Last updated: 2026-06-25

Redis TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Redis to encrypt connections between clients and the server. Redis 6.0 introduced native TLS support, eliminating the need for external tools like stunnel.

Prerequisites

  • Redis 7.x or later (compiled with TLS support)
  • OpenSSL 1.1.1 or later
  • SSL certificates (server certificate, private key, and CA certificate)

Redis must be compiled with TLS support. Check with:

redis-server --tls-port 6379 --tls-cert-file /dev/null --tls-key-file /dev/null 2>&1 | head -1

If you see an error about TLS not being available, you need to rebuild Redis with BUILD_TLS=yes:

make BUILD_TLS=yes

Most package managers provide TLS-enabled builds by default, but RHEL AppStream Redis packages are not compiled with TLS support. On RHEL, install Redis from the official redis.io repository or the Remi repository to get a TLS-enabled build.

Server Configuration

Add the following settings to your Redis configuration file (/etc/redis/redis.conf).

Enable TLS and Disable Plaintext

To accept only TLS connections, set the TLS port and disable the plaintext port:

tls-port 6379
port 0

Setting port 0 disables the unencrypted listener entirely. If you need to support both during a migration, you can run both temporarily:

tls-port 6380
port 6379

Certificate Files

tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt

Protocol Versions

Restrict to TLS 1.2 and TLS 1.3:

tls-protocols "TLSv1.2 TLSv1.3"

Cipher Suites

Configure strong cipher suites for TLS 1.2 and TLS 1.3:

tls-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

  • tls-ciphers sets the TLS 1.2 cipher suites.
  • tls-ciphersuites sets the TLS 1.3 cipher suites.

Additional Settings

tls-prefer-server-ciphers yes
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300

Note: The tls-session-caching, tls-session-cache-size, and tls-session-cache-timeout directives require Redis 6.2+. Omit them on older installations.

Client Certificate Authentication

To require clients to present a valid certificate (mutual TLS):

tls-auth-clients yes

Set to optional to allow but not require client certificates, or no to disable client cert verification:

tls-auth-clients optional

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Replication TLS

If you use Redis replication, enable TLS for replica-to-primary connections:

tls-replication yes

This ensures data replicated between Redis instances is encrypted.

Cluster TLS

For Redis Cluster, enable TLS for the cluster bus:

tls-cluster yes

Complete Server Configuration

# TLS port (disable plaintext)
tls-port 6379
port 0

# Certificate files
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt

# Protocol versions
tls-protocols "TLSv1.2 TLSv1.3"

# TLS 1.2 cipher suites
tls-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Session settings
tls-prefer-server-ciphers yes
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300

# Client certificate authentication
tls-auth-clients optional

# Replication and cluster TLS
tls-replication yes
tls-cluster yes
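An added example (not part of the Redis project or this guide's own tooling): a small audit script that parses a redis.conf and reports every departure from the policy described above (plaintext port disabled, TLS 1.2/1.3 only, ECDHE + AEAD cipher suites only, replication and cluster TLS on, mutual TLS enforced). The sample configuration embedded in it is constructed for illustration.

```python
import re

# TLS 1.2 suites acceptable under this guide's policy: ECDHE key exchange with an
# AEAD bulk cipher (AES-GCM or CHACHA20-POLY1305); CBC, 3DES, static RSA, DHE fail.
AEAD_ECDHE = re.compile(r"^ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")
TLS13_OK = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"}

def parse_conf(text):
    """Map directive -> value for non-comment lines; a later duplicate wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip().strip('"')
    return conf

def audit(conf):
    """Return policy violations as strings; an empty list means compliant."""
    findings = []
    if conf.get("port", "6379") != "0":  # Redis listens on 6379 unless told otherwise
        findings.append("plaintext listener enabled: set 'port 0'")
    protos = set(conf.get("tls-protocols", "").split())
    if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
        findings.append("tls-protocols must be exactly 'TLSv1.2 TLSv1.3'")
    for suite in filter(None, conf.get("tls-ciphers", "").split(":")):
        if not AEAD_ECDHE.match(suite):
            findings.append(f"non-ECDHE or non-AEAD TLS 1.2 suite: {suite}")
    for suite in filter(None, conf.get("tls-ciphersuites", "").split(":")):
        if suite not in TLS13_OK:
            findings.append(f"unexpected TLS 1.3 suite: {suite}")
    for key in ("tls-replication", "tls-cluster"):  # both default to 'no' in Redis
        if conf.get(key, "no") != "yes":
            findings.append(f"{key} is not 'yes'")
    if conf.get("tls-auth-clients", "yes") != "yes":  # Redis default is 'yes'
        findings.append("tls-auth-clients is not 'yes': mutual TLS not enforced")
    return findings

# Constructed sample: a migration-era config that still violates the policy.
WEAK_CONF = """
tls-port 6380
port 6379
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-protocols "TLSv1.1 TLSv1.2 TLSv1.3"
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA
tls-ciphersuites TLS_AES_256_GCM_SHA384
tls-auth-clients optional
"""
```

Run `audit(parse_conf(open("/etc/redis/redis.conf").read()))` against a live config; the sample above yields seven findings, while the complete configuration from this guide passes once tls-auth-clients is set to yes.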

Client Connections

redis-cli

Connect with TLS using redis-cli:

redis-cli --tls --cert /etc/redis/ssl/client.crt --key /etc/redis/ssl/client.key --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379

Without client certificates (only possible when tls-auth-clients is optional or no):

redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com -p 6379

Connection URLs

Most Redis client libraries support TLS connection URLs:

rediss://redis.example.com:6379

Note the rediss:// scheme (with a double s), which indicates TLS. The standard redis:// scheme connects without encryption.

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS vulnerabilities. Redis TLS support was introduced in Redis 6.0 (April 2020), and the OpenSSL version bundled with your distribution governs the available fixes:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 is excluded; tls-protocols TLSv1.2 TLSv1.3 disables older versions. Fixed in OpenSSL 1.0.1j / 1.0.2 (October 2014).
  • BEAST (CVE-2011-3389, 2011): Mitigated by requiring TLS 1.2 as the minimum; AEAD-only ciphers eliminate the CBC padding oracle.
  • CRIME (CVE-2012-4929, 2012): TLS compression is off by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (2013): AEAD-only cipher list eliminates CBC padding timing side-channels entirely.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers are excluded from the cipher string. Removed from OpenSSL 1.1.0 (August 2016).
  • LOGJAM (CVE-2015-4000, 2015): Short-key DHE is excluded; only ECDHE key exchange is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES is excluded from the cipher string.
  • ROBOT (2017): Static RSA key exchange is excluded; only ECDHE is recommended.
  • Downgrade attacks: TLS_FALLBACK_SCSV prevents protocol version rollback.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): A memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f. Fixed in OpenSSL 1.0.1g (April 7, 2014). Redis 6.0 was released after this fix; standard distro packages are not affected. Addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the Redis protocol does not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): Requires SSLv2 to be enabled on any server sharing the same private key. Ensure SSLv2 is disabled on all services that use the same certificate and key pair.

Verification

Restart Redis and verify TLS is active:

systemctl restart redis        # Debian/Ubuntu: systemctl restart redis-server

Test the TLS connection:

openssl s_client -connect redis.example.com:6379

Verify from redis-cli:

redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com INFO server | grep tcp_port
redis-cli --tls --cacert /etc/redis/ssl/ca.crt -h redis.example.com INFO server | grep ssl
