'libssl|libcrypto'
If TLS support is missing, rebuild Redis with BUILD_TLS=yes:
make BUILD_TLS=yes
Most distribution packages are TLS-enabled, but the RHEL/CentOS AppStream Redis packages are not compiled with TLS support. On RHEL/CentOS, install Redis from the official redis.io repository or the Remi repository to get a TLS-enabled build, and rerun the check above on whatever package you end up with.
Server Configuration
Add the following settings to your Redis configuration file (/etc/redis/redis.conf).
Enable TLS and Disable Plaintext
To accept only TLS connections, set the TLS port and disable the plaintext port:
tls-port 6379
port 0
Setting port 0 disables the unencrypted listener entirely. If you need to support both during a migration, you can run both temporarily:
tls-port 6380
port 6379
Certificate Files
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-cert-file and tls-key-file identify this server to clients (and, on a replica or cluster node, to its peers). tls-ca-cert-file is the trust anchor: it validates client certificates when tls-auth-clients is enabled and the primary's certificate when this instance is a replica. Keep the private key readable only by the user Redis runs as, and keep the CA's private key off the Redis host; only the CA certificate belongs there.
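As an added example (not part of this guide), the following script produces the three files above with OpenSSL 1.1.1 or later: a private CA, a server certificate whose subjectAltName matches the host name clients will connect to, and a client certificate for mutual TLS. The output directory, CA name, client CN, key type and validity periods are assumptions made here; copy the results to /etc/redis/ssl/ afterwards and restrict the key files to the redis user.

```shell
#!/bin/sh
# Added example, not part of the Redis guide: generate a private CA, a server
# certificate for redis.example.com and a client certificate for mutual TLS.
# Assumptions: output directory, CA/client names, key type and lifetimes below.
set -eu

OUT="${REDIS_SSL_OUT:-$(mktemp -d)}"   # assumption: copy results to /etc/redis/ssl/ afterwards
SERVER_NAME="redis.example.com"        # must equal the host name clients connect to
CLIENT_NAME="app-client"               # assumption: CN of the client certificate
CURVE="prime256v1"                     # P-256 keys pair with the ECDHE-ECDSA suites in the guide

gen_certs() {
  mkdir -p "$OUT"
  umask 077   # every private key written below is created 0600

  # Minimal OpenSSL config so the CA gets CA:TRUE without relying on the system openssl.cnf
  cat > "$OUT/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Private CA: only ca.crt goes into tls-ca-cert-file; ca.key stays off the Redis host
  openssl ecparam -name "$CURVE" -genkey -noout -out "$OUT/ca.key"
  openssl req -x509 -new -config "$OUT/ca.cnf" -key "$OUT/ca.key" -sha256 -days 1825 \
    -subj "/CN=Redis Example CA" -out "$OUT/ca.crt"

  # Server certificate: clients verify the SAN, so it must carry the host name
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SERVER_NAME" > "$OUT/server.ext"
  openssl ecparam -name "$CURVE" -genkey -noout -out "$OUT/redis.key"
  openssl req -new -config "$OUT/ca.cnf" -key "$OUT/redis.key" -subj "/CN=$SERVER_NAME" -out "$OUT/redis.csr"
  openssl x509 -req -in "$OUT/redis.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$OUT/server.ext" -out "$OUT/redis.crt" 2>/dev/null

  # Client certificate for tls-auth-clients yes: clientAuth only, so it cannot pose as the server
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$OUT/client.ext"
  openssl ecparam -name "$CURVE" -genkey -noout -out "$OUT/client.key"
  openssl req -new -config "$OUT/ca.cnf" -key "$OUT/client.key" -subj "/CN=$CLIENT_NAME" -out "$OUT/client.csr"
  openssl x509 -req -in "$OUT/client.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$OUT/client.ext" -out "$OUT/client.crt" 2>/dev/null

  rm -f "$OUT"/*.csr "$OUT"/*.ext "$OUT"/ca.cnf
}

# Exit 0 only if both leaf certificates chain to ca.crt, which is the check Redis
# (tls-auth-clients) and redis-cli (--cacert) perform during the handshake.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/redis.crt" "$OUT/client.crt" >/dev/null
}

# Print the subjectAltName of a certificate, e.g. "DNS:redis.example.com".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | awk 'NR == 2 { sub(/^[ \t]+/, ""); print }'
}

# Print the extendedKeyUsage of a certificate, e.g. "TLS Web Client Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | awk 'NR == 2 { sub(/^[ \t]+/, ""); print }'
}

gen_certs
verify_chain
echo "chain ok; server SAN: $(cert_san "$OUT/redis.crt"); client EKU: $(cert_eku "$OUT/client.crt")"
ls -l "$OUT"
```

Point tls-cert-file/tls-key-file at redis.crt/redis.key, tls-ca-cert-file at ca.crt, and give clients client.crt/client.key plus ca.crt. The SAN, not the CN, is what redis-cli and client libraries match against the host name, and the separate serverAuth/clientAuth extended key usages stop a leaked client certificate from being reused to impersonate the server.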
Protocol Versions
Restrict to TLS 1.2 and TLS 1.3:
tls-protocols "TLSv1.2 TLSv1.3"
Cipher Suites
Configure strong cipher suites for TLS 1.2 and TLS 1.3:
tls-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- tls-ciphers sets TLS 1.2 cipher suites.
- tls-ciphersuites sets TLS 1.3 cipher suites.
Additional Settings
tls-prefer-server-ciphers yes
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300
Note: tls-session-caching, tls-session-cache-size and tls-session-cache-timeout are documented from Redis 6.2. A 6.0 build that does not recognise them (such as the 6.0.x packages in Debian 11 and Ubuntu 22.04) refuses to start with a bad-directive error, so omit the three lines there and let the defaults apply.
Client Certificate Authentication
To require clients to present a valid certificate (mutual TLS):
tls-auth-clients yes
Set it to optional to validate a client certificate when one is presented but still admit clients without one, or to no to skip client certificate verification entirely:
tls-auth-clients optional
A client certificate only proves that the client holds a key signed by your CA; Redis does not map it to a user, so requirepass or ACLs are still required for authentication and authorization.
Replication TLS
If you use Redis replication, enable TLS for replica-to-primary connections:
tls-replication yes
With this set, the replica connects to the primary as a TLS client: replicaof must name the primary's tls-port, the replica needs its own tls-cert-file and tls-key-file (the primary validates them when it runs with tls-auth-clients yes), and the replica's tls-ca-cert-file must trust the primary's certificate. Without it, the replica attempts a plaintext connection to whatever port replicaof names, which fails against a TLS-only primary, so set it on every replica.
Cluster TLS
For Redis Cluster, enable TLS for the cluster bus:
tls-cluster yes
The setting must be identical on every node, since a TLS bus cannot talk to a plaintext one. The bus port is then derived from tls-port (tls-port + 10000, or cluster-port where you set it on Redis 7.0+), so that is the port to open between nodes.
Complete Server Configuration
# TLS port (disable plaintext)
tls-port 6379
port 0
# Certificate files
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
# Protocol versions
tls-protocols "TLSv1.2 TLSv1.3"
# TLS 1.2 cipher suites
tls-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Session settings
tls-prefer-server-ciphers yes
# The three tls-session-* directives are Redis 6.2+ only; omit them on a 6.0
# build that rejects them. Keep comments on their own lines: Redis treats
# anything after a directive's arguments as further arguments and fails to start.
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300
# Client certificate authentication (set to yes to require mutual TLS)
tls-auth-clients optional
# Replication and cluster TLS
tls-replication yes
tls-cluster yes
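The following audit is an added example, not code from this guide or from Redis. It runs five checks over a redis.conf and exercises them on two constructed sample files: a weak configuration (plaintext port still open, TLS 1.0/1.1 allowed, client certificates disabled, and a trailing comment that Redis parses as extra arguments) and the corrected form of the same settings. The directive names are Redis's own; the check logic and the sample files are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the guide or of Redis: audit a redis.conf for the
# TLS mistakes discussed above. The checks and the two sample configurations
# are constructed here; the directive names are Redis's own.
set -eu

# Print one finding per line for the config file given as $1.
audit_redis_tls_conf() {
  # Drop full-line comments and blank lines; everything left is a directive.
  directives=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)

  # 1. Plaintext listener still open (port must be 0 once TLS is in place)
  printf '%s\n' "$directives" | awk '$1 == "port" && $2 != "0" {
      print "plaintext listener enabled: port " $2 " (set port 0)" }'

  # 2. No TLS listener at all
  printf '%s\n' "$directives" | grep -Eq '^[[:space:]]*tls-port[[:space:]]+[1-9]' \
    || echo "tls-port not set: the server will not accept TLS connections"

  # 3. Legacy protocol versions in tls-protocols (quotes stripped before comparing)
  printf '%s\n' "$directives" | awk '$1 == "tls-protocols" {
      for (i = 2; i <= NF; i++) { v = $i; gsub(/"/, "", v)
        if (v == "TLSv1" || v == "TLSv1.1") print "legacy protocol allowed: " v } }'

  # 4. Trailing comment on a directive line: Redis reads "#" and the words after
  #    it as extra arguments and refuses to start
  printf '%s\n' "$directives" | awk '/[ \t]#/ {
      print "inline comment rejected by Redis: " $0 }'

  # 5. Client certificate verification explicitly switched off
  printf '%s\n' "$directives" | awk '$1 == "tls-auth-clients" && $2 == "no" {
      print "client certificate verification disabled (tls-auth-clients no)" }'
}

# Number of findings for the config file given as $1 (0 when clean).
count_findings() {
  audit_redis_tls_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: looks encrypted, but keeps the plaintext port, allows
# TLS 1.0/1.1, turns client certs off and carries a comment Redis cannot parse.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
# weak sample configuration (constructed)
port 6379
tls-port 6380
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-protocols "TLSv1 TLSv1.1 TLSv1.2"
tls-auth-clients no
tls-session-caching yes # Redis 6.2+ only
EOF

# Constructed sample: the corrected form of the same settings.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
# hardened sample configuration (constructed)
port 0
tls-port 6379
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-protocols "TLSv1.2 TLSv1.3"
tls-auth-clients yes
# Redis 6.2+ only
tls-session-caching yes
EOF
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

echo "weak config: $(count_findings "$WEAK") finding(s)"
audit_redis_tls_conf "$WEAK"
echo "hardened config: $(count_findings "$HARDENED") finding(s)"
```

Run it against your own file with audit_redis_tls_conf /etc/redis/redis.conf before restarting Redis; the inline-comment check in particular catches a mistake that otherwise only shows up as a failed restart.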
Client Connections
redis-cli
Connect with TLS using redis-cli:
redis-cli --tls --cert /etc/redis/ssl/client.crt --key /etc/redis/ssl/client.key --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379
Without client certificates (if tls-auth-clients is not yes):
redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379
Connection URLs
Most Redis client libraries support TLS connection URLs:
rediss://redis.example.com:6379
Note the rediss:// scheme (with double s) which indicates TLS. The standard redis:// scheme connects without encryption.
Verification
Restart Redis and verify TLS is active:
systemctl restart redis # Debian/Ubuntu: systemctl restart redis-server
Test the handshake and the certificate chain with openssl; the output must end with "Verify return code: 0 (ok)". Add -cert and -key when tls-auth-clients is yes, otherwise the server rejects the connection:
openssl s_client -connect redis.example.com:6379 -servername redis.example.com -CAfile /etc/redis/ssl/ca.crt </dev/null
Verify from redis-cli that the TLS listener answers and that the plaintext listener is gone:
redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379 PING
redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379 CONFIG GET port
redis-cli -h redis.example.com -p 6379 PING
The first command returns PONG, the second shows port 0, and the third (plaintext to the TLS port) must fail rather than answer PONG.