ISSUE: WHMCS does not support remote database encryption w/ SSL
IMPACT: Client and WHMCS data is transferred between the web server and database in clear text. This affects nearly everyone. If you are on a shared host your data is transported in the clear and can be seen by others; if your database is remote from your web server, even in the same datacenter, your data is transported in the clear and can also be seen.
RESOLUTION: Implement SSL support for WHMCS database connections. MySQL and MariaDB both have SSL support for remote connections natively. Newer versions of php-pdo also appear (please help verify) to have support for SSL on remote connections. PHP mysqli also has SSL support already built in.
COMMENT: I'd love to see whmcs support ssl on the backend data side as they already do on the front end web side. I further would propose that we add this check into whmcs health checks to make sure everyone is aware of the exposure they currently have like they do for web ssl.
Current ugly workaround is setting up a tunnel from your web server to your database server via an SSH tunnel or VPN.
3 Comments
This is a classic example of what is a product defect and shouldn't be needing a feature request submission
Why is this under consideration after a year - it is either accept and move forward or decline
This is also a very easy fix and simply requires 1 or 2 options to be passed to the db connection string:
$opts = array(
    PDO::MYSQL_ATTR_SSL_CA => '/path/to/ssl_key.pem',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
);
The first being the key to your SSL key that MySQL is expecting and the second only if your cert is self-signed rather than issued from a legit CA.
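As an added example (not WHMCS code and not the commenter's snippet), here is a complete PDO connection that passes the CA option described above while keeping server-certificate verification switched on, and then confirms from the server side that the session is actually encrypted. The host, database name, credentials and CA path are placeholder assumptions; a self-signed server certificate can be handled by pointing MYSQL_ATTR_SSL_CA at the certificate or private CA that issued it rather than by disabling verification.

```php
<?php
// Added example, not part of WHMCS: open a PDO MySQL/MariaDB connection over TLS.
// All connection parameters below are placeholder assumptions.

function connectMysqlOverTls(string $host, string $db, string $user, string $pass, string $caPath): PDO
{
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
    $options = [
        // CA certificate (or the self-signed server cert itself) that the server cert chains to.
        PDO::MYSQL_ATTR_SSL_CA => $caPath,
        // Keep verification on: setting this to false accepts any certificate, so the
        // connection would be encrypted but not authenticated.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ];
    return new PDO($dsn, $user, $pass, $options);
}

// Ask the server which cipher the current session negotiated. On a clear-text
// session MySQL and MariaDB report an empty Ssl_cipher value.
function sessionCipher(PDO $pdo): string
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    return $row['Value'] ?? '';
}

// Placeholder values: replace with the real host, database, user and CA path.
$pdo = connectMysqlOverTls(
    'db.example.internal',
    'whmcs',
    'whmcs_user',
    'CHANGE_ME',
    '/etc/ssl/certs/db-ca.pem'
);

$cipher = sessionCipher($pdo);
if ($cipher === '') {
    // Fail closed rather than silently continuing in the clear.
    throw new RuntimeException('Database connection is NOT encrypted');
}
echo "TLS cipher in use: {$cipher}\n";
```

The Ssl_cipher check is the kind of test a health check could run: it proves the link is encrypted from the server's point of view rather than trusting the client options. On the server side the same guarantee can be enforced for the application account with `ALTER USER 'whmcs_user'@'%' REQUIRE SSL;` (MySQL and MariaDB both support this clause), which makes a clear-text connection attempt fail at login instead of quietly succeeding.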