RE: Redis TLS Configuration in Sugar 25.1.x?

Rafael Fernandes — Mon, 02 Feb 2026 16:57:06 GMT

Sugar does not offer password as config for override, however we do use RedisTrait from symphony which I believe you can workaround it in passing in the URL, like:

use Symfony\Component\Cache\Adapter\RedisAdapter;

// host "my.server.com" and port "6379"
RedisAdapter::createConnection('redis://my.server.com:6379');

// host "my.server.com" and port "6379" and database index "20"
RedisAdapter::createConnection('redis://my.server.com:6379/20');

// host "localhost", auth "abcdef" and timeout 5 seconds
RedisAdapter::createConnection('redis://abcdef@localhost?timeout=5');

// socket "/var/run/redis.sock" and auth "bad-pass"
RedisAdapter::createConnection('redis://bad-pass@/var/run/redis.sock');

// host "redis1" (docker container) with alternate DSN syntax and selecting database index "3"
RedisAdapter::createConnection('redis:?host[redis1:6379]&dbindex=3');

// providing credentials with alternate DSN syntax
RedisAdapter::createConnection('redis:default:verysecurepassword@?host[redis1:6379]&dbindex=3');

// a single DSN can also define multiple servers
RedisAdapter::createConnection(
    'redis:?host[localhost]&host[localhost:6379]&host[/var/run/redis.sock:]&auth=my-password&redis_cluster=1'
);

Give it a try and let us know the results..

rafa

RE: Redis TLS Configuration in Sugar 25.1.x?

Tomasz Szykuła — Mon, 02 Feb 2026 13:47:44 GMT

Rafael i see that your code is not using password and Jeff's config has 'password' key in configuration. Does Sugar out of box support authentication to Redis used as backend cache ? I don see it in SugarCRM code but I would like to get confirmation? If i'm wrong please point me to file and line of code in SugarCRM codebase.

RE: Redis TLS Configuration in Sugar 25.1.x?

Rafael Fernandes — Fri, 09 Jan 2026 16:44:20 GMT

Hi Jeff Bickart ,

TLS is not supported out of the box. That said, there are a few alternative options available. Although we haven’t tested them ourselves, the guidance below should be helpful.

Alternative 1: Override Redis Service via after_entry_point Logic Hook
Approach: Use the after_entry_point application hook to override the Redis::class service definition in the container before cache is used.
Files to create:

custom/Extension/application/Ext/LogicHooks/RedisTlsHook.php
custom/include/RedisTlsOverride.php

Implementation:

// custom/Extension/application/Ext/LogicHooks/RedisTlsHook.php
<?php
$hook_array['after_entry_point'][] = [
    0, // Priority - run first
    'Redis TLS Override',
    'custom/include/RedisTlsOverride.php',
    'RedisTlsOverride',
    'overrideRedisService',
];

// custom/include/RedisTlsOverride.php
<?php

use Sugarcrm\Sugarcrm\DependencyInjection\Container;
use Sugarcrm\Sugarcrm\Cache\Exception as SugarCacheException;
use Psr\Container\ContainerInterface;

class RedisTlsOverride
{
    public function overrideRedisService()
    {
        $container = Container::getInstance();

        // Override the Redis service with TLS support
        $container->set(\Redis::class, function (ContainerInterface $container): \Redis {
            if (!extension_loaded('redis')) {
                throw new SugarCacheException('Redis extension is not loaded');
            }

            $client = new \Redis();
            $config = $container->get(\SugarConfig::class)->get('external_cache.redis');
            $persistentId = $container->get(\SugarConfig::class)->get('unique_key');

            $host = $config['host'] ?? '127.0.0.1';
            $port = $config['port'] ?? 6379;
            $timeout = $config['timeout'] ?? 0;
            $persistent = $config['persistent'] ?? false;
            $retryInterval = $config['retry_interval'] ?? 0;
            $readTimeout = $config['read_timeout'] ?? 0;

            // Build context array for TLS/SSL stream options
            $context = [];
            if (isset($config['stream'])) {
                $context['stream'] = $config['stream'];
            }

            try {
                if ($persistent) {
                    $client->pconnect(
                        $host,
                        $port,
                        $timeout,
                        $persistentId ?? '',
                        $retryInterval,
                        $readTimeout,
                        $context
                    );
                } else {
                    $client->connect(
                        $host,
                        $port,
                        $timeout,
                        '',
                        $retryInterval,
                        $readTimeout,
                        $context
                    );
                }
            } catch (\RedisException $e) {
                throw new SugarCacheException($e->getMessage(), 0, $e);
            }

            return $client;
        });
    }
}

Config in config_override.php:

$sugar_config['external_cache']['redis'] = [
    'host' => 'tls://redis.example.com',
    'port' => 6380,
    'timeout' => 2.5,
    'stream' => [
        'verify_peer' => true,
        'verify_peer_name' => true,
        'cafile' => '/path/to/ca-bundle.crt',
    ],
];

Pros:

Uses standard SugarCRM extension framework
No core file modifications
Survives upgrades

Cons:

after_entry_point runs after some initialization - cache may already be accessed
Container service may already be instantiated

Alternative 2: Custom Container Configuration File
Approach: Create a custom container configuration file that loads after the core container and overrides the Redis service.
Files to create:

custom/etc/container.php (custom container definitions)
custom/include/SugarContainerLoader.php (loader class)
custom/Extension/application/Ext/LogicHooks/ContainerLoader.php

Implementation:

// custom/etc/container.php
<?php

use Sugarcrm\Sugarcrm\Cache\Exception as SugarCacheException;
use Psr\Container\ContainerInterface;

return [
    \Redis::class => function (ContainerInterface $container): \Redis {
        if (!extension_loaded('redis')) {
            throw new SugarCacheException('Redis extension is not loaded');
        }

        $client = new \Redis();
        $config = $container->get(\SugarConfig::class)->get('external_cache.redis');
        $persistentId = $container->get(\SugarConfig::class)->get('unique_key');

        $host = $config['host'] ?? '127.0.0.1';
        $port = $config['port'] ?? 6379;
        $timeout = $config['timeout'] ?? 0;
        $persistent = $config['persistent'] ?? false;
        $retryInterval = $config['retry_interval'] ?? 0;
        $readTimeout = $config['read_timeout'] ?? 0;

        // Build context for TLS
        $context = [];
        if (isset($config['stream'])) {
            $context['stream'] = $config['stream'];
        }

        try {
            if ($persistent) {
                $client->pconnect(
                    $host, $port, $timeout,
                    $persistentId ?? '', $retryInterval, $readTimeout, $context
                );
            } else {
                $client->connect(
                    $host, $port, $timeout,
                    '', $retryInterval, $readTimeout, $context
                );
            }
        } catch (\RedisException $e) {
            throw new SugarCacheException($e->getMessage(), 0, $e);
        }

        return $client;
    },
];
// custom/include/SugarContainerLoader.php
<?php

class SugarContainerLoader
{
    public function loadCustomContainer()
    {
        $customContainerPath = 'custom/etc/container.php';
        if (file_exists($customContainerPath)) {
            $container = \Sugarcrm\Sugarcrm\DependencyInjection\Container::getInstance();
            $container->configureFromFile($customContainerPath);
        }
    }
}
// custom/Extension/application/Ext/LogicHooks/ContainerLoader.php
<?php
$hook_array['after_entry_point'][] = [
    0,
    'Load Custom Container',
    'custom/include/SugarContainerLoader.php',
    'SugarContainerLoader',
    'loadCustomContainer',
];

Pros:

Clean separation of custom container definitions
Uses UltraLite Container's built-in configureFromFile() method
Easy to manage multiple service overrides

Cons:

Still uses after_entry_point hook (timing issue)
Custom container file needs maintenance across upgrades