Should a client connecting to a server via a unix-socket be encrypted?



  • Does a client connection need encryption if the only connection option is via unix socket? e.g. my.cnf

    [mysqld]
    socket = /run/mysqld/mysqld.sock
    

    I'm considering these options, but I'd prefer not to include them if I don't need to.

    [mysqld]
    ssl = TRUE
    ssl-ca = /path/to/foo.pem
    ssl-cert = /path/to/foo.pem
    ssl-key  = /path/to/foo.pem
    

    Did lots of searching for a canonical answer, but no luck.

    Using Debian 10 and MySQL-server 5.7.



  • Yes, encryption on a unix socket is an option, but it's not necessary. If someone is able to listen in on your socket connection, it means your system has already been compromised. Low-level access to the system is required to intercept data on a unix socket connection.

    Also, from https://dev.mysql.com/doc/refman/5.7/en/connection-options.html:

    --ssl-mode=mode

    PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.

    Connections over Unix socket files are not encrypted with a mode of PREFERRED. To enforce encryption for Unix socket-file connections, use a mode of REQUIRED or stricter. (However, socket-file transport is secure by default, so encrypting a socket-file connection makes it no more secure and increases CPU load.)
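    The answer's "secure by default" claim rests on the filesystem, not on MySQL: eavesdropping on someone else's socket connection needs root-level access, and the only cheaper attack is for a local user who can write to the socket's directory to remove the socket and bind their own at the same path. The following Python script is an added example, not part of the question, the answer or MySQL's own tooling; it audits the directory holding a socket for exactly that condition. The path /run/mysqld/mysqld.sock is taken from the question's my.cnf; everything else (the temporary-directory demo, the function names) is this example's own construction.

```python
import os
import socket
import stat
import tempfile

# Path from the question (Debian default); used only by the demo at the bottom.
MYSQLD_SOCKET = "/run/mysqld/mysqld.sock"


def audit_socket_path(path):
    """Return a list of findings for a Unix socket path (empty list = OK).

    Socket-file transport is only "secure by default" because the filesystem
    decides who can touch the socket: a local user who cannot write to the
    directory holding it cannot unlink it and bind a socket of their own in
    its place, and reading another process's traffic needs root-level access.
    This checks the directory half of that.  A world-connectable socket is
    deliberately not reported: mysqld normally creates its socket that way and
    relies on its own account authentication for who may log in.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket: %s" % path)

    dirname = os.path.dirname(os.path.abspath(path))
    dst = os.stat(dirname)
    dmode = stat.S_IMODE(dst.st_mode)
    if dmode & stat.S_IWOTH:
        msg = "directory %s is world-writable: other local users could replace the socket" % dirname
        if dmode & stat.S_ISVTX:
            # Sticky bit (e.g. /tmp) stops unlinking an existing socket, but the
            # path can still be squatted before the server creates it.
            msg += " (sticky bit only protects a socket that already exists)"
        findings.append(msg)
    if dmode & stat.S_IWGRP:
        findings.append("directory %s is group-writable (gid %d): members of that "
                        "group could replace the socket" % (dirname, dst.st_gid))
    if dst.st_uid not in (0, st.st_uid):
        findings.append("directory %s is owned by uid %d, not root or the socket "
                        "owner uid %d" % (dirname, dst.st_uid, st.st_uid))
    return findings


def audit_fresh_socket(dir_mode=0o700, as_socket=True):
    """Demo helper (constructed for this example): create a temporary directory
    with the given mode, bind a real AF_UNIX socket in it (or, for comparison,
    a plain file), audit it and clean up.  Returns the findings list."""
    tmp = tempfile.mkdtemp()            # mkdtemp creates the directory 0o700
    path = os.path.join(tmp, "test.sock")
    sock = None
    try:
        if as_socket:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            sock.bind(path)             # bind() creates the socket file
        else:
            open(path, "w").close()
        os.chmod(tmp, dir_mode)
        return audit_socket_path(path)
    finally:
        if sock is not None:
            sock.close()
        os.chmod(tmp, 0o700)            # make sure we can remove our own files
        if os.path.lexists(path):
            os.unlink(path)
        os.rmdir(tmp)


if __name__ == "__main__":
    print("private dir:       ", audit_fresh_socket(0o700))
    print("world-writable dir:", audit_fresh_socket(0o777))
    print("plain file:        ", audit_fresh_socket(0o700, as_socket=False))
    if os.path.exists(MYSQLD_SOCKET):
        print(MYSQLD_SOCKET + ":", audit_socket_path(MYSQLD_SOCKET) or "no findings")
```

    On a stock Debian install /run/mysqld is 0755 and owned by mysql, so the audit of the real socket comes back empty. To see the PREFERRED-versus-REQUIRED behaviour quoted above on a live server, compare `mysql --protocol=SOCKET --ssl-mode=PREFERRED -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"` (empty Value: the socket connection is not encrypted) with the same command using `--ssl-mode=REQUIRED` (a cipher name, once the server has the ssl options from the question configured).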



