tls-connection

command module

v0.0.0-...-5a3f74c Latest Latest Go to latest Published: May 7, 2026 License: BSD-2-Clause Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/redis/go-redis

Links

Open Source Insights

README ¶

TLS Connection Examples

Shows different ways to connect to Redis over TLS.

Running

Start Redis with TLS:

cd ../..
docker compose --profile standalone up -d

Then run the example:

go run .

Connection Methods

1. InsecureSkipVerify (for testing)

Quick way to test with self-signed certs:

client := redis.NewClient(&redis.Options{
    Addr: "localhost:6666",
    TLSConfig: &tls.Config{
        InsecureSkipVerify: true,
    },
})

Don't use this in production.

2. With CA certificate

Proper way for production:

caCert, _ := os.ReadFile("path/to/ca.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

client := redis.NewClient(&redis.Options{
    Addr: "localhost:6666",
    TLSConfig: &tls.Config{
        RootCAs:    caCertPool,
        ServerName: "localhost",
    },
})

3. Mutual TLS

If Redis requires client certs:

caCert, _ := os.ReadFile("path/to/ca.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

cert, _ := tls.LoadX509KeyPair("path/to/client.crt", "path/to/client.key")

client := redis.NewClient(&redis.Options{
    Addr: "localhost:6666",
    TLSConfig: &tls.Config{
        RootCAs:      caCertPool,
        Certificates: []tls.Certificate{cert},
        ServerName:   "localhost",
    },
})

4. Using rediss:// URL

opt, _ := redis.ParseURL("rediss://localhost:6666")
opt.TLSConfig = &tls.Config{
    InsecureSkipVerify: true, // for testing only
}
client := redis.NewClient(opt)

5. Certificate-based auth

Redis 6.2+ can authenticate users based on the certificate CN field. You need to configure Redis with:

tls-auth-clients optional
tls-auth-clients-user CN

Then the CN in your client cert becomes your username - no password needed.

Check ../../tls_cert_auth_test.go for a working example that:

Generates a client cert with a specific CN
Connects to Redis with that cert
Verifies auth based on the CN

Note: Current Redis test build doesn't support this yet, so the test skips gracefully.

Tests

Run the TLS tests:

go test -v -run "^TestTLS" -timeout 30s

Notes

Always verify certs in production (don't use InsecureSkipVerify)
Keep your private keys safe
Use TLS 1.2 or higher

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL