
Memcached client with TLS support?


I use Memcached in AWS ElastiCache and enabled encryption-in-transit as a security requirement.

However, on the client side, when trying to connect to the new cache cluster with encryption-in-transit enabled, the connection failed right away with the error below.

Error: read ECONNRESET

I use the client memcached-elasticache, which essentially wraps the memcached client for cluster node auto-discovery. This client is not easy to work with, but it is so far the best I have found in the open source world.

However, quoting from the README, this client does not yet support TLS (Transport Layer Security), which is required after enabling encryption-in-transit in the server cluster.

As in other databases and message queues, this module uses the ASCII protocol to communicate with the server, which means that you can see what is sent over the wire. For debugging this is easier for both the users and the developers; however, this also means that SASL auth is not supported because it demands the binary protocol.

I believe this is the reason why I got a connection reset right away: the network protocol does not match. There is an open issue in this open source package where people are enquiring about TLS support.

Is there any existing Memcached JS/TS client that has full TLS support?


Solution

  • We recently contributed TLS support into the electrode-io memcache client. In addition to Node.js, it also has TypeScript support. It is available on NPM.

    If the memcached server is configured with TLS, you can make the client connect to it by specifying the tls ConnectionOptions. For production environments, the server should be using a TLS certificate that is signed by a trusted public CA. In this case you can simply do the following to create the client:

    const memcache = require("memcache-client");
    // An empty tls object enables TLS with Node's defaults: the chain is verified
    // against the system CA store and the hostname is checked against the certificate.
    // {server_hostname} is a placeholder for your cluster endpoint.
    const client = new memcache.MemcacheClient({server: "{server_hostname}:11211", tls: {}});
    client.set("key", "value");

    If the server requires client certificate authentication, you can do the following:

    const memcache = require("memcache-client");
    const fs = require("fs");
    // Mutual TLS: the client presents its own key pair; the server still gets verified as above.
    const client = new memcache.MemcacheClient({server: "{server_hostname}:11211", tls: {
      key: fs.readFileSync("client-key.pem"),
      cert: fs.readFileSync("client-cert.pem"),
    }});
    client.set("key", "value");

    If you are running the server with a self-signed certificate (e.g. for local development), you can create the client by specifying the CA certificate and disabling hostname verification as follows:

    const memcache = require("memcache-client");
    const fs = require("fs");
    const client = new memcache.MemcacheClient({server: "localhost:11211", tls: {
      // Trust the local self-signed CA instead of the system store.
      ca: fs.readFileSync("ca-cert.pem"),
      // Returning undefined skips the hostname check only; the chain is still verified against ca.
      checkServerIdentity: () => {return undefined;}
    }});
    client.set("key", "value");

    In addition, we contributed TLS support into memcached-plus. It is available on NPM. You can make the client connect to a TLS-enabled memcached server by specifying the tls ConnectionOptions similar to the examples above, e.g.:

    // Client is the memcached-plus client class; {server_hostname} is a placeholder.
    const client = new Client({hosts: ['{server_hostname}:11211'], tls: {}});
    await client.set('key', 'value');