SSL Connections

lettuce supports SSL connections since version 3.1 on Redis Standalone connections and since version 4.2 on Redis Cluster. Redis has no native SSL support; SSL is usually implemented by using stunnel.

An example stunnel configuration can look like:

Example 1. stunnel.conf
foreground = no

accept =
connect =

The next step is connecting lettuce to Redis over SSL.

Connecting to Redis using RedisURI

RedisURI redisUri = RedisURI.Builder.redis("localhost")
        .withSsl(true) // enable SSL for this connection
        .build();

RedisClient client = RedisClient.create(redisUri);

Connecting to Redis using String RedisURI

RedisURI redisUri = RedisURI.create("rediss://authentication@localhost/2");
RedisClient client = RedisClient.create(redisUri);

Connecting to Redis Cluster using RedisURI

RedisURI redisUri = RedisURI.Builder.redis("localhost")
        .withSsl(true) // enable SSL for this connection
        .build();

RedisClusterClient client = RedisClusterClient.create(redisUri);

Connecting to Redis Cluster using String RedisURI

RedisURI redisUri = RedisURI.create("rediss://authentication@localhost");
RedisClusterClient client = RedisClusterClient.create(redisUri);


lettuce supports SSL only on Redis Standalone and Redis Cluster connections. Master resolution using Redis Sentinel or Redis Master/Slave is not supported, since both strategies provide Redis addresses that point to the native port. Redis Sentinel and Redis Master/Slave cannot provide the SSL ports.

Connection Procedure and Reconnect

When connecting using SSL, lettuce performs an SSL handshake before you can use the connection. Plain text connections do not perform a handshake. Errors during the handshake throw RedisConnectionExceptions.

Reconnection behavior also differs from plain text connections. If an SSL handshake fails on reconnect (because peer/certificate verification fails or the peer does not talk SSL), reconnection is disabled for the connection. An error entry is also written to your logs.

Certificate Chains/Root Certificate/Self-Signed Certificates

lettuce uses the Java defaults for the trust store, which is usually cacerts in your jre/lib/security directory, and comes with customizable SSL options via Client options. If you need to add your own root certificate, you can configure SslOptions, import the certificate into cacerts, or provide your own trust store and set the necessary system properties:

Example 2. Configuring SslOptions via Client options
SslOptions sslOptions = SslOptions.builder()
        .truststore(new File("yourtruststore.jks"), "changeit")
        .build();

ClientOptions clientOptions = ClientOptions.builder().sslOptions(sslOptions).build();

Example 3. Configuring a custom trust store via System Properties
System.setProperty("javax.net.ssl.trustStore", "yourtruststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
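The handshake, error handling and trust store configuration described above, combined into one runnable class. This is an added example, not code from the lettuce documentation. It assumes the lettuce 4.3+ package names (com.lambdaworks.redis; 5.x and later use io.lettuce.core), a constructed stunnel port of 6443, and that the JSSE exception is preserved in the cause chain of the RedisConnectionException.

```java
import com.lambdaworks.redis.ClientOptions;
import com.lambdaworks.redis.RedisClient;
import com.lambdaworks.redis.RedisConnectionException;
import com.lambdaworks.redis.RedisURI;
import com.lambdaworks.redis.SslOptions;
import com.lambdaworks.redis.api.StatefulRedisConnection;
import java.io.File;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLException;

public class SslConnectExample {
    public static void main(String[] args) {
        // Assumed values: stunnel accepts on localhost:6443, trust store holds your root CA.
        RedisURI redisUri = RedisURI.Builder.redis("localhost", 6443)
                .withSsl(true)          // SSL handshake runs before the connection is usable
                .withVerifyPeer(true)   // the default, stated explicitly
                .build();
        SslOptions sslOptions = SslOptions.builder()
                .truststore(new File("yourtruststore.jks"), "changeit")
                .build();
        RedisClient client = RedisClient.create(redisUri);
        client.setOptions(ClientOptions.builder().sslOptions(sslOptions).build());

        try {
            StatefulRedisConnection<String, String> connection = client.connect();
            System.out.println("PING over SSL: " + connection.sync().ping());
            connection.close();
        } catch (RedisConnectionException e) {
            // Handshake errors surface here; report the reason instead of retrying blindly.
            System.err.println("SSL connect failed (" + classify(e) + "): " + e.getMessage());
        } finally {
            client.shutdown();
        }
    }

    // Walks the cause chain to tell certificate problems from other SSL or network failures.
    static String classify(Throwable t) {
        String result = "network or other failure";
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CertificateException) {
                return "certificate not trusted or host name mismatch";
            }
            if (c instanceof SSLException) {
                result = "SSL handshake failure";
            }
        }
        return result;
    }
}
```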

Host/Peer Verification

By default, lettuce checks that the certificate is valid and that its common name matches the Redis host you are connecting to (name validation is not supported on Java 1.6; it is available only on Java 1.7 and higher). This behavior can be turned off, in which case the connection is still encrypted but the identity of the peer is no longer checked:

RedisURI redisUri = ...
redisUri.setVerifyPeer(false);

or

RedisURI redisUri = RedisURI.Builder.redis(host(), sslPort())
        .withSsl(true).withVerifyPeer(false).build();


If you need to issue a StartTLS before you can use SSL, set the startTLS property of RedisURI to true. StartTLS is disabled by default.

RedisURI redisUri = ...
redisUri.setStartTls(true);

or

RedisURI redisUri = RedisURI.Builder.redis(host(), sslPort())
        .withSsl(true).withStartTls(true).build();
