007:MySQL SSL
一. SSL安装
SSL(Secure Socket Layer)是维护Client - Server之间加密通讯的一套安全协议;
--默认ssl未开启
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+----------+
9 rows in set (0.00 sec)
1. 开启SSL (5.7.18)
- 环境说明
- 服务端A:MySQLserver; IP:192.168.48.168;
- 客户端B:MySQLserver; IP:192.168.24.38;
-- 服务端A:MySQLserver; IP:192.168.48.168;
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# bin/mysql_ssl_rsa_setup --datadir=/r2/soft/dbtest/mysql-5.7.18/mysqldata --user=mysql --uid=mysql --使用--uid后,就不需要chown mysql.mysql *.pem
Generating a 2048 bit RSA private key
..+++
......+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
..............................................................+++
...........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
................+++
writing new private key to 'client-key.pem'
-----
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# ll mysqldata/|grep pem
-rw------- 1 mysql mysql 1675 11月 28 10:21 ca-key.pem
-rw-r--r-- 1 mysql mysql 1074 11月 28 10:21 ca.pem
-rw-r--r-- 1 mysql mysql 1078 11月 28 10:21 client-cert.pem #客户端证书文件
-rw------- 1 mysql mysql 1679 11月 28 10:21 client-key.pem #客户端私钥文件
-rw------- 1 mysql mysql 1675 11月 28 10:21 private_key.pem #用于密钥交换的公钥
-rw-r--r-- 1 mysql mysql 451 11月 28 10:21 public_key.pem #用户密钥交换的私钥
-rw-r--r-- 1 mysql mysql 1078 11月 28 10:21 server-cert.pem #服务器端证书文件
-rw------- 1 mysql mysql 1675 11月 28 10:21 server-key.pem #服务器端私钥文件
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# mysqladmin -uroot -piforgot --socket=/r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock shutdown
2017-11-28T02:21:55.829485Z mysqld_safe mysqld from pid file /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysqldb.pid ended
[1]+ 完成 /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf &
[1] 159680
关于几个pem文件的用途说面,见官方文档,并搜索关键字
private/public key-pair
- 开始测试
- 服务端A:MySQLserver; IP:192.168.48.168;
-- 服务端A:MySQLserver; IP:192.168.48.168;
mysql> show variables like "%ssl%";
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | YES | -- 已经支持SSL
| have_ssl | YES |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem | -- 公钥文件
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem | -- 私钥文件
+---------------+-----------------+
9 rows in set (0.00 sec)
mysql> \s -- status
--------------
/r2/soft/dbtest/mysql-5.7.18/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 802
Current database:
Current user: root@localhost
SSL: Not in use --此时本地socket登录,不用SSL
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock
Uptime: 15 min 41 sec
Threads: 1 Questions: 5694 Slow queries: 0 Opens: 3439 Flush tables: 1 Open tables: 729 Queries per second avg: 6.051
--------------
--创建测试账号
mysql> create user 'ssl'@'%' identified by 'ssltest';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'ssl'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for 'ssl'@'%';
+------------------------------------------+
| Grants for ssl@% |
+------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'ssl'@'%' |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> select ssl_type from mysql.user where user='ssl';
+----------+
| ssl_type |
+----------+
| | --看到ssl_还没有配置
+----------+
1 row in set (0.00 sec)
- 客户端B:MySQLserver; IP:192.168.24.38;默认使用ssl登录
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2264
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:06:57 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 2264
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA --已经使用了ssl登录了
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 44 min 55 sec
Threads: 2 Questions: 16275 Slow queries: 0 Opens: 8527 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.038
--------------
- 客户端B:MySQLserver; IP:192.168.24.38;使用skip ssl登录
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2601
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:11:55 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 2601
Current database:
Current user: ssl@192.168.24.38
SSL: Not in use --表示为只用ssl
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 49 min 56 sec
Threads: 2 Questions: 18098 Slow queries: 0 Opens: 9366 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.040
- 强制用户使用ssl登录
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
mysql> alter user 'ssl'@'%' require ssl;
Query OK, 0 rows affected (0.00 sec)
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
ERROR 1045 (28000): Access denied for user 'ssl'@'192.168.24.38' (using password: YES) --禁用了SSL就无法登录了
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3023
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:20:00 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 3023
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 58 min 10 sec
Threads: 2 Questions: 21080 Slow queries: 0 Opens: 10700 Flush tables: 1 Open tables: 1024Queries per second avg: 6.040
--------------
2. 开启证书认证(5.7.18)
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
mysql> create user 'sslcatti'@'%' identified by 'sslcatti';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'sslcatti'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> alter user 'sslcatti'@'%' require x509; -- 启用证书认证
Query OK, 0 rows affected (0.00 sec)
mysql> select ssl_type from mysql.user where user='sslcatti';
+----------+
| ssl_type |
+----------+
| X509 |
+----------+
1 row in set (0.00 sec)
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sslcatti'@'192.168.24.38' (using password: YES)
-- 即使默认开启了ssl,也是无法登录的
- 把pem文件拷贝到客服端B
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# pwd
/r2/soft/dbtest/mysql-5.7.18/mysqldata
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# scp client-cert.pem client-key.pem root@192.168.24.38:~/
The authenticity of host '192.168.24.38 (192.168.24.38)' can't be established.
