
Last updated: 2026-05-15

Memcached TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Memcached. Since version 1.5.13, Memcached supports TLS encryption for client connections, protecting cached data in transit.

Prerequisites

  • Memcached 1.5.13 or later (compiled with TLS support)
  • OpenSSL 1.1.0 or later (1.1.1 or later if TLS 1.3 is required)
  • A valid TLS certificate and private key

Verify Memcached was built with TLS support:

memcached -h 2>&1 | grep -i tls

You should see -Z, --enable-ssl in the output.

RHEL 8/9: The AppStream Memcached packages may not be compiled with TLS support. If the command above produces no output, install Memcached from an alternative source (e.g., compile from source with --enable-tls, or use the Remi repository).
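Before starting the daemon it is worth confirming that the certificate and key files are what -Z will actually load. The script below is an added example, not part of Memcached or of this guide's original content: it checks that the first certificate in the chain file matches the private key, that the certificate is not about to expire, and that the key is not group- or world-readable. It needs only the openssl CLI; the paths in the usage line are the placeholders used throughout this guide.

```shell
#!/bin/sh
# Added example (not memcached's own code): sanity-check the certificate chain
# and private key before handing them to memcached -Z. Needs the openssl CLI.

# Return 0 if the public key of the FIRST certificate in the chain file matches
# the private key. OpenSSL expects the server certificate first, followed by
# intermediates, so a mismatch here usually means the chain file is in the
# wrong order or the wrong key was deployed. Returns 2 if a file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is valid for at least SECONDS more (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Return 0 if the private key is readable by its owner only (mode ?00).
# Anyone who can read this file can impersonate the cache to its clients.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all checks, print one line each, return 1 if any failed.
preflight() {
    cert="$1"; key="$2"; rc=0
    if cert_key_match "$cert" "$key"; then echo "ok   leaf certificate matches private key"
    else echo "FAIL leaf certificate does not match private key (check chain order)"; rc=1; fi
    if cert_not_expiring "$cert"; then echo "ok   certificate valid for at least 30 days"
    else echo "FAIL certificate expires within 30 days or is already expired"; rc=1; fi
    if key_perms_ok "$key"; then echo "ok   private key is not group/world readable"
    else echo "FAIL private key is readable by group or others"; rc=1; fi
    return $rc
}

# Usage with this guide's paths:
#   preflight /etc/memcached/ssl/fullchain.pem /etc/memcached/ssl/privkey.pem
```

A non-zero exit from preflight is a reason not to start the service; running it from a systemd ExecStartPre is a cheap way to catch a key rotation that only shipped half of the pair.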

Enabling TLS

Start Memcached with TLS enabled using the -Z flag. The chain file must contain the server certificate first, followed by any intermediates; ssl_key may be omitted if the private key is appended to the chain file. Note that -Z makes every TCP connection on the listening port a TLS connection: there is no separate plaintext listener, so existing plaintext clients must be switched to TLS at the same time or they will fail to connect.

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem

TLS Protocol Versions

Restrict to TLS 1.2 and above:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_min_version=tlsv1.2

Available version values: tlsv1.2, tlsv1.3. tlsv1.3 is only accepted when Memcached is built against OpenSSL 1.1.1 or later. Set the minimum explicitly rather than relying on the build default, and do not set it lower than tlsv1.2.

Cipher Suites

Specify strong cipher suites for TLS 1.2:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_min_version=tlsv1.2 \
  -o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

ssl_ciphers is passed straight through to OpenSSL's cipher-list syntax (SSL_CTX_set_cipher_list), which governs TLS 1.2 and below. TLS 1.3 cipher suites use a separate list that Memcached does not expose, so they cannot be changed via ssl_ciphers; OpenSSL's TLS 1.3 defaults are all AEAD suites with ephemeral key exchange, so this is not a weakness.
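The string above is interpreted by the system OpenSSL, not by Memcached, and its names only matter if the library actually selects the suites you expect. The following is an added example, not Memcached's code or the original page's: it expands a candidate ssl_ciphers value with openssl ciphers -v and rejects any TLS 1.2 suite that is not ECDHE with an AEAD cipher, the two properties the Security Notes below rely on. Run it against the string before putting it in a config file, or in CI whenever the OpenSSL package changes.

```shell
#!/bin/sh
# Added example (not memcached's own code): check how the local OpenSSL expands
# a memcached ssl_ciphers string and reject anything that is not ECDHE + AEAD.

# The cipher string recommended in this guide.
GUIDE_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# Expand a cipher string the way SSL_CTX_set_cipher_list would, one suite per
# line as "NAME VERSION Kx=.. Au=.. Enc=.. Mac=..". Fails on an invalid string.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Return 0 if every TLS 1.2 suite in the expansion uses ECDHE key exchange and an
# AEAD cipher (AES-GCM or ChaCha20-Poly1305); otherwise list the offenders on
# stderr and return 1. TLS 1.3 suites, which newer OpenSSL also prints, are
# skipped: they are always forward-secret AEAD and ssl_ciphers cannot change them.
audit_ciphers() {
    expanded=$(expand_ciphers "$1") || { echo "invalid cipher string: $1" >&2; return 2; }
    bad=$(printf '%s\n' "$expanded" | awk '
        $2 == "TLSv1.3" { next }
        {
            kx = ""; enc = ""; mac = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Kx=/)  kx  = substr($i, 4)
                if ($i ~ /^Enc=/) enc = substr($i, 5)
                if ($i ~ /^Mac=/) mac = substr($i, 5)
            }
            # Static RSA or DHE key exchange, CBC modes and non-AEAD MACs all fail.
            if (kx != "ECDH" || mac != "AEAD" || enc !~ /^(AESGCM|CHACHA20)/)
                print $1 " (Kx=" kx " Enc=" enc " Mac=" mac ")"
        }')
    if [ -n "$bad" ]; then
        printf 'non-compliant suites in "%s":\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# Usage:
#   audit_ciphers "$GUIDE_CIPHERS"                  # exit 0 on a sane OpenSSL
#   audit_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'
# The second call exits 1 and names AES256-GCM-SHA384 (Kx=RSA, the ROBOT
# exposure) and ECDHE-RSA-AES256-SHA384 (Enc=AES(256) Mac=SHA384, a CBC suite).
```

The audit deliberately checks the expanded list rather than the string: OpenSSL silently ignores suite names it does not recognise, so a typo in one entry shrinks the list without any error at memcached startup.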

Client Certificate Verification

Require clients to present a valid certificate (mutual TLS):

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_ca_cert=/etc/memcached/ssl/ca.pem \
  -o ssl_verify_mode=2 \
  -o ssl_min_version=tlsv1.2

Verify modes (ssl_verify_mode), which map onto OpenSSL's SSL_VERIFY_* flags:

Mode  Name     Description
0     None     No client certificate is requested (default)
1     Request  A client certificate is requested; a missing one is accepted, an invalid one is rejected
2     Require  A valid client certificate is mandatory; the handshake fails if none is presented
3     Once     As mode 1, but the certificate is requested only on the initial handshake, not on renegotiation

Use mode 2 for mutual TLS: modes 1 and 3 only reject a forged certificate, not a client that presents none. Note also that Memcached validates the client certificate chain against ssl_ca_cert and nothing more; any certificate issued by that CA is accepted, with no check of the subject or SAN. ssl_ca_cert should therefore point at a dedicated private CA that issues certificates only to memcached clients, never at a public or shared CA bundle.

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Session Caching

Enable TLS session caching to reduce handshake overhead for reconnecting clients:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_session_cache \
  -o ssl_min_version=tlsv1.2

Version note: ssl_session_cache requires Memcached 1.6.22+. On Debian 11 (1.6.9), Debian 12 (1.6.18) and Ubuntu 22.04 (1.6.14) omit this option; an unrecognised -o suboption is a startup error. Before enabling it, confirm the option is listed in the output of memcached -h on the build you are running.

Systemd Configuration

For systems using systemd, configure TLS in the environment file or override.

RHEL/CentOS (/etc/sysconfig/memcached):

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="256"
OPTIONS="-Z -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem,ssl_key=/etc/memcached/ssl/privkey.pem,ssl_min_version=tlsv1.2,ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"

Debian/Ubuntu (/etc/memcached.conf), which takes one option per line:

-Z
-o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem
-o ssl_key=/etc/memcached/ssl/privkey.pem
-o ssl_min_version=tlsv1.2
-o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Client Connections

PHP (php-memcached)

$memc = new Memcached();
$memc->setOption(Memcached::OPT_USE_TLS, true);
$memc->addServer('memcached.example.com', 11211);

Python (pymemcache)

from pymemcache.client.base import Client
import ssl

# Trust only the CA that issued the server certificate. create_default_context()
# also enables hostname verification, so the certificate must name the host
# given to Client(); pymemcache wraps its socket with this context.
ctx = ssl.create_default_context(cafile='/etc/ssl/certs/ca.pem')
ctx.minimum_version = ssl.TLSVersion.TLSv1_2

client = Client(('memcached.example.com', 11211), tls_context=ctx)

OpenSSL

openssl s_client -connect memcached.example.com:11211

Complete Configuration

A full server invocation combining the settings above. Mutual TLS is enforced with ssl_verify_mode=2; without it, ssl_ca_cert has no effect, so drop both lines together if clients will not present certificates. ssl_session_cache requires Memcached 1.6.22+ and must be omitted on older releases. Replace -l 0.0.0.0 with the address of the interface clients actually use; TLS encrypts the traffic but, without ssl_verify_mode=2, does nothing to authenticate who connects.

memcached \
  -l 0.0.0.0 \
  -p 11211 \
  -u memcached \
  -m 256 \
  -c 1024 \
  -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_ca_cert=/etc/memcached/ssl/ca.pem \
  -o ssl_verify_mode=2 \
  -o ssl_min_version=tlsv1.2 \
  -o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
  -o ssl_session_cache

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS weaknesses. Memcached TLS support was introduced in Memcached 1.5.13 (2019) and requires OpenSSL 1.1.0 or later, so the system OpenSSL version governs which library-level fixes are present:

  • POODLE (CVE-2014-3566, 2014): a padding-oracle attack on SSL 3.0 CBC. ssl_min_version=tlsv1.2 excludes SSL 3.0 and TLS 1.0/1.1 entirely; OpenSSL 1.0.1j (October 2014) added TLS_FALLBACK_SCSV support, and OpenSSL 1.1.0 disables SSL 3.0 by default.
  • BEAST (CVE-2011-3389, 2011): exploits predictable IVs in TLS 1.0 CBC mode. TLS 1.1+ uses explicit per-record IVs, and the AEAD-only cipher list removes CBC suites altogether.
  • CRIME (CVE-2012-4929, 2012): abuses TLS-level compression. Compression is disabled by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (CVE-2013-0169, 2013): a timing side channel in CBC MAC-then-encrypt. The AEAD-only cipher list eliminates it.
  • FREAK (CVE-2015-0204, 2015): downgrade to EXPORT-grade RSA. No EXPORT ciphers appear in the cipher string, and OpenSSL 1.1.0 (August 2016) removed them entirely.
  • Logjam (CVE-2015-4000, 2015): downgrade to export-grade DHE. Only ECDHE key exchange is allowed; no DHE suites are listed.
  • Sweet32 (CVE-2016-2183, 2016): birthday attacks on 64-bit block ciphers such as 3DES. 3DES is absent from the cipher string and has not been in OpenSSL's DEFAULT list since 1.1.0.
  • ROBOT (2017; tracked under vendor-specific CVEs, CVE-2017-13099 among them): a Bleichenbacher oracle against RSA key exchange. Static RSA key exchange is excluded; only ECDHE is allowed.
  • Downgrade attacks: with the minimum set to TLS 1.2 there is nothing older to fall back to. TLS_FALLBACK_SCSV (TLS 1.2 and below) and the TLS 1.3 downgrade sentinel in the server random additionally protect clients that do attempt fallback.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): a memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f, fixed in OpenSSL 1.0.1g (April 7, 2014). Memcached's TLS support requires OpenSSL 1.1.0+, so no affected library version can be linked; bugs of this class are addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): not applicable. BREACH targets HTTP-level response compression; the Memcached protocol does not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): requires SSLv2 to be enabled on any server sharing the same private key. OpenSSL 1.1.0 has no SSLv2 at all, so Memcached itself cannot be the weak endpoint, but a legacy mail or web server reusing the same certificate and key can be. Ensure SSLv2 is disabled on every service that shares the key pair, or do not share it.

Verification

Test the TLS connection at each protocol version. Add -CAfile with the CA that issued the server certificate so that "Verify return code: 0 (ok)" is meaningful, and when ssl_verify_mode=2 is set, supply -cert and -key or the server will reject the handshake:

openssl s_client -connect memcached.example.com:11211 -tls1_2
openssl s_client -connect memcached.example.com:11211 -tls1_3

Check the negotiated protocol and cipher:

echo | openssl s_client -connect memcached.example.com:11211 2>/dev/null | grep -E 'Protocol|Cipher'

Verify Memcached responds over TLS. -quiet implies -ign_eof, so s_client keeps the connection open after stdin closes; the trailing quit makes the server close it, otherwise the command hangs:

printf 'stats\r\nquit\r\n' | openssl s_client -connect memcached.example.com:11211 -quiet 2>/dev/null
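To make the manual s_client checks above repeatable, and to exercise the mutual-TLS setup from the Client Certificate Verification section, here is an added example that is not part of Memcached or of the original page. summarize_s_client reduces s_client's output to the negotiated protocol, cipher, verify code and whether a memcached STAT reply actually arrived; probe_tls runs the connection with an explicit protocol flag, a CA file for the server certificate and, when ssl_verify_mode=2 is in force, a client certificate and key. The host, port and CA path are this guide's placeholders; the client certificate paths in the usage comment are assumed names, not files this guide creates.

```shell
#!/bin/sh
# Added example (not memcached's own code): probe a TLS-enabled memcached with
# openssl s_client and reduce the result to one line. Host, port and file paths
# are this guide's placeholders.

# Read s_client output on stdin and print "protocol cipher verify-code reply|noreply",
# e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384 0 reply". Only the "Protocol  :" and
# "Cipher    :" lines of the SSL-Session block, the "Verify return code:" line and
# any memcached "STAT ..." lines are used; everything else is ignored.
summarize_s_client() {
    awk '
        /^ *Protocol *:/      { sub(/^[^:]*: */, ""); sub(/[ \t\r]+$/, ""); proto = $0 }
        /^ *Cipher *:/        { sub(/^[^:]*: */, ""); sub(/[ \t\r]+$/, ""); cipher = $0 }
        /Verify return code:/ { if (match($0, /code: [0-9]+/))
                                    code = substr($0, RSTART + 6, RLENGTH - 6) }
        /^STAT /              { reply = 1 }
        END { print proto, cipher, code, (reply ? "reply" : "noreply") }'
}

# Return 0 when a summary line shows TLS 1.2 or 1.3, a verified chain (code 0)
# and an application-level reply. The reply check matters under TLS 1.3: a server
# with ssl_verify_mode=2 only rejects a missing client certificate after the
# client has finished its handshake, so the session block is printed even though
# no command will ever be answered.
summary_ok() {
    set -- $1
    case "$1" in TLSv1.2|TLSv1.3) ;; *) return 1 ;; esac
    [ "$3" = "0" ] && [ "$4" = "reply" ]
}

# Probe HOST:PORT forcing one protocol version (VERFLAG is -tls1_2 or -tls1_3).
# CAFILE is the CA that issued the server certificate. CLIENT_CERT and CLIENT_KEY
# are optional and required when the server runs with ssl_verify_mode=2.
# "quit" makes memcached close the connection so s_client returns; -ign_eof
# stops s_client from exiting when stdin hits EOF before the reply arrives.
probe_tls() {
    host="$1"; port="$2"; verflag="$3"; cafile="$4"; ccert="$5"; ckey="$6"
    set -- -connect "$host:$port" "$verflag" -CAfile "$cafile" -ign_eof
    if [ -n "$ccert" ]; then
        set -- "$@" -cert "$ccert" -key "$ckey"
    fi
    printf 'stats settings\r\nquit\r\n' | openssl s_client "$@" 2>&1 | summarize_s_client
}

# Usage against this guide's placeholder host, server-only TLS:
#   probe_tls memcached.example.com 11211 -tls1_2 /etc/ssl/certs/ca.pem
# With ssl_verify_mode=2 and a client certificate issued by the ssl_ca_cert CA
# (client.pem / client-key.pem are assumed names):
#   probe_tls memcached.example.com 11211 -tls1_3 /etc/ssl/certs/ca.pem \
#       /etc/memcached/ssl/client.pem /etc/memcached/ssl/client-key.pem
# Feed the result to summary_ok; a non-zero third field means the server
# certificate did not verify against CAFILE, "noreply" means the server closed
# the connection without answering (typically a rejected client certificate).
```

Running probe_tls once with a client certificate and once without, and expecting summary_ok to pass only the first, is a direct test that ssl_verify_mode=2 is actually enforced rather than merely configured.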
