
Using Amazon RDS with WordPress over SSL

I'm migrating our WordPress database to RDS, which is also being used by other services in our infrastructure. But I couldn't find any configuration option for wp-config.php where I could specify that SSL be used while connecting to the server. This would also need a reference to the certificate authority file provided by Amazon. The app server on which WordPress is currently running is outside the AWS cluster.

The answers I could find were fairly old (I'm using WordPress 4.2 here) and don't provide much guidance.

How can I configure WordPress to use Amazon RDS over an SSL connection (specifying the public key)?

Jai Pandya asked Apr 24 '15 14:04


1 Answer

Had the same question. Thankfully some other folks had proposed a reasonable solution here: https://core.trac.wordpress.org/ticket/28625. End-to-end, here's what I did to get SSL working:

1. Add the following to the WordPress wp-includes/wp-db.php file (except the last 2 lines, which are just for insertion point reference).

//ADDED per https://core.trac.wordpress.org/ticket/28625
// call set_ssl if mysql client flag set and settings available
if ( $client_flags & MYSQL_CLIENT_SSL ) {
    $pack = array( $this->dbh );
    $call_set = false;
    foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA',
        'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) {
        $pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null;
        $call_set |= defined( $opt_key );
    }
    /* Now if anything was packed - unpack into the function.
    * Note this doesn't check if paths exist, as per the PHP doc
    * at http://www.php.net/manual/en/mysqli.ssl-set.php: "This
    * function always returns TRUE value. If SSL setup is incorrect
    * mysqli_real_connect() will return an error ..."
    */
    if ( $call_set ) { // SSL added here!
        call_user_func_array( 'mysqli_ssl_set', $pack );
    }
}//END ADD - below is the point above which to insert this

if ( WP_DEBUG ) {
    mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );

2. Customize your WordPress wp-config.php file.

Add & customize the following lines in your wp-config.php file. You can test these from development/staging as well as production if you have multiple environments.

define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');
define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);//This activates SSL mode
define('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');

Note that there are 5 available MYSQL_SSL* settings you could use in your config, per code in #1 above. My RDS connection works via SSL with just the _CA option.

3. Sanity test that your connection is encrypted.

Add a quick test file to show whether the current WordPress connection is using SSL or not. Create a sample file like this one called test.php, and put it in your WordPress root or somewhere web accessible. Don't forget to remove this file when done testing.

<?php
require( dirname( __FILE__ ) . '/wp-blog-header.php' ); //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php file
global $wpdb;
$row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );
var_dump($row);

/*
If you are connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }

If you are NOT connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(0) "" }

*/
?>

4. Deploy and test your connection

Deploy your changes & test.php file to your WordPress installation, and restart your web server as needed. I'm using Apache, so I run

sudo apachectl restart

randalv answered Sep 20 '22 19:09
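
A command-line version of the step 3 sanity test, as an added example that is not part of the original answer: it checks the CA bundle path before connecting (the wp-db.php patch notes that mysqli_ssl_set does not), requests TLS, and exits non-zero if the session is unencrypted, without leaving a test.php in the web root. The script name, the environment variable names, and port 3306 are assumptions.

```php
<?php
// Added example, not the answer's code. Hypothetical usage:
//   DB_HOST=... DB_USER=... DB_PASSWORD=... MYSQL_SSL_CA=/path/to/ca.pem php check-db-tls.php
// Environment variable names are assumptions chosen to mirror the wp-config.php constants.

function check_db_tls( string $host, string $user, string $pass, string $ca ): array {
    // mysqli_ssl_set() does not validate paths, so check the CA bundle first.
    if ( ! is_readable( $ca ) ) {
        throw new RuntimeException( "CA bundle not readable: '$ca'" );
    }
    mysqli_report( MYSQLI_REPORT_OFF ); // errors are handled via return values below

    $dbh = mysqli_init();
    // Argument order as in the wp-db.php patch: key, cert, CA, CA path, cipher.
    mysqli_ssl_set( $dbh, null, null, $ca, null, null );

    // MYSQLI_CLIENT_SSL requests TLS. MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT is
    // deliberately not passed, so verification stays at the driver's default.
    // Port 3306 is assumed; DB_HOST must not carry a ":port" suffix here.
    if ( ! mysqli_real_connect( $dbh, $host, $user, $pass, null, 3306, null, MYSQLI_CLIENT_SSL ) ) {
        throw new RuntimeException( 'Connect failed: ' . mysqli_connect_error() );
    }

    // Collect the session's TLS status variables into name => value pairs.
    $status = array();
    $result = mysqli_query( $dbh,
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')" );
    while ( $result && ( $row = mysqli_fetch_row( $result ) ) ) {
        $status[ $row[0] ] = $row[1];
    }
    mysqli_close( $dbh );

    // An empty Ssl_cipher means the session is plaintext: treat that as failure.
    if ( empty( $status['Ssl_cipher'] ) ) {
        throw new RuntimeException( 'Connected, but the session is NOT encrypted' );
    }
    return $status;
}

try {
    $s = check_db_tls( getenv( 'DB_HOST' ), getenv( 'DB_USER' ),
        getenv( 'DB_PASSWORD' ), getenv( 'MYSQL_SSL_CA' ) );
    echo "TLS OK: {$s['Ssl_version']} / {$s['Ssl_cipher']}\n";
    exit( 0 );
} catch ( RuntimeException $e ) {
    fwrite( STDERR, $e->getMessage() . "\n" );
    exit( 1 );
}
```

Because it exits with a non-zero status on any failure, the script can run as a deploy-time or cron check so a silent fallback to plaintext is noticed.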