ECDSA key fingerprint is 06:c0:78:4d:99:10:db:76:9f:78:92:ac:ab:cb:a7:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.24.38' (ECDSA) to the list of known hosts.
root@192.168.24.38's password:
client-cert.pem 100% 1078 1.1KB/s 00:00
client-key.pem 100% 1679 1.6KB/s 00:00
- 客户端用证书登录
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# ll |grep pem
-rw-r--r-- 1 root root 1078 Nov 28 11:34 client-cert.pem
-rw------- 1 root root 1679 Nov 28 11:34 client-key.pem
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti --ssl-cert=./client-cert.pem --ssl-key=./client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3868
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(sslcatti@192.168.48.168) 11:36:28 [(none)]> \s;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 3868
Current database:
Current user: sslcatti@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA --使用加密方式登录,且通过证书,因为这个用户
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 14 min 31 sec
Threads: 1 Questions: 27036 Slow queries: 0 Opens: 13349 Flush tables: 1 Open tables: 1024Queries per second avg: 6.046
--------------
007:MySQL SSL的更多相关文章
- Mysql 告警 :Establishing SSL connection without server's identity verification is not recommended.
在集成spring与mybatis是,在spring.xml中配置了DataSource配置,数据库连接采用的是mysql的链接字符串: jdbc:mysql://localhost:3306/wor ...
- java运行jdk连接mysql出现了:Establishing SSL connection without server's identity verification is not recommended
注意:出现这类提示也不会影响对数据库的增删改查操作,所以不用紧张.. 在运行练习时出现下面的错误信息提示: Establishing SSL connection without server's i ...
- java链接Mysql出现警告:Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by
Java使用mysql-jdbc连接MySQL出现如下警告: Establishing SSL connection without server's identity verification is ...
- MySQL:MySQL的基本操作
1.数据库登录 格式:mysql -h主机地址 -u用户名 -p用户密码 -P端口 -D数据库 -e “SQL内容” [root@wulaoer ~]# mysql -uroot -p 2.修改密码 ...
- mysql+ssl主从复制
一.作为主服务器Master, 会把自己的每一次改动都记录到 二进制日志 Binarylog 中. (从服务器I/O thread会负责来读取master binary log, 然后写入自身rela ...
- Mysql漂流系列(一):MySQL的执行流程
MySQL的执行流程 MySQL的执行流程: MySQL的执行流程分析: 1.当我们请求mysql服务器的时候,MySQL前端会有一个监听,请求到了之后,服务器得到相关的SQL语句,执行之前(虚线部分 ...
- linux学习之centos(三):mysql数据库的安装和配置
前言:mysql简介 说到数据库,我们大多想到的是关系型数据库,比如mysql.oracle.sqlserver等等,这些数据库软件在windows上安装都非常的方便,在Linux上如果要安装数据库, ...
- zabbix准备:mysql安装
php在编译时需要mysql的配置,这样PHP远程连接mysql才有用.1.创建mysql用户和相关目录(配置文件里设置的目录) groupadd mysql useradd -g mysql -M ...
- MySql(五):MySQL数据库安全管理
一.前言 对于任何一个企业来说,其数据库系统中所保存数据的安全性无疑是非常重要的,尤其是公司的有些商业数据,可能数据就是公司的根本. 失去了数据,可能就失去了一切 本章将针对mysql的安全相关内容进 ...
随机推荐
- 生产者与消费者的Java实现
首先创建maven工程,需要引入的包: <dependencies> <dependency> <groupId>org.apache.kafka</grou ...
- js中top、self、parent
1.在应用iframe或者frameset的时候 parent指的是父窗口.top指的是顶级的窗口.self指的是当前的窗口-window window.self 功能:是对当前窗口自身的引用.它和w ...
- 解决 src/MD2.c:31:20: fatal error: Python.h: No such file or directory安装包错误
在linux命令行安装包时报错 src/MD2.c:31:20: fatal error: Python.h: No such file or directory 原因:缺少了python的dev 解 ...
- Android Studio真机测试失败-----''No target device found" (转)
参考文章: https://blog.csdn.net/chang_sir/article/details/51755572 今天想用真机测试一个程序,却报出这样一个Error"No tar ...
- 关于鼠标不敏感导致自以为ubuntu很怪的问题
你要相信自己拥有的确实是一个垃圾鼠标,而不要以为复制和粘贴有感觉控制不住.
- Django model.py表单设置默认值允许为空
blank=True 默认值为blank=Flase,表示默认不允许为空, blank=True admin级别可以为空 null=True 默认值为null=Flase,表示默认不允许为空 nu ...
- 小程序开发之改变data中数组或对象的某一属性值
前言:在小程序的开发中,我们在view中便利data中数组或对象时,很多情况下需要在js中动态改变数组或者对象中某一香的属性值. 效果图: 我给大家总结了案例如下: wxml如下: <scr ...
- 今天在win7下安装Fedora22
<h4>技嘉主板970如何设置BIOS从U盘启动安装系统</h4>1.电脑开机按“Del”键进入主板设置项,选择“BIOS”设置 <a href="http:/ ...
- Android上玩玩Hook:Cydia Substrate实战
作者简介:周圣韬,百度高级Android开发工程师,博客地址:http://blog.csdn.net/yzzst 了解Hook 还没有接触过Hook技术读者一定会对Hook一词感觉到特别的陌生,Ho ...
- Java并发--线程间协作的两种方式:wait、notify、notifyAll和Condition
在前面我们将了很多关于同步的问题,然而在现实中,需要线程之间的协作.比如说最经典的生产者-消费者模型:当队列满时,生产者需要等待队列有空间才能继续往里面放入商品,而在等待的期间内,生产者必须释放对临界 ...