My company has no choice: we have to use SSL internally for regulatory purposes. Right now we're using an stunnel solution for having our clients connect to Redis. I am super excited that I'll be able to remove this workaround in the future!


There is a software named Hitch https://github.com/varnish/hitch that is super useful for enabling SSL to different services, like Redis.


Putting the server behind TLS is a minor part of the process.

If you want any kind of HA, you'll have multiple instances of Redis, with changes replicated from the writable node to the others.

That traffic needs to be encrypted too - and redis (pre 6.0) knows nothing about TLS.

So now you need a tunnel to each other Redis node.

Oh, but you also want Sentinel to make sure a failure means a new primary node is elected... and Sentinel doesn't speak TLS either, and they need to both speak to each other and to the Redis nodes... so that's another set of TLS tunnels you need to set up.

I set up Redis on 3 nodes for a customer; if you tried to draw the stunnel setup on paper, it'd look like you're illustrating a plate of spaghetti.
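To make the "plate of spaghetti" concrete, here is an added example of what the stunnel configuration on a single replica node looks like when Redis (pre 6.0) and Sentinel have no native TLS. It is not the commenter's configuration; hostnames (`redis-primary`, `redis-node2`, `sentinel-*`), ports and certificate paths are assumed, and every other node needs a matching file with the roles reversed.

```ini
; /etc/stunnel/stunnel.conf on a Redis replica node (constructed example)
; Every section below is one tunnel. Multiply this by the number of nodes
; and Sentinels and you get the mesh described above.

setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid

; --- Shared TLS settings: mutual authentication against an internal CA ---
cert = /etc/stunnel/certs/redis-node2.pem      ; this node's cert (assumed path)
key = /etc/stunnel/certs/redis-node2.key       ; this node's private key
CAfile = /etc/stunnel/certs/internal-ca.pem    ; CA that signed all node certs
verifyChain = yes                              ; reject peers not signed by the CA
sslVersion = TLSv1.2

; --- 1. Inbound: application clients and other tunnels reach Redis here ---
[redis-in]
accept = 0.0.0.0:6380        ; TLS side, exposed on the network
connect = 127.0.0.1:6379     ; plaintext Redis bound to localhost only

; --- 2. Outbound: replication link to the primary's TLS port ---
; Redis on this node is configured with `replicaof 127.0.0.1 6381`, so the
; replication stream goes into this local plaintext endpoint and out over TLS.
[redis-to-primary]
client = yes
accept = 127.0.0.1:6381
connect = redis-primary:6380
checkHost = redis-primary    ; pin the expected certificate name

; --- 3. Inbound: Sentinels and peer Sentinels reach the local Sentinel here ---
[sentinel-in]
accept = 0.0.0.0:26380
connect = 127.0.0.1:26379    ; plaintext Sentinel bound to localhost only

; --- 4. Outbound: the local Sentinel needs a tunnel to every other node ---
; Sentinel is configured with these 127.0.0.1 ports instead of real addresses.
[sentinel-to-primary-redis]
client = yes
accept = 127.0.0.1:16380
connect = redis-primary:6380
checkHost = redis-primary

[sentinel-to-sentinel-1]
client = yes
accept = 127.0.0.1:36380
connect = sentinel-1:26380
checkHost = sentinel-1

[sentinel-to-sentinel-3]
client = yes
accept = 127.0.0.1:36381
connect = sentinel-3:26380
checkHost = sentinel-3
```

Two things this layout makes visible. First, the plaintext listeners (6379, 26379) must really be bound to localhost, otherwise the tunnel is decorative; verifying that with `ss -ltnp` on each node is the check that matters. Second, Sentinel learns the addresses of primaries and replicas from the nodes themselves (via INFO and announcements), so unless every announced address corresponds to a local tunnel endpoint, a failover will hand clients an address that has no TLS in front of it. That address-rewriting problem, not the tunnels themselves, is what makes the stunnel approach fragile compared with native TLS in Redis 6.0.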


How is stunnel a workaround? Honestly that would seem like an ideal solution to me - "do one thing, do it well". Stunnel can focus on having a rock solid TLS implementation and Redis can focus on being a great DB.

Am I missing something?

