Overview
- Implemented using tokio-rustls and rustls-pemfile.
- Supports TLS 1.3 with TLS 1.2 fallback; no OpenSSL dependency.
- Uses a unified stream type that wraps either plain TCP or a TLS stream.
- When TLS is disabled the wrapper passes straight through to plain TCP, so the overhead compared with an unencrypted connection is essentially zero.
Configuration
In redistill.toml:
[security]
tls_enabled = true
tls_cert_path = "path/to/server-cert.pem"
tls_key_path = "path/to/server-key.pem"
password = "your-secure-password"
Start Redistill as usual; it loads the certificate and key at startup and accepts TLS connections on its listening port.
Development workflow
For local development you can use self-signed certificates and connect with redis-cli:
# Generate test certs (see upstream tests/scripts)
./tests/scripts/generate_test_certs.sh
# Example config
[security]
tls_enabled = true
tls_cert_path = "tests/certs/server-cert.pem"
tls_key_path = "tests/certs/server-key.pem"
Then connect with redis-cli, passing --insecure because the self-signed test certificate is not trusted by the client (this skips server certificate verification, so it is only appropriate for local development):
redis-cli --tls --insecure -h 127.0.0.1 -p 6379 PING
Production workflow
Using Let's Encrypt certificates on a public domain:
certbot certonly --standalone -d your-domain.com
Configure Redistill:
[security]
tls_enabled = true
tls_cert_path = "/etc/letsencrypt/live/your-domain.com/fullchain.pem"
tls_key_path = "/etc/letsencrypt/live/your-domain.com/privkey.pem"
password = "your-secure-password"
Clients connect with TLS enabled:
redis-cli --tls -h your-domain.com -p 6379 PING
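Before starting the server with a production config such as the one above, it is worth checking that the `[security]` section actually points at usable material. The script below is an added example, not part of Redistill; it assumes the four keys shown on this page (`tls_enabled`, `tls_cert_path`, `tls_key_path`, `password`), a POSIX shell with `awk`, `grep` and `stat`, and it verifies that the certificate and key files exist with PEM markers, that the private key is not group- or world-readable, and that the password is set and not the documentation placeholder. The `demo` function builds a constructed config and two constructed placeholder PEM files in a temporary directory to exercise the check.

```shell
#!/bin/sh
# Pre-flight check for a Redistill [security] section.
# Added example, not project code; assumes the keys documented above.

# Print the value of a key from the [security] section of a TOML file.
# Handles only the simple `key = value` / `key = "value"` form used here.
toml_security_value() {
    # $1 = config file, $2 = key name
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[security\][[:space:]]*$/); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "key = "
            sub(/[[:space:]]+$/, "")          # trailing whitespace
            sub(/^"/, ""); sub(/"$/, "")      # surrounding quotes
            print; exit
        }' "$1"
}

# Validate the TLS settings; returns 0 if every check passes, 1 otherwise.
check_tls_config() {
    cfg="$1"; status=0
    enabled=$(toml_security_value "$cfg" tls_enabled)
    if [ "$enabled" != "true" ]; then
        echo "tls_enabled is not true: the listener will be plaintext"
        return 0
    fi
    cert=$(toml_security_value "$cfg" tls_cert_path)
    key=$(toml_security_value "$cfg" tls_key_path)
    pw=$(toml_security_value "$cfg" password)

    # 1. Both files must be readable and carry PEM markers.
    if [ ! -r "$cert" ] || ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "tls_cert_path '$cert' is missing or not a PEM certificate"; status=1
    fi
    if [ ! -r "$key" ] || ! grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$key"; then
        echo "tls_key_path '$key' is missing or not a PEM private key"; status=1
    fi

    # 2. The private key must not be readable by group or others.
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null || echo unknown)
        case "$mode" in
            unknown|*00) ;;
            *) echo "tls_key_path '$key' has mode $mode; expected 600 or 400"; status=1 ;;
        esac
    fi

    # 3. A password must be set and must not be the placeholder from the docs.
    case "$pw" in
        ""|"your-secure-password") echo "password is unset or still the placeholder"; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "TLS config OK: $cfg"
    return "$status"
}

# Constructed demo: a temporary config plus placeholder PEM files (not real keys).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$dir/server-cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE-constructed-placeholder' \
        '-----END PRIVATE KEY-----' > "$dir/server-key.pem"
    chmod 600 "$dir/server-key.pem"
    cat > "$dir/redistill.toml" <<EOF
[security]
tls_enabled = true
tls_cert_path = "$dir/server-cert.pem"
tls_key_path = "$dir/server-key.pem"
password = "correct-horse-battery"
EOF
    check_tls_config "$dir/redistill.toml"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

Run it as `sh check_tls.sh` before each deployment, or point `check_tls_config` at `/etc/redistill/redistill.toml`; a non-zero exit plus the printed reason is what a service manager or CI step should gate on. The PEM-marker test only confirms the files are in the expected format, not that the key matches the certificate or that the chain is valid; that is still worth confirming with your TLS tooling, and the certbot paths above are symlinks that must remain readable by the Redistill service account.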
Future enhancements
Planned improvements to the TLS subsystem include:
- Mutual TLS (mTLS) – client certificate authentication.
- Certificate reloading – hot reload without restarting the server.
- Cipher suite control – configurable cipher and protocol selection.
- TLS-aware metrics – exposing TLS version, cipher and error counters.
- ACME integration – built-in Let's Encrypt support.