How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

Enable SSL Encryption On Remote MySQL Databases

  • Charlie Reddington shared this idea 3 years ago
  • Core System

ISSUE: WHMCS does not support remote database encryption w/ SSL

IMPACT: Client and WHMCS data is transferred between the web server and database in clear text. This affects nearly everyone. If you are on a shared host, your data is transported in the clear and can be seen by others; if your database is remote from your web server, even in the same datacenter, your data is transported in the clear and can also be seen.

RESOLUTION: Implement SSL support for WHMCS database connections. MySQL and MariaDB both have SSL support for remote connections natively. Newer versions of php-pdo also appear (please help verify) to have support for SSL on remote connections. PHP mysqli also has SSL support already built in.

COMMENT: I'd love to see WHMCS support SSL on the backend data side as they already do on the front end web side. I would further propose that we add this check into WHMCS health checks to make sure everyone is aware of the exposure they currently have, like they do for web SSL.

The current ugly workaround is setting up a tunnel from your web server to your database server via an SSH tunnel or VPN.



You can use ProxySQL and configure it to use SSL with the connection with the remote DB.
This shouldn't even be a topic of discussion
This is a classic example of what is a product defect and shouldn't be needing a feature request submission

Why is this under consideration after a year? It is either accept and move forward or decline.
This is very important for anyone running their database on a managed instance or simply on another VM from their website.

This is also a very easy fix and simply requires 1 or 2 options to be passed to the db connection string:

$opts = array(
    PDO::MYSQL_ATTR_SSL_CA => '/path/to/ssl_key.pem',
);

The first being the key to your SSL key that MySQL is expecting and the second only if your cert is self-signed rather than issued from a legit CA.
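
The PDO option from the comment above, combined with the health check proposed in the idea, as an added example that is not WHMCS code and not part of any post. The environment variable names, host name, credentials and CA path are hypothetical placeholders.

```php
<?php
// Added example, not WHMCS code. DB_HOST, DB_NAME, DB_USER, DB_PASS and
// DB_SSL_CA are hypothetical environment variables; defaults are placeholders.
declare(strict_types=1);

/** Open a PDO MySQL connection that requests TLS and verifies the server
 *  certificate against the given CA bundle. */
function connectWithTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_CA => $caFile,
        // Keep verification on: without it, any certificate is accepted and
        // an on-path attacker can still read the traffic.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ]);
}

/** Health check: ask the server which cipher and protocol this session
 *  negotiated. An empty Ssl_cipher means the session is in clear text. */
function tlsStatus(PDO $pdo): array
{
    $rows = $pdo
        ->query("SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')")
        ->fetchAll(PDO::FETCH_KEY_PAIR);
    $cipher = $rows['Ssl_cipher'] ?? '';
    return ['encrypted' => $cipher !== '', 'cipher' => $cipher, 'version' => $rows['Ssl_version'] ?? ''];
}

try {
    $pdo = connectWithTls(
        getenv('DB_HOST') ?: 'db.example.internal',
        getenv('DB_NAME') ?: 'whmcs',
        getenv('DB_USER') ?: 'whmcs',
        getenv('DB_PASS') ?: '',
        getenv('DB_SSL_CA') ?: '/path/to/ca.pem'
    );
    $s = tlsStatus($pdo);
    echo $s['encrypted']
        ? "OK: session encrypted ({$s['version']}, {$s['cipher']})\n"
        : "WARNING: database session is not encrypted\n";
} catch (Throwable $e) {
    fwrite(STDERR, 'Connection check failed: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Checking `Ssl_cipher` from inside the session confirms what was actually negotiated, rather than trusting that the client option took effect.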