MySQL 5.7配置SSL连接
如果想服务能够部署自动支持安全连接,使用mysql_ssl_rsa_setup工具来创建缺省SSL与RSA文件
[root@cs2 bin]# ./mysql_ssl_rsa_setup --datadir=/mysqldata/mysql
Generating a 2048 bit RSA private key
......................................................................+++
..............................................................+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
..............+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.....................................+++
................................................+++
writing new private key to 'client-key.pem'
-----
启动mysql
[root@cs2 ~]# service mysqld start
Starting MySQL.. SUCCESS!
测试远程登录
-bash-4.2$ mysql -h 10.11.13.19 -P 3306 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.22 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> SELECT DISTINCT CONCAT('User: [', user, '''@''', host, '];') AS USER_HOST FROM user;
+------------------------------------+
| USER_HOST |
+------------------------------------+
| User: [root'@'%]; |
| User: [mysql.session'@'localhost]; |
| User: [mysql.sys'@'localhost]; |
+------------------------------------+
3 rows in set (0.05 sec)
通过ssl登录mysql服务器
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.26-log Source distribution
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using EditLine wrapper
Connection id: 7
Current database:
Current user: root@10.11.13.19
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.26-log Source distribution
Protocol version: 10
Connection: 10.11.13.19 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: gb2312
Conn. characterset: gb2312
TCP port: 3306
Uptime: 14 min 11 sec
Threads: 2 Questions: 13 Slow queries: 0 Opens: 108 Flush tables: 1 Open tables: 101 Queries per second avg: 0.015
--------------
mysql> show variables like 'have_ssl';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_ssl | DISABLED |
+---------------+----------+
1 row in set (0.01 sec)
mysql> show variables like 'require_secure_transport';
+--------------------------+-------+
| Variable_name | Value |
+--------------------------+-------+
| require_secure_transport | OFF |
+--------------------------+-------+
1 row in set (0.00 sec)
mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+---------------+-----------------+
从上面的查询结果可以看到SSL: Not in use,have_ssl和have_openssl为DISABLED,这说明实际上是没有启用ssl。
这是因为通过执行mysql_ssl_rsa_setup命令产生的pem文件的权限为root用户而不是mysql用户造成的,将这些pem文件的权限修改为mysql用户与组 权限不要太大,只用户权限为rw,组与其它用户需要r权限
[root@localhost mysql]# ls -lrt
30172
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile1
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile2
drwxr-x---. 2 mysql mysql 48 321 16:25 undo
-rw-r-----. 1 mysql mysql 56 321 16:25 auto.cnf
drwxr-x---. 2 mysql mysql 8192 321 16:25 performance_schema
drwxr-x---. 2 mysql mysql 4096 321 16:25 mysql
drwxr-x---. 2 mysql mysql 8192 321 16:25 sys
-rw-r-----. 1 mysql mysql 177 321 16:25 binlog.000001
-rw-r--r--. 1 mysql mysql 1679 321 16:26 ca-key.pem
-rw-r--r--. 1 mysql mysql 1107 321 16:26 ca.pem
-rw-r--r--. 1 root root 1679 321 16:26 server-key.pem
-rw-r--r--. 1 root root 1107 321 16:26 server-cert.pem
-rw-r--r--. 1 root root 1675 321 16:26 client-key.pem
-rw-r--r--. 1 root root 1107 321 16:26 client-cert.pem
-rw-r--r--. 1 root root 1675 321 16:26 private_key.pem
-rw-r--r--. 1 root root 451 321 16:26 public_key.pem
-rw-r-----. 1 mysql mysql 114688 524 17:00 ts2.ibd
-rw-r-----. 1 mysql mysql 98304 524 17:01 ts1.ibd
drwxr-x---. 2 mysql mysql 32 524 17:11 test
-rw-r-----. 1 mysql mysql 9352 621 10:46 binlog.000002
-rw-r-----. 1 mysql mysql 177 621 10:46 binlog.000003
-rw-r-----. 1 mysql mysql 154 9 9 19:55 binlog.000004
-rw-r-----. 1 mysql mysql 177 9 9 20:23 binlog.000005
-rw-r-----. 1 mysql mysql 177 9 9 20:38 binlog.000006
-rw-r-----. 1 mysql mysql 177 9 9 20:44 binlog.000007
-rw-r-----. 1 mysql mysql 122 9 9 20:44 ib_buffer_pool
-rw-r-----. 1 mysql mysql 248 9 9 20:44 binlog.index
-rw-r-----. 1 mysql mysql 154 9 9 20:44 binlog.000008
-rw-r-----. 1 mysql mysql 6 9 9 20:44 mysqld.pid
-rw-r-----. 1 mysql mysql 12582912 9 9 20:44 ibtmp1
-rw-r-----. 1 mysql mysql 10485760 9 9 20:44 ibdata1
-rw-r-----. 1 mysql mysql 104857600 9 9 20:44 ib_logfile0
-rw-r-----. 1 mysql mysql 107011 9 9 20:54 mysql.err
[root@localhost mysql]# chown -R mysql:mysql *.pem
[root@localhost mysql]# ls -lrt
30172
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile1
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile2
drwxr-x---. 2 mysql mysql 48 321 16:25 undo
-rw-r-----. 1 mysql mysql 56 321 16:25 auto.cnf
drwxr-x---. 2 mysql mysql 8192 321 16:25 performance_schema
drwxr-x---. 2 mysql mysql 4096 321 16:25 mysql
