
Enable SSL Encryption On Remote MySQL Databases

Charlie Reddington shared this idea 10 months ago
Under Consideration

ISSUE: WHMCS does not support remote database encryption w/ SSL

IMPACT: Client and WHMCS data is transferred between the web server and database in clear text. This affects nearly everyone. If you are on a shared host, your data is transported in the clear and can be seen by others. If your database is remote from your web server, even in the same datacenter, your data is transported in the clear and can also be seen.

RESOLUTION: Implement SSL support for WHMCS database connections. MySQL and MariaDB both have SSL support for remote connections natively. Newer versions of php-pdo also appear (please help verify) to have support for SSL on remote connections. PHP mysqli also has SSL support already built in.

COMMENT: I'd love to see WHMCS support SSL on the backend data side as they already do on the front end web side. I further would propose that we add this check into WHMCS health checks to make sure everyone is aware of the exposure they currently have, like they do for web SSL.

The current ugly workaround is setting up a tunnel from your web server to your database server via an SSH tunnel or VPN.

Comments (2)

1

This is a remarkably easy fix and simply requires passing 1 or 2 options to the database connection string:

$opts = array(
    // Path to the CA certificate file (PEM)
    PDO::MYSQL_ATTR_SSL_CA => '/path/to/ssl_key.pem',
    // Disables verification of the server certificate
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
);

This assumes your key is self-signed and you don't want PDO to try to validate the key. If you have a 'real' cert you can leave off the second option.

In today's world where you should take every security precaution available I can't imagine why this would not be added as an option to WHMCS, especially considering how easy of a fix it is.

The guys at Chatstack added SSL support for me overnight.

1

This is very important for anyone running their database on a managed instance or simply on another VM from their website.

This is also a very easy fix and simply requires 1 or 2 options to be passed to the db connection string:

$opts = array(
    // Path to the CA certificate file (PEM)
    PDO::MYSQL_ATTR_SSL_CA => '/path/to/ssl_key.pem',
    // Disables verification of the server certificate
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
);

The first being the key to your SSL key that MySQL is expecting and the second only if your cert is self-signed rather than issued from a legit CA.
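
The health check proposed in the request, combined with the PDO options from the comments, as an added example that is not part of the thread and not WHMCS code. The WHMCS_DB_* environment variables, the fallback host and CA path, and both function names are assumptions made for illustration; server certificate verification is left on here.

```php
<?php
// Added example, not WHMCS code. Env var names and function names are hypothetical.
function connectWithTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $opts = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // CA certificate (or the self-signed server certificate itself) to validate against.
        PDO::MYSQL_ATTR_SSL_CA => $caFile,
        // Keep verification on so the connection fails instead of trusting any server.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ];
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, $opts);
}

// Health check: ask the server whether this session is actually encrypted.
function tlsStatus(PDO $pdo): array
{
    $sql = "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')";
    $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_KEY_PAIR);
    $cipher = $rows['Ssl_cipher'] ?? '';
    return [
        'encrypted' => $cipher !== '',   // empty cipher means a clear-text session
        'cipher'    => $cipher,
        'version'   => $rows['Ssl_version'] ?? '',
    ];
}

try {
    $pdo = connectWithTls(
        getenv('WHMCS_DB_HOST') ?: 'db.example.internal',  // placeholder host
        getenv('WHMCS_DB_NAME') ?: 'whmcs',
        getenv('WHMCS_DB_USER') ?: 'whmcs',
        getenv('WHMCS_DB_PASS') ?: '',
        getenv('WHMCS_DB_CA')   ?: '/path/to/ca.pem'        // placeholder path
    );
    $status = tlsStatus($pdo);
    echo $status['encrypted']
        ? "OK: {$status['version']} / {$status['cipher']}\n"
        : "WARNING: database session is not encrypted\n";
    exit($status['encrypted'] ? 0 : 1);
} catch (Throwable $e) {
    fwrite(STDERR, "Database TLS check failed: {$e->getMessage()}\n");
    exit(2);
}
```

The exit code (0 encrypted, 1 clear text, 2 connection or verification failure) lets a cron job or monitoring probe alert when the database link is not protected.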