Skip to content

Add support for secondary certificates#3717

Open
pkhartsk wants to merge 4 commits into
valkey-io:unstablefrom
pkhartsk:add-dual-certs
Open

Add support for secondary certificates#3717
pkhartsk wants to merge 4 commits into
valkey-io:unstablefrom
pkhartsk:add-dual-certs

Conversation

@pkhartsk

Copy link
Copy Markdown
Contributor

Two new config options, tls-alt-cert-file and tls-alt-key-file, enable using two certificates with different algorithm types at once. E.g. one can be a PQC mldsa certificate and another can be RSA for backwards compatibility with older clients that don't support PQC yet.

Resolves #3403

@coderabbitai

coderabbitai Bot commented May 14, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds optional alternate server TLS certificate/key directives, extends the TLS context struct, loads and validates an alternate certificate/key in the server SSL context (rejecting identical signatures), updates test cert generation, and adds unit tests and config documentation for dual-certificate setups.

Changes

Dual Certificate (PQC and RSA) Support

Layer / File(s) Summary
TLS configuration and server struct
src/config.c, src/server.h
Add tls-alt-cert-file and tls-alt-key-file config directives (VOLATILE
Server init and INFO reporting
src/server.c
Initialize alternate TLS cert expiry/serial at startup and include tls_server_alt_cert_serial and tls_server_alt_cert_expires_in_seconds in INFO tls output.
TLS refresh and clear hooks
src/tls.c
Extend tlsRefreshServerCertInfo and tlsClearAllCertInfo to update/clear alternate server certificate expiry and serial fields.
createSSLContext: alt cert/key handling
src/tls.c
Capture primary cert signature, load and validate alternate certificate chain into the same SSL_CTX, reject configuration when primary and alternate signatures match, optionally load alt_key_file, and free psig_data on both success and error paths; require alt cert/key be provided together.
TLS metadata and reload detection
src/tls.c
Track alternate-certificate fingerprint in tlsMaterialsMetadata, capture it during captureMetadata, and include it in metadataChanged comparisons to trigger reload when alt cert changes.
Test certificate generation script updates
utils/gen-test-certs.sh
Document new TLS test variants and add commands to generate passphrase-protected RSA and PQC ML-DSA test certs/keys; quote key/cert path variables in generate_cert().
Unit tests: dual cert behavior and auto-reload
tests/unit/tls.tcl
Add tests covering basic dual cert operation, mismatched/identical certificate rejection, same-type rejection cases, passphrase-protected key swapping, and extend auto-reload tests to exercise alternate-slot materials and serial reporting; include cleanup.
Configuration examples and comments
valkey.conf
Normalize TLS comment spacing and add commented documentation for tls-alt-cert-file / tls-alt-key-file with usage notes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title "Add support for secondary certificates" clearly and concisely describes the main change: introducing dual-certificate support with tls-alt-cert-file and tls-alt-key-file options.
Description check ✅ Passed The description appropriately explains the feature (dual certificates with different algorithms) and references the resolved issue #3403, clearly relating to the changeset.
Linked Issues check ✅ Passed The PR implementation meets all requirements from #3403: adds tls-alt-cert-file and tls-alt-key-file configuration options, supports dual certificates with different algorithms (PQC ML-DSA and RSA), maintains backward compatibility, and enables clients to fall back to RSA.
Out of Scope Changes check ✅ Passed All changes align with the stated objective: configuration directives, TLS context modifications, certificate loading/validation logic, metadata tracking, test coverage, and documentation updates directly support dual-certificate functionality.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@valkey.conf`:
- Around line 218-228: The new config directives tls-alt-cert-file and
tls-alt-key-file in valkey.conf violate the "no new config options" policy;
either remove these two directives or rework them into a policy-compliant design
by tying them to an explicit CPU/memory trade-off (e.g., a single existing
toggle or heuristic that selects alternate certs based on resource constraints)
and document that behavior in the same file; update any parsing/loader logic
that referenced tls-alt-cert-file / tls-alt-key-file to use the existing option
or the new heuristic-controlled behavior, and add a short comment in valkey.conf
describing why the alternate cert selection is present and which trade-off or
feature-flag controls it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 361d1ac7-0213-4455-ab88-7c49130a7f0b

📥 Commits

Reviewing files that changed from the base of the PR and between fdf13ca and 990685d.

