I primarily develop PHP applications using MySQL as my database. Generally, the server running the application is on the same box as the MySQL server, though not always.
I was reading in the PHP docs about SSL support http://php.net/manual/en/ref.pdo-mysql.php and I'm left with these questions:
- With the application and database server being in the same (localhost) environment, is it necessary to connect to MySQL using SSL?
- Is the benefit of this for when you're accessing information between two servers (application server & a database server)?
- What are "best-practices" for using a PDO-SSL connection?
- Is it safe to assume that using an SSL certificate for the client/server connection has nothing to do with PDO's SSL connection?
Best Answer
1) Not in most circumstances - you can (should) configure MySQL to be local only, so unless someone has admin access to the box or is able to run as the MySQL user the SSL won't make a difference.
2) Absolutely, it prevents man in the middle (someone spoofing your webserver so they can query the database for instance) and sniffing data.
3) Same as with most SSL - use strong encryption (no SHA1), guard your keys, change them regularly etc.
4) Sort of, they don't need to be the same keys or anything, but if your organization has a CA then you can simplify things by getting them to approve ("sign") your certificates, which could make things simpler from a management point of view.
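For points 2 and 3, an added example (not part of the question or the answer above) of a PDO connection that pins the server CA, presents a client certificate, and then checks that the session really negotiated TLS; the hostname, certificate paths and credentials are assumptions:

```php
<?php
// Added example: PDO connection to MySQL over TLS plus a runtime check that
// the session is encrypted. Host, paths and user are assumed values.
declare(strict_types=1);

// Use the server's real hostname (not 127.0.0.1) so the certificate can be
// verified against it. A localhost connection over the Unix socket never
// uses TLS at all, which is the point made in answer 1.
$dsn = 'mysql:host=db.internal.example;port=3306;dbname=app;charset=utf8mb4';

$options = [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
    // CA that signed the MySQL server certificate (assumed path).
    PDO::MYSQL_ATTR_SSL_CA     => '/etc/ssl/mysql/ca.pem',
    // Client certificate and key, required if the account was created with
    // "CREATE USER ... REQUIRE X509" (assumed paths); drop them if the account
    // only uses REQUIRE SSL.
    PDO::MYSQL_ATTR_SSL_CERT   => '/etc/ssl/mysql/client-cert.pem',
    PDO::MYSQL_ATTR_SSL_KEY    => '/etc/ssl/mysql/client-key.pem',
    // Refuse a server whose certificate does not chain to the CA above.
    // Without this the handshake still succeeds against a spoofed server,
    // so the man-in-the-middle protection from answer 2 is lost.
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
];

$pdo = new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', $options);

// Verify the negotiated session: Ssl_cipher is empty on a plaintext connection.
$row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
if (empty($row['Value'])) {
    throw new RuntimeException('MySQL connection is not encrypted');
}
echo "TLS cipher in use: {$row['Value']}\n";
```

The `Ssl_cipher` check is worth keeping in a health check, because a missing CA file or a server started without TLS can silently fall back to plaintext on older client/server combinations.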