Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis

There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This TLS security blog explains some of these vulnerabilities in more detail.

As a part of this effort, we'll be making the following changes to Azure Cache for Redis:

  • Phase 1: We'll configure the default minimum TLS version to be 1.2 for newly created cache instances (previously TLS 1.0). Existing cache instances won't be updated at this point. You'll be allowed to change the minimum TLS version back to 1.0 or 1.1 for backward compatibility, if needed. This change can be done through the Azure portal or other management APIs.
  • Phase 2: We'll stop supporting TLS versions 1.0 and 1.1. After this change, your application will be required to use TLS 1.2 or later to communicate with your cache.

Additionally, as a part of this change, we'll be removing support for older, insecure cipher suites. Our supported cipher suites will be restricted to the following when the cache is configured with a minimum TLS version of 1.2:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.

The dates when these changes take effect are:

Cloud                   Phase 1 Start Date   Phase 2 Start Date
Azure (global)          January 13, 2020     Postponed due to COVID-19
Azure Government        March 13, 2020       Postponed due to COVID-19
Azure Germany           March 13, 2020       Postponed due to COVID-19
Azure China 21Vianet    March 13, 2020       Postponed due to COVID-19

NOTE: New date for Phase 2 not yet determined

Check whether your application is already compliant

The easiest way to find out whether your application will work with TLS 1.2 is to set the Minimum TLS version value to TLS 1.2 on a test or staging cache, then run tests. The Minimum TLS version setting is in the Advanced settings of your cache instance in the Azure portal. If the application continues to function as expected after this change, it's probably compliant. You might need to configure the Redis client library used by your application to enable TLS 1.2 in order to connect to Azure Cache for Redis.

Configure your application to use TLS 1.2

Most applications use Redis client libraries to handle communication with their caches. Here are instructions for configuring some of the popular client libraries, in various programming languages and frameworks, to use TLS 1.2.

.NET Framework

Redis .NET clients use the earliest TLS version by default on .NET Framework 4.5.2 or earlier, and use the latest TLS version on .NET Framework 4.6 or later. If you're using an older version of .NET Framework, you can enable TLS 1.2 manually:

  • StackExchange.Redis: Set ssl=true and sslprotocols=tls12 in the connection string.
  • ServiceStack.Redis: Follow the ServiceStack.Redis instructions; ServiceStack.Redis v5.6 or later is required.

.NET Core

Redis .NET Core clients default to the TLS version configured by the operating system, so the version actually negotiated depends on the OS itself.

Depending on the OS version and any patches that have been applied, the effective default TLS version can vary. There is a source of information about this for each OS; for Windows, see the corresponding article.

However, if you are using an old OS, or simply want to be sure, we recommend configuring the preferred TLS version manually through the client.

Java

Redis Java clients use TLS 1.0 on Java version 6 or earlier. Jedis, Lettuce, and Redisson can't connect to Azure Cache for Redis if TLS 1.0 is disabled on the cache. Upgrade your Java framework to use new TLS versions.

For Java 7, Redis clients don't use TLS 1.2 by default but can be configured for it. Jedis allows you to specify the underlying TLS settings with the following code snippet:

import java.net.URI;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocketFactory;
import redis.clients.jedis.Jedis;
import redis.clients.jedis.JedisShardInfo;

// Use the platform's default socket factory, but pin the protocol list to TLS 1.2
// and require hostname verification against the server certificate.
SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLParameters sslParameters = new SSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
sslParameters.setProtocols(new String[]{"TLSv1.2"});

// rediss:// selects the TLS endpoint; replace host and port with the cache's values.
URI uri = URI.create("rediss://host:port");
JedisShardInfo shardInfo = new JedisShardInfo(uri, sslSocketFactory, sslParameters, null);

shardInfo.setPassword("cachePassword");

Jedis jedis = new Jedis(shardInfo);

The Lettuce and Redisson clients don't yet support specifying the TLS version, so they'll break if the cache accepts only TLS 1.2 connections. Fixes for these clients are being reviewed, so check with those packages for an updated version with this support.

In Java 8, TLS 1.2 is used by default and shouldn't require updates to your client configuration in most cases. To be safe, test your application.

Node.js

Node Redis and IORedis use TLS 1.2 by default.

PHP

Predis

  • Versions earlier than PHP 7: Predis supports only TLS 1.0. These versions don't work with TLS 1.2; you must upgrade to use TLS 1.2.

  • PHP 7.0 to PHP 7.2.1: Predis uses only TLS 1.0 or 1.1 by default. You can use the following workaround to use TLS 1.2. Specify TLS 1.2 when you create the client instance:

    $redis = new Predis\Client([
        'scheme'   => 'tls',
        'host'     => 'host',
        'port'     => 6380,
        'password' => 'password',
        'ssl'      => [
            // Force TLS 1.2 on the underlying PHP stream instead of the default 1.0/1.1.
            'crypto_type' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        ],
    ]);
    
  • PHP 7.3 and later versions: Predis uses the latest TLS version.

PhpRedis

PhpRedis doesn't support TLS on any PHP version.

Python

Redis-py uses TLS 1.2 by default.
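Relying on a library default is exactly what the compliance check above warns against, so here is an added example (not code from this article or from any Redis client project) that pins a Python client to the cache's post-change policy: a floor of TLS 1.2 and only the two cipher suites listed earlier. It uses the standard library's ssl module and assumes your client library accepts an SSLContext or equivalent settings. The helper names (to_openssl_name, build_client_context, offered_tls12_ciphers, is_compliant, audit) are this example's own, and the mapping from the portal's SChannel-style suite names (with the trailing curve suffix) to OpenSSL cipher-list names is deliberately limited to the ECDHE-RSA/AES-CBC/SHA-2 family the page lists, so a typo fails loudly rather than widening the policy.

```python
"""Pin a Python TLS client to the Azure Cache for Redis minimum-TLS-1.2 policy
and verify, offline, what it would actually offer in its ClientHello."""
import ssl

# Cipher suites the article lists for a cache configured with minimum TLS 1.2.
# SChannel-style names: the IANA suite name plus the ECDHE curve as a suffix.
ALLOWED_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
)


def to_openssl_name(suite: str) -> str:
    """TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 -> ECDHE-RSA-AES256-SHA384.
    Only the ECDHE-RSA / AES-CBC / SHA-2 family on this page is accepted;
    anything else raises ValueError instead of silently passing through."""
    name = suite
    for curve in ("_P256", "_P384", "_P521"):   # curve is negotiated separately in OpenSSL
        if name.endswith(curve):
            name = name[: -len(curve)]
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx_auth, cipher = name[4:].split("_WITH_", 1)   # "ECDHE_RSA", "AES_256_CBC_SHA384"
    parts = cipher.split("_")                       # ["AES", "256", "CBC", "SHA384"]
    if kx_auth != "ECDHE_RSA" or len(parts) != 4 or parts[0] != "AES" or parts[2] != "CBC":
        raise ValueError(f"suite outside the supported family: {suite}")
    alg, bits, _mode, mac = parts
    return f"{kx_auth.replace('_', '-')}-{alg}{bits}-{mac}"


def build_client_context(suites=ALLOWED_SUITES) -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and, for TLS 1.2, offers only the
    given suites. TLS 1.3 suites are configured separately by OpenSSL and stay
    enabled: the cache setting is a minimum version, not an exact pin."""
    ctx = ssl.create_default_context()            # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(to_openssl_name(s) for s in suites))
    return ctx


def offered_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """Pre-TLS-1.3 suites the context would offer, read back from OpenSSL rather
    than trusted from the configuration string."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_compliant(ctx: ssl.SSLContext, suites=ALLOWED_SUITES) -> bool:
    """Offline check to run in a unit test before flipping a staging cache:
    can this context only ever negotiate TLS 1.2+ with an allowed suite?"""
    legacy = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
              ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    allowed = {to_openssl_name(s) for s in suites}
    return ctx.minimum_version not in legacy and set(offered_tls12_ciphers(ctx)) <= allowed


def audit() -> dict:
    """Compare the pinned context with an unpinned default one."""
    return {
        "pinned": is_compliant(build_client_context()),
        "default": is_compliant(ssl.create_default_context()),
    }


if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("TLS 1.2 suites offered:", offered_tls12_ciphers(ctx))
    print("audit:", audit())
```

The default context fails the audit not because of its version floor but because it offers far more than the two permitted suites; a client that only sets the version and ignores the cipher list can still be turned away once the cache applies the restricted suite set.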

Go

Redigo uses TLS 1.2 by default.

Additional information