📒 Files selected for processing (6)
  • src/config.c
  • src/server.h
  • src/tls.c
  • tests/unit/tls.tcl
  • utils/gen-test-certs.sh
  • valkey.conf
👮 Files not reviewed due to content moderation or server errors (4)
  • src/config.c
  • utils/gen-test-certs.sh
  • src/tls.c
  • tests/unit/tls.tcl

Comment thread valkey.conf
@yang-z-o yang-z-o added the run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP) label May 22, 2026
Comment thread src/tls.c Outdated
Comment thread src/tls.c Outdated
Comment thread src/server.h Outdated
Comment thread src/server.h Outdated
Comment thread utils/gen-test-certs.sh Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/tls.c`:
- Around line 556-557: The reload metadata and change detection currently only
track cert_file/client_cert_file/ca_cert_file and key_file/client_key_file but
not the alternate TLS materials; update the metadata fingerprinting and stats
logic used by tlsReconfigureIfNeeded() to also include alt_cert_file and
alt_key_file (the same way cert_file and key_file are handled) so that
createSSLContext()’s use of alt_cert_file/alt_key_file is respected during
background reloads, and mirror those same fields in metadataChanged() so changes
to the alternate certificate or key will trigger reconfigure.

In `@tests/unit/tls.tcl`:
- Around line 118-229: Each dual-cert test (e.g., test blocks "TLS: basic dual
certificates support", "TLS: alt cert and key files must be provided together",
"TLS: the same certificate twice not allowed", "TLS: Two certificates of the
same type not allowed", "TLS: Dual certificates with passphrases") should wrap
the configuration changes (calls to r CONFIG SET that set
tls-cert-file/tls-key-file/tls-alt-cert-file/tls-alt-key-file and related
validation calls like valkey_client/exec) in a try/finally (or equivalent) so
the original cert/key values
(orig_server_crt/orig_server_key/orig_server_alt_crt/orig_server_alt_key) are
always restored in the finally block; locate the r CONFIG SET calls and the
existing cleanup r CONFIG SET lines and move the cleanup into the finally to
guarantee restoration even if assertions (assert_equal/assert_match) or catches
fail.
- Around line 124-137: The openssl call uses the leaf cert ($valkey_crt) instead
of the CA cert (use the earlier ca_file) and ignores the catch return code, so
change the exec invocation in the s_client test to pass -CAfile $ca_file (not
$valkey_crt) and capture the catch return value (e.g. catch {exec ...} out rc);
then assert rc is 0 (test succeeded) before asserting the expected output
contains "Peer signature type: rsa_pss_rsae_sha256". Update the exec call and
assertions around the openssl s_client invocation in the TLS test (the block
that builds $valkey_crt/$valkey_pqc_crt and runs exec /usr/bin/openssl s_client)
accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 50fe5814-aa26-4b2f-aa96-9e6fdb43eaca

📥 Commits

Reviewing files that changed from the base of the PR and between 52dec7d and 539c77f.

📒 Files selected for processing (6)
  • src/config.c
  • src/server.h
  • src/tls.c
  • tests/unit/tls.tcl
  • utils/gen-test-certs.sh
  • valkey.conf
✅ Files skipped from review due to trivial changes (1)
  • valkey.conf

Comment thread src/tls.c
Comment thread tests/unit/tls.tcl
Comment thread tests/unit/tls.tcl Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (2)
src/tls.c (1)

827-843: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Track tls-alt-key-file in reload metadata too.

The alternate cert fingerprint is now tracked, but the alternate key still is not. Rotating only tls-alt-key-file at the same path leaves metadataChanged() false, so background reload keeps serving the stale secondary key until a manual reconfigure or restart.

