The problem/use-case that the feature addresses
Right now, it's impossible to start a valkey server that prefers post-quantum cryptography (PQC) ML-DSA certificates but falls back to RSA for clients that don't support the former.
An example thereof is: using redis-cli major version 7 (does not support PQC algorithms) with valkey-server major version 8 does work with RSA certificates, but not with ML-DSA, which results in
Could not connect to Redis at <ip>:6379: SSL_connect failed: ssl/tls alert handshake failure
and
Error accepting a client connection: error:0A000076:SSL routines::no suitable signature algorithm (addr=<ip>:38508 laddr=<ip>:6379)
Description of the feature
An ability to specify additional certificate/key files in the config, similar to httpd, which also uses OpenSSL to handle TLS connections. openssl s_server itself has -dcert and -dkey flags in addition to -cert and -key for this use case.
Alternatives you've considered
I'm not sure there is an alternative.
Additional information
Hopefully this shouldn't be too hard to implement, just changing how the program interacts with OpenSSL.
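
The behaviour requested above, as an added example (not valkey code and not part of the original issue): Python's ssl module, which wraps OpenSSL, accepts one load_cert_chain() call per key type on a single server context, and the server then presents whichever certificate the client can use. Assumptions: ECDSA stands in for ML-DSA so the sketch runs on OpenSSL builds without PQC support, a TLS 1.2 cipher-suite restriction models the client's limited algorithm support, the openssl CLI is available to create the constructed test certificates, and all function names are hypothetical.

```python
import ssl, subprocess, tempfile
EC_ARGS = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"]

def make_cert(tmp, name, keyargs):
    """Constructed throwaway self-signed cert/key pair (needs the openssl CLI)."""
    crt, key = f"{tmp}/{name}.crt", f"{tmp}/{name}.key"
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", *keyargs,
                    "-subj", f"/CN=constructed-{name}", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def make_server(*pairs):
    """One context, one load_cert_chain() per key type (cf. -cert/-key and -dcert/-dkey)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for crt, key in pairs:
        ctx.load_cert_chain(crt, key)
    return ctx

def served_cert(server_ctx, client_ciphers):
    """Run a TLS 1.2 handshake in memory; return the DER certificate the server chose."""
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname, cctx.verify_mode = False, ssl.CERT_NONE  # throwaway certs only
    cctx.maximum_version = ssl.TLSVersion.TLSv1_2
    cctx.set_ciphers(client_ciphers)  # models a client that supports one key type
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):  # bounded pump, a handshake needs far fewer rounds
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            for src, dst in ((c_out, s_in), (s_out, c_in)):
                data = src.read()
                if data:
                    dst.write(data)
    return client.getpeercert(binary_form=True)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        rsa, ec = make_cert(tmp, "rsa", ["-newkey", "rsa:2048"]), make_cert(tmp, "ec", EC_ARGS)
        names = {ssl.PEM_cert_to_DER_cert(open(p[0]).read()): n for p, n in ((rsa, "rsa"), (ec, "ec"))}
        ctx = make_server(rsa, ec)
        return {who: names[served_cert(ctx, suite)] for who, suite in
                (("legacy", "ECDHE-RSA-AES128-GCM-SHA256"), ("modern", "ECDHE-ECDSA-AES128-GCM-SHA256"))}

if __name__ == "__main__": print(demo())
```

A server built with only the second certificate, `make_server(ec)`, rejects the RSA-only client with an `ssl.SSLError`, which is the single-certificate failure the issue describes.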