Last updated: 2026-02-11

Memcached TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Memcached. Since version 1.5.13, Memcached supports TLS encryption for client connections, protecting cached data in transit.

Prerequisites

Verify Memcached was built with TLS support:

memcached -h 2>&1 | grep -i tls

You should see -Z, --enable-ssl in the output.

RHEL 8/9: The AppStream Memcached packages may not be compiled with TLS support. If the command above produces no output, install Memcached from an alternative source (e.g., compile from source with --enable-tls, or use the Remi repository).

Enabling TLS

Start Memcached with TLS enabled using the -Z flag:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem

TLS Protocol Versions

Restrict to TLS 1.2 and above:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_min_version=tlsv1.2

Available version values: tlsv1.2, tlsv1.3.

Cipher Suites

Specify strong cipher suites for TLS 1.2:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_min_version=tlsv1.2 \
  -o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

TLS 1.3 cipher suites are managed by OpenSSL automatically and cannot be overridden via the ssl_ciphers option.

Client Certificate Verification

Require clients to present a valid certificate (mutual TLS):

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_ca_cert=/etc/memcached/ssl/ca.pem \
  -o ssl_verify_mode=2 \
  -o ssl_min_version=tlsv1.2

Verify modes:

Mode Description
0 No client certificate verification (default)
1 Request client certificate but do not require it
2 Require and verify client certificate
3 Require client certificate, verify, and fail if not present (same behavior as mode 2 in most OpenSSL versions)

Session Caching

Enable TLS session caching to reduce handshake overhead for reconnecting clients:

memcached -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_session_cache \
  -o ssl_min_version=tlsv1.2

Version note: The ssl_session_cache option requires Memcached 1.6.22+. On Debian 11 (1.6.9), Debian 12 (1.6.18), and Ubuntu 22.04 (1.6.14), omit this option — it will cause a startup error.

Systemd Configuration

For systems using systemd, configure TLS in the environment file or override.

RHEL/CentOS (/etc/sysconfig/memcached):

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="256"
OPTIONS="-Z -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem,ssl_key=/etc/memcached/ssl/privkey.pem,ssl_min_version=tlsv1.2,ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"

Debian/Ubuntu (/etc/memcached.conf) -- uses one option per line:

-Z
-o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem
-o ssl_key=/etc/memcached/ssl/privkey.pem
-o ssl_min_version=tlsv1.2
-o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
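An added example, not part of the original guide or the Memcached project: a small Python audit that reads either option layout shown above and reports deviations from the settings this guide describes. The names parse_options, audit and SAMPLE are hypothetical; the 1.6.22 threshold and the mode 0 default come from the sections above.

```python
import shlex

SESSION_CACHE_MIN = (1, 6, 22)  # from this guide's version note

def parse_options(text):
    """Return (tls_enabled, options) from memcached arguments.

    Accepts one option per line, or a single string with comma-separated
    -o values (pass the value of OPTIONS, not the whole sysconfig file).
    """
    tokens = shlex.split(text.replace("\\\n", " "), comments=True)
    tls, opts, i = False, {}, 0
    while i < len(tokens):
        if tokens[i] in ("-Z", "--enable-ssl"):
            tls = True
        elif tokens[i] == "-o" and i + 1 < len(tokens):
            i += 1
            for item in tokens[i].split(","):
                key, _, value = item.partition("=")
                opts[key] = value  # bare flags get an empty value
        i += 1
    return tls, opts

def audit(text, version):
    """List findings; version is a tuple such as (1, 6, 18)."""
    tls, opts = parse_options(text)
    if not tls:
        return ["TLS not enabled: -Z missing"]
    findings = []
    for required in ("ssl_chain_cert", "ssl_key"):
        if not opts.get(required):
            findings.append(f"{required} not set")
    if opts.get("ssl_min_version") not in ("tlsv1.2", "tlsv1.3"):
        findings.append("ssl_min_version is not tlsv1.2 or tlsv1.3")
    # Mode 0 is the default: a CA file alone verifies no client.
    if "ssl_ca_cert" in opts and opts.get("ssl_verify_mode", "0") == "0":
        findings.append("ssl_ca_cert set but ssl_verify_mode is 0")
    if "ssl_session_cache" in opts and version < SESSION_CACHE_MIN:
        findings.append("ssl_session_cache needs 1.6.22+")
    return findings

# Constructed sample in the Debian one-option-per-line layout.
SAMPLE = """\
-Z
-o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem
-o ssl_key=/etc/memcached/ssl/privkey.pem
-o ssl_ca_cert=/etc/memcached/ssl/ca.pem
-o ssl_session_cache
"""
```

Calling audit(SAMPLE, (1, 6, 18)) returns three findings: the missing minimum version, the unused CA file, and the session cache option that the installed version does not accept.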

Client Connections

PHP (php-memcached)

$memc = new Memcached();
$memc->setOption(Memcached::OPT_USE_TLS, true);
$memc->addServer('memcached.example.com', 11211);

Python (pymemcache)

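from pymemcache.client.base import Client
import ssl

# Trust only the CA that issued the Memcached server certificate.
ctx = ssl.create_default_context(cafile='/etc/ssl/certs/ca.pem')
ctx.minimum_version = ssl.TLSVersion.TLSv1_2

# Pass the server as a (host, port) tuple.
client = Client(('memcached.example.com', 11211), tls_context=ctx)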

OpenSSL

openssl s_client -connect memcached.example.com:11211

Complete Configuration

memcached \
  -l 0.0.0.0 \
  -p 11211 \
  -u memcached \
  -m 256 \
  -c 1024 \
  -Z \
  -o ssl_chain_cert=/etc/memcached/ssl/fullchain.pem \
  -o ssl_key=/etc/memcached/ssl/privkey.pem \
  -o ssl_ca_cert=/etc/memcached/ssl/ca.pem \
  -o ssl_min_version=tlsv1.2 \
  -o ssl_ciphers=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
  -o ssl_session_cache              # requires Memcached 1.6.22+; omit on older versions

Verification

Test the TLS connection:

openssl s_client -connect memcached.example.com:11211 -tls1_2
openssl s_client -connect memcached.example.com:11211 -tls1_3

Check the negotiated protocol and cipher:

echo | openssl s_client -connect memcached.example.com:11211 2>/dev/null | grep -E 'Protocol|Cipher'

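Verify Memcached responds over TLS (the trailing quit command makes the server close the connection, so s_client exits after printing the stats):

printf 'stats\r\nquit\r\n' | openssl s_client -connect memcached.example.com:11211 -quiet 2>/dev/null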
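An added example, not from the original guide: checking captured openssl s_client output against this guide's policy, meaning TLS 1.2 with one of the suites listed under Cipher Suites, or TLS 1.3. The function names and the sample outputs are constructed for illustration, and the parser assumes the "Protocol  :" and "Cipher    :" lines of the SSL-Session block that the grep above selects.

```python
import re

# TLS 1.2 suites this guide passes to ssl_ciphers.
ALLOWED_TLS12 = frozenset((
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
).split(":"))

def session_field(output, name):
    """Value of a 'Name  : value' line, or None if it is absent."""
    match = re.search(rf"^\s*{name}\s*:\s*(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None

def check_handshake(output):
    """Return (ok, detail) for captured s_client output."""
    protocol = session_field(output, "Protocol")
    cipher = session_field(output, "Cipher")
    if protocol is None or cipher is None:
        return False, "no Protocol/Cipher lines in output"
    if cipher in ("0000", "(NONE)"):
        return False, "handshake failed: no cipher negotiated"
    if protocol == "TLSv1.3":
        # TLS 1.3 suites are chosen by OpenSSL, not by ssl_ciphers.
        return True, f"{protocol} {cipher}"
    if protocol == "TLSv1.2" and cipher in ALLOWED_TLS12:
        return True, f"{protocol} {cipher}"
    return False, f"outside policy: {protocol} {cipher}"

# Constructed samples shaped like s_client output, not real captures.
GOOD = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
WEAK = """\
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
"""
FAILED = """\
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK), ("FAILED", FAILED)):
        print(name, check_handshake(sample))
```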