Suggested fix
 typedef struct {
     unsigned char cert_fingerprint[EVP_MAX_MD_SIZE];
     unsigned int cert_fingerprint_len;
     unsigned char alt_cert_fingerprint[EVP_MAX_MD_SIZE];
     unsigned int alt_cert_fingerprint_len;
     unsigned char client_cert_fingerprint[EVP_MAX_MD_SIZE];
     unsigned int client_cert_fingerprint_len;
     unsigned char ca_cert_fingerprint[EVP_MAX_MD_SIZE];
     unsigned int ca_cert_fingerprint_len;
     ino_t ca_cert_dir_inode;
     time_t ca_cert_dir_mtime;
     ino_t key_file_inode;
     time_t key_file_mtime;
+    ino_t alt_key_file_inode;
+    time_t alt_key_file_mtime;
     ino_t client_key_file_inode;
     time_t client_key_file_mtime;
 } tlsMaterialsMetadata;
     if (ctx_config->key_file && stat(ctx_config->key_file, &st) == 0) {
         metadata->key_file_inode = st.st_ino;
         metadata->key_file_mtime = st.st_mtime;
     }
+    if (ctx_config->alt_key_file && stat(ctx_config->alt_key_file, &st) == 0) {
+        metadata->alt_key_file_inode = st.st_ino;
+        metadata->alt_key_file_mtime = st.st_mtime;
+    }
     if (ctx_config->client_key_file && stat(ctx_config->client_key_file, &st) == 0) {
         metadata->client_key_file_inode = st.st_ino;
         metadata->client_key_file_mtime = st.st_mtime;
     }
     if (old->key_file_inode != new->key_file_inode || old->key_file_mtime != new->key_file_mtime) {
         return 1;
     }
+    if (old->alt_key_file_inode != new->alt_key_file_inode || old->alt_key_file_mtime != new->alt_key_file_mtime) {
+        return 1;
+    }
     if (old->client_key_file_inode != new->client_key_file_inode || old->client_key_file_mtime != new->client_key_file_mtime) {
         return 1;
     }

Also applies to: 894-908, 933-942

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tls.c` around lines 827 - 843, The tlsMaterialsMetadata struct is missing
tracking for the alternate key file so rotating tls-alt-key-file doesn't trigger
metadataChanged(); add fields analogous to key_file_inode and key_file_mtime for
the alternate key (e.g., alt_key_file_inode of type ino_t and alt_key_file_mtime
of type time_t) to tlsMaterialsMetadata and update all places that initialize,
copy, and compare metadata (functions/uses around tlsMaterialsMetadata,
metadataChanged(), and related load/compare code that currently handle
alt_cert_fingerprint and key_file_*/client_key_file_*/ca_cert_dir_*) to populate
and check the new alt_key fields so changes to tls-alt-key-file cause
metadataChanged() to return true.
tests/unit/tls.tcl (1)

137-138: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the OpenSSL validation: use CA cert, check exit code, and avoid hard-coded path.

Three issues with the openssl s_client invocation:

  1. Line 137 uses -CAfile $valkey_crt (the server leaf certificate) instead of the CA certificate, which will fail verification.
  2. The catch command does not capture the return code, so the test cannot assert that the connection succeeded.
  3. The hard-coded path /usr/bin/openssl may not exist on all systems.
🔧 Proposed fix
-            catch {exec /usr/bin/openssl s_client -connect localhost:$port -CAfile $valkey_crt -sigalgs "rsa_pss_pss_sha256:rsa_pss_rsae_sha256" < /dev/null} out
-            assert_match {*Peer signature type: rsa_pss_rsae_sha256*} $out
+            set rc [catch {
+                exec openssl s_client -connect localhost:$port -CAfile $ca_file \
+                    -sigalgs "rsa_pss_pss_sha256:rsa_pss_rsae_sha256" < /dev/null
+            } out]
+            assert_equal 0 $rc
+            assert_match {*Peer signature type: rsa_pss_rsae_sha256*} $out
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/tls.tcl` around lines 137 - 138, Replace the hard-coded openssl
invocation and incorrect cert usage by calling "openssl" from PATH (not
"/usr/bin/openssl"), pass the CA certificate variable instead of the server leaf
(replace -CAfile $valkey_crt with the appropriate CA cert variable, e.g. -CAfile
$valkey_ca or $ca_crt), and capture the catch result code so the test asserts
the connection succeeded before checking output (use set rc [catch {exec openssl
s_client -connect localhost:$port -CAfile $CA_VAR -sigalgs
"rsa_pss_pss_sha256:rsa_pss_rsae_sha256" < /dev/null} out] and assert_equal 0
$rc, then assert_match the Peer signature text in $out); update references to
$valkey_crt, the exec call, and the assert_match line accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/tls.c`:
- Around line 401-413: In tlsRefreshServerCertInfo move the null/disabled TLS
guard so you check (!valkey_tls_ctx || !(server.tls_port ||
server.tls_replication || server.tls_cluster)) before calling
SSL_CTX_set_current_cert; specifically, ensure tlsRefreshServerCertInfo tests
valkey_tls_ctx early and returns or calls tlsClearCertInfo for both cert slots
if the context is NULL or TLS is disabled, then only call
SSL_CTX_set_current_cert and tlsUpdateCertInfoFromCtx when valkey_tls_ctx is
valid; update logic around SSL_CTX_set_current_cert, tlsUpdateCertInfoFromCtx,
tlsClearCertInfo and the server.tls_server_* / server.tls_server_alt_* fields
accordingly.

