Since version v1.5.13, memcached supports TLS!
Backstory: Our mcrouter instances have 2 server pools: one that includes all mc* hosts in the local primary DC, and another that consists of 4 mw* servers which act as a "proxy" to the other primary DC. For example, in eqiad we have:
```
"codfw": {
    "servers": [
        "10.192.0.61:11214:ascii:ssl",
        "10.192.16.56:11214:ascii:ssl",
        "10.192.32.113:11214:ascii:ssl",
        "10.192.48.94:11214:ascii:ssl"
    ]
},
"eqiad": {
    "servers": [
        "10.64.0.80:11211:ascii:plain",
        "10.64.0.81:11211:ascii:plain",
        "10.64.0.82:11211:ascii:plain",
        "10.64.0.83:11211:ascii:plain",
        "10.64.0.84:11211:ascii:plain",
        "10.64.16.107:11211:ascii:plain",
        "10.64.16.108:11211:ascii:plain",
        "10.64.16.109:11211:ascii:plain",
        "10.64.16.110:11211:ascii:plain",
        "10.64.32.208:11211:ascii:plain",
        "10.64.32.209:11211:ascii:plain",
        "10.64.32.210:11211:ascii:plain",
        "10.64.32.211:11211:ascii:plain",
        "10.64.32.212:11211:ascii:plain",
        "10.64.48.155:11211:ascii:plain",
        "10.64.48.156:11211:ascii:plain",
        "10.64.48.157:11211:ascii:plain",
        "10.64.48.158:11211:ascii:plain"
    ]
}
```
If we were to enable TLS, as a first step we could eliminate the need to use those "mcrouter proxies", and thus remove 4 more "special" mediawiki servers.
If that goes well, we can then consider switching all memcached traffic to use TLS.
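To track how much of a pool configuration still carries plaintext memcached traffic during such a migration, the following added example (not part of the original task or of mcrouter itself) parses server entries in the four-field `host:port:protocol:transport` form shown above and lists the plaintext endpoints per pool. The function names and the sample pools are hypothetical; the addresses are constructed documentation-range placeholders.

```python
import json
from collections import Counter

# Constructed sample in the same shape as the pools above (addresses are
# documentation-range placeholders, not real hosts).
SAMPLE_POOLS = json.loads("""
{
  "remote-dc": {"servers": ["192.0.2.10:11214:ascii:ssl",
                            "192.0.2.11:11214:ascii:ssl"]},
  "local-dc":  {"servers": ["198.51.100.20:11211:ascii:plain",
                            "198.51.100.21:11211:ascii:ssl",
                            "[2001:db8::5]:11211:ascii:plain"]}
}
""")


def parse_server(entry):
    """Split 'host:port:protocol:transport'; rsplit keeps bracketed IPv6 hosts intact."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected host:port:protocol:transport, got {entry!r}")
    host, port, protocol, transport = parts
    # Assumption: only the 'ssl' and 'plain' transports seen on this page are valid.
    if not port.isdigit() or transport not in ("ssl", "plain"):
        raise ValueError(f"unrecognised server entry {entry!r}")
    return {"host": host, "port": int(port), "protocol": protocol, "transport": transport}


def audit_pools(pools):
    """Return per-pool transport counts and the list of plaintext endpoints."""
    report = {}
    for name, pool in pools.items():
        servers = [parse_server(s) for s in pool["servers"]]
        counts = Counter(s["transport"] for s in servers)
        plaintext = [f'{s["host"]}:{s["port"]}' for s in servers if s["transport"] == "plain"]
        report[name] = {"ssl": counts["ssl"], "plain": counts["plain"], "plaintext": plaintext}
    return report


if __name__ == "__main__":
    for pool, r in audit_pools(SAMPLE_POOLS).items():
        state = "all TLS" if r["plain"] == 0 else f'{r["plain"]} plaintext: {", ".join(r["plaintext"])}'
        print(f"{pool}: {r['ssl']} ssl, {state}")
```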
**Versions:**
* v1.5.22: we can package the latest v1.5 for buster and introduce TLS - safe option
* v1.6.6: we have this version packaged and ready, but it will need to be deployed with caution since there are some changes which can affect a busy cluster like ours