drwxr-x---. 2 mysql mysql 8192 321 16:25 sys
-rw-r-----. 1 mysql mysql 177 321 16:25 binlog.000001
-rw-r--r--. 1 mysql mysql 1679 321 16:26 ca-key.pem
-rw-r--r--. 1 mysql mysql 1107 321 16:26 ca.pem
-rw-r--r--. 1 mysql mysql 1679 321 16:26 server-key.pem
-rw-r--r--. 1 mysql mysql 1107 321 16:26 server-cert.pem
-rw-r--r--. 1 mysql mysql 1675 321 16:26 client-key.pem
-rw-r--r--. 1 mysql mysql 1107 321 16:26 client-cert.pem
-rw-r--r--. 1 mysql mysql 1675 321 16:26 private_key.pem
-rw-r--r--. 1 mysql mysql 451 321 16:26 public_key.pem
-rw-r-----. 1 mysql mysql 114688 524 17:00 ts2.ibd
-rw-r-----. 1 mysql mysql 98304 524 17:01 ts1.ibd
drwxr-x---. 2 mysql mysql 32 524 17:11 test
-rw-r-----. 1 mysql mysql 9352 621 10:46 binlog.000002
-rw-r-----. 1 mysql mysql 177 621 10:46 binlog.000003
-rw-r-----. 1 mysql mysql 154 9 9 19:55 binlog.000004
-rw-r-----. 1 mysql mysql 177 9 9 20:23 binlog.000005
-rw-r-----. 1 mysql mysql 177 9 9 20:38 binlog.000006
-rw-r-----. 1 mysql mysql 177 9 9 20:44 binlog.000007
-rw-r-----. 1 mysql mysql 122 9 9 20:44 ib_buffer_pool
-rw-r-----. 1 mysql mysql 248 9 9 20:44 binlog.index
-rw-r-----. 1 mysql mysql 154 9 9 20:44 binlog.000008
-rw-r-----. 1 mysql mysql 6 9 9 20:44 mysqld.pid
-rw-r-----. 1 mysql mysql 12582912 9 9 20:44 ibtmp1
-rw-r-----. 1 mysql mysql 10485760 9 9 20:44 ibdata1
-rw-r-----. 1 mysql mysql 104857600 9 9 20:44 ib_logfile0
-rw-r-----. 1 mysql mysql 107011 9 9 20:54 mysql.err
pem文件权限太多可能会出现如下错误
[mysql@localhost mysql]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
[root@localhost mysql]# service mysqld restart
Shutting down MySQL.. SUCCESS!
Starting MySQL.. SUCCESS!
[mysql@localhost mysql]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.26-log Source distribution
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using EditLine wrapper
Connection id: 4
Current database:
Current user: root@10.11.13.19
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.26-log Source distribution
Protocol version: 10
Connection: 10.11.13.19 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: gb2312
Conn. characterset: gb2312
TCP port: 3306
Uptime: 59 sec
Threads: 2 Questions: 11 Slow queries: 0 Opens: 108 Flush tables: 1 Open tables: 101 Queries per second avg: 0.186
--------------
创建用户限制用户必须用ssl登录
mysql> create user 'jy'@'%' identified by "123";
Query OK, 0 rows affected (0.02 sec)
mysql> grant all on *.* to 'jy'@'%' require ssl;
Query OK, 0 rows affected, 1 warning (0.02 sec)
虽然要求用ssl但是还是可以使用密码登录,是因为mysql.user表中的ssl_type=ANY
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.26-log Source distribution
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using EditLine wrapper
Connection id: 7
Current database:
Current user: jy@10.11.13.19
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.26-log Source distribution
Protocol version: 10
Connection: 10.11.13.19 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: gb2312
Conn. characterset: gb2312
TCP port: 3306
Uptime: 50 min 18 sec
Threads: 2 Questions: 69 Slow queries: 0 Opens: 139 Flush tables: 1 Open tables: 132 Queries per second avg: 0.022
--------------
mysql> select * from user where user='jy'\G
ERROR 1046 (3D000): No database selected
mysql> select * from mysql.user where user='root'\G
*************************** 1. row ***************************
Host: %
User: jy
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Reload_priv: Y
Shutdown_priv: Y
Process_priv: Y
File_priv: Y
Grant_priv: Y
References_priv: Y
Index_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Repl_slave_priv: Y
Repl_client_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_tablespace_priv: Y
ssl_type: ANY
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: mysql_native_password
authentication_string: *1AA476D99C1600C9D984E248FBF2FDE3A0BB256E
password_expired: N
password_last_changed: 2022-03-21 16:27:48
password_lifetime: NULL
account_locked: N
1 row in set (0.00 sec)
修改用户jy的ssl类型为x509
mysql> alter user 'jy'@'%' require x509
-> ;
Query OK, 0 rows affected (0.01 sec)
在不指定ssl密钥时就不能登录了
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'jy'@'10.11.13.19' (using password: YES)
或
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
ERROR 1045 (28000): Access denied for user 'jy'@'10.11.13.19' (using password: YES)
指定ssl密钥进行登录
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.26-log Source distribution
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
如果指定ssl密钥进行登录时不指定密钥完整路径时会出现如下错误
[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [ERROR] SSL error: Unable to get certificate from 'client-cert.pem'
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
- 点赞
- 收藏
- 关注作者
评论(0)