In `@tests/unit/tls.tcl`:
- Line 158: The test assertion using assert_match is using a double-asterisk
pattern (**related to argument 'tls-alt-key-file'**) which is a typo; update the
pattern to use a single asterisk (*related to argument 'tls-alt-key-file'*) so
the glob-style match behaves as intended when matching $e in the tls.tcl test
(look for the assert_match call referencing $e and the 'tls-alt-key-file'
message).
- Around line 463-464: The restore step is copying from valkey_alt_crt and
valkey_alt_key which were redefined to the passphrase-protected versions; before
you redefine those two variables, save the original paths into new names (e.g.,
orig_valkey_alt_crt and orig_valkey_alt_key) and then change the restoration
file copy calls (the ones using valkey_alt_crt/valkey_alt_key around lines
463-464) to use the saved originals (orig_valkey_alt_crt and
orig_valkey_alt_key) so the temporary files are restored from the original
certificate/key paths.

---

Duplicate comments:
In `@src/tls.c`:
- Around line 827-843: The tlsMaterialsMetadata struct is missing tracking for
the alternate key file so rotating tls-alt-key-file doesn't trigger
metadataChanged(); add fields analogous to key_file_inode and key_file_mtime for
the alternate key (e.g., alt_key_file_inode of type ino_t and alt_key_file_mtime
of type time_t) to tlsMaterialsMetadata and update all places that initialize,
copy, and compare metadata (functions/uses around tlsMaterialsMetadata,
metadataChanged(), and related load/compare code that currently handle
alt_cert_fingerprint and key_file_*/client_key_file_*/ca_cert_dir_*) to populate
and check the new alt_key fields so changes to tls-alt-key-file cause
metadataChanged() to return true.

In `@tests/unit/tls.tcl`:
- Around line 137-138: Replace the hard-coded openssl invocation and incorrect
cert usage by calling "openssl" from PATH (not "/usr/bin/openssl"), pass the CA
certificate variable instead of the server leaf (replace -CAfile $valkey_crt
with the appropriate CA cert variable, e.g. -CAfile $valkey_ca or $ca_crt), and
capture the catch result code so the test asserts the connection succeeded
before checking output (use set rc [catch {exec openssl s_client -connect
localhost:$port -CAfile $CA_VAR -sigalgs
"rsa_pss_pss_sha256:rsa_pss_rsae_sha256" < /dev/null} out] and assert_equal 0
$rc, then assert_match the Peer signature text in $out); update references to
$valkey_crt, the exec call, and the assert_match line accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8bd052c4-896c-491a-b3d1-f7fa79c805cb

📥 Commits

Reviewing files that changed from the base of the PR and between 539c77f and 7d4a07e.

📒 Files selected for processing (4)
  • src/server.c
  • src/server.h
  • src/tls.c
  • tests/unit/tls.tcl

Comment thread src/tls.c Outdated
Comment thread tests/unit/tls.tcl Outdated
Comment thread tests/unit/tls.tcl

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/unit/tls.tcl`:
- Around line 390-391: The test sets tls-key-file-pass via a CONFIG SET call
(tls-key-file-pass 1234) but the cleanup only restores certificate/key path
settings; update the cleanup CONFIG SET block that restores
temp_crt/temp_key/temp_alt_crt/temp_alt_key to also reset tls-key-file-pass back
to its original/default value (e.g., empty or the prior value) so the test does
not leak config across tests; locate the CONFIG SET usage in this file and add
tls-key-file-pass to the restore call that resets cert/key paths.
- Line 137: Replace the hard-coded OpenSSL binary path in the test command so
the test uses the openssl found on PATH; specifically update the exec invocation
that currently starts with "/usr/bin/openssl s_client -connect localhost:$port
-CAfile $valkey_crt -sigalgs ..." to call "openssl s_client ..." (i.e., remove
the absolute "/usr/bin" prefix) so the runtime PATH lookup is used and the test
becomes portable across environments.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e9a0b082-a54e-49f5-bdc6-0cd871b66ed2

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4a07e and 78c0115.

