Should a client connecting to a server via a unix-socket be encrypted?
Does a client connection need encryption if the only connection option is via unix socket? e.g.
[mysqld]
socket = /run/mysqld/mysqld.sock
I'm considering these options, but I'd prefer not to include them if I don't need to.
[mysqld]
ssl = TRUE
ssl-ca = /path/to/foo.pem
ssl-cert = /path/to/foo.pem
ssl-key = /path/to/foo.pem
Did lots of searching for a canonical answer, but no luck.
Using Debian 10 and MySQL-server 5.7.
Yes, encryption on a unix socket is an option, but it's not necessary. If someone is able to listen in on your socket connection, it means your system has already been compromised. Low-level access to the system is required to intercept data on a unix socket connection.
Also, from https://dev.mysql.com/doc/refman/5.7/en/connection-options.html:
PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.
Connections over Unix socket files are not encrypted with a mode of PREFERRED. To enforce encryption for Unix socket-file connections, use a mode of REQUIRED or stricter. (However, socket-file transport is secure by default, so encrypting a socket-file connection makes it no more secure and increases CPU load.)
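The two points the answer and the quoted documentation make are checkable. First, which client --ssl-mode values actually force TLS on a socket-file connection (only REQUIRED and stricter; unspecified or PREFERRED leaves the socket in cleartext). Second, since the socket's protection is filesystem access control rather than encryption, the thing worth auditing is the mode of the socket file and of its parent directory. The following Python is an added example written for this page, not code from the question, the answer or MySQL itself. It encodes the mode table from the quoted documentation and audits a throwaway Unix socket it creates in a temporary directory (a constructed stand-in for /run/mysqld/mysqld.sock); the ssl-mode names are MySQL's, everything else is the example's own:

```python
import os
import socket
import stat
import tempfile

# Client --ssl-mode values taken from the MySQL 5.7 connection-options page quoted above.
# Only REQUIRED and stricter force TLS over a Unix socket file; PREFERRED (the default
# when --ssl-mode is not given) leaves socket-file connections unencrypted.
SOCKET_ENCRYPTING_MODES = {"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}


def socket_connection_encrypted(ssl_mode=None):
    """Return True if a Unix-socket connection would be TLS-encrypted under ssl_mode.

    None means the option was not specified, which the documentation equates to PREFERRED.
    """
    mode = (ssl_mode or "PREFERRED").upper()
    return mode in SOCKET_ENCRYPTING_MODES


def audit_socket_path(path):
    """Inspect the access control a Unix socket actually relies on.

    Returns a list of findings; an empty list means nothing noteworthy.
    """
    findings = []
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} is not a socket")
        return findings
    # On Linux, connect() on a Unix socket needs write permission on the socket file,
    # so a world-writable socket is reachable by every local user. Whether that is
    # acceptable depends on whether MySQL account authentication is the intended boundary.
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable (every local user can connect)")
    # A world-writable parent without the sticky bit lets another local user replace
    # the socket file, so clients could be steered to a different listener.
    parent = os.path.dirname(path) or "."
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent} is world-writable without the sticky bit")
    return findings


def demo():
    """Constructed demonstration: audit a temporary socket under two permission settings."""
    tmpdir = tempfile.mkdtemp()          # mkdtemp creates the directory mode 0700
    path = os.path.join(tmpdir, "mysqld.sock")   # hypothetical stand-in path
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)                   # bind() creates the socket file
        os.chmod(path, 0o777)            # permissive case
        permissive = audit_socket_path(path)
        os.chmod(path, 0o660)            # owner and group only
        restricted = audit_socket_path(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return permissive, restricted


if __name__ == "__main__":
    for mode in (None, "PREFERRED", "REQUIRED", "VERIFY_IDENTITY"):
        print(f"ssl-mode={mode!s:16} socket encrypted: {socket_connection_encrypted(mode)}")
    permissive, restricted = demo()
    print("0777 socket findings:", permissive)
    print("0660 socket findings:", restricted)
```

To audit a live server, call audit_socket_path with the socket value from the server's configuration instead of the temporary path; the mode table needs no live connection at all.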