📒 Files selected for processing (4)
  • src/server.c
  • src/server.h
  • src/tls.c
  • tests/unit/tls.tcl

Comment thread tests/unit/tls.tcl Outdated
Comment thread tests/unit/tls.tcl Outdated
@pkhartsk pkhartsk force-pushed the add-dual-certs branch 4 times, most recently from dc0bac0 to f46ad5a Compare May 27, 2026 16:29
@pkhartsk

pkhartsk commented May 28, 2026

Copy link
Copy Markdown
Contributor Author

(Hmm, seems that CI run failed cause it ran the previous version of gen-test-certs.sh which only generates rsa ones so I had to change it; locally the tests pass for me, including w/ valgrind)

@pkhartsk

Copy link
Copy Markdown
Contributor Author

Could I ask someone to approve the CI run? It's been hanging there since friday

@yang-z-o

Copy link
Copy Markdown
Contributor

Hey @ranshid @lucasyonge @PingXie, could someone please approve the CI runs and take a look at this PR? I think it's in good shape overall, though it may fail the tests in some environments since it requires OpenSSL 3.x.

@codecov

codecov Bot commented Jun 10, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 71.42857% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.80%. Comparing base (689906a) to head (a622a27).
⚠️ Report is 23 commits behind head on unstable.

Files with missing lines Patch % Lines
src/server.c 66.66% 2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3717      +/-   ##
============================================
+ Coverage     76.73%   76.80%   +0.07%     
============================================
  Files           162      162              
  Lines         81029    81036       +7     
============================================
+ Hits          62175    62238      +63     
+ Misses        18854    18798      -56     
Files with missing lines Coverage Δ
src/config.c 79.24% <ø> (+0.31%) ⬆️
src/server.h 100.00% <ø> (ø)
src/tls.c 88.88% <100.00%> (+71.24%) ⬆️
src/server.c 89.46% <66.66%> (-0.07%) ⬇️

... and 20 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pkhartsk

Copy link
Copy Markdown
Contributor Author

it may fail the tests in some environments since it requires OpenSSL 3.x.

Ok I think I fixed it for compatibility w/ OpenSSL 1.1.1, it now builds on RHEL8 for me and utils/gen-test-certs.sh runs, and tests pass there too. I have PQC-specific tests in fedora already, so I don't necessarily need them here...

@pkhartsk

Copy link
Copy Markdown
Contributor Author

Bump, can someone approve the CI run?

@pkhartsk

Copy link
Copy Markdown
Contributor Author

test-fedorarawhide-tls-module fails due to OpenSSL being updated to 4.0 in rawhide, same issue as #4012 , for which I've submitted a patch in #4016 . The other two failing tests don't seem to have much to do with the changes here (?)

pkhartsk added 4 commits June 29, 2026 12:40
Two new config options, tls-alt-cert-file and tls-alt-key-file,
enable using two certificates with different algorithm types at once.
E.g. one can be a PQC mldsa certificate and another can be RSA for
backwards compatibility with older clients that don't support PQC yet.

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
Also add the alternate certificate info to `tls info`
This makes auto-reload work and its tests pass

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
… passphrases

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
This way the `gen-test-certs.sh` script is
compatible with older versions of openssl < 3.5

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
@pkhartsk

Copy link
Copy Markdown
Contributor Author

All the tests seem to pass now

@pkhartsk

Copy link
Copy Markdown
Contributor Author

@zuiderkwast @PingXie @madolson @ranshid Can I ask for a review please? I'd like this to be merged upstream before the end of summer if possible :)

@zuiderkwast zuiderkwast moved this from Todo to Needs Review in Valkey 10 Jun 30, 2026

@zuiderkwast zuiderkwast left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

It's a very strait-forward PR.

There's a spellcheck issue. We need to ignore the word or the whole shell script in the spellchecker's config file.

Comment thread src/tls.c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP)

Projects

Status: Needs Review

Development

Successfully merging this pull request may close these issues.

[NEW] Support dual certificates (PQC and RSA)

3 participants