Enabling and configuring SSL on MySQL 5.7

[root@mysqlmaster01 bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysqlnode

Generating a 2048 bit RSA private key
............................................................................+++
............+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.......................+++
..........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
...........+++
..........+++
writing new private key to 'client-key.pem'
-----

Check in MySQL:

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | DISABLED        |
| have_ssl      | DISABLED        |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.01 sec)

(SSL is still not enabled.)

Fix: change the owner and group of the .pem files in the data directory to the MySQL server user.

[root@mysqlmaster01 mysql_data1]# chown -R mysql.mysql *.pem

Then restart the service:

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi stop 1
[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi start 1
[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi report
Reporting MySQL servers
MySQL server from group: mysqld1 is running

[root@mysqlmaster01 mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+

(This shows SSL is now enabled.)

[root@mysqlmaster01 mysql_data1]# ll *.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem
-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem
-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

How to connect over SSL:

[root@mysqlmaster01 mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

(By default, when the grant carries no restriction, the user can log in either with the client certificate and key or with just a username and password.)

Restrict the user's grant so it can only log in over SSL:

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;
Query OK, 0 rows affected, 1 warning (0.00 sec)

Test:

[root@mysqlmaster01 ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25
Current database:
Current user: tom@10.2.11.226
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.20-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 10.2.11.226 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 34 min 11 sec

Threads: 2  Questions: 56  Slow queries: 0  Opens: 124  Flush tables: 1  Open tables: 117  Queries per second avg: 0.009
--------------

If the user must present a client certificate as well as use SSL, how is that set up?

mysql> alter user 'tom'@'10.2.11.%' require x509;
Query OK, 0 rows affected (0.01 sec)

Or create a new user that requires SSL plus a client certificate:

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Test login:

[root@mysqlmaster01 mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)
(Login with --ssl alone is refused.)

Enabling and configuring SSL on MySQL 5.6

1. Server-side configuration for encrypted connections

[mysqld]
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem

Notes:

ssl-ca: path name of the Certificate Authority (CA) certificate file
ssl-cert: path name of the server public key certificate file. It can be sent to the client and authenticated against the CA certificate.
ssl-key: path name of the server private key file

2. Using SSL on the client

Example:

mysql --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

Generating SSL certificates with openssl

[root@mysqlmaster01 CA]# touch index.txt
[root@mysqlmaster01 CA]# echo 01>serial

Create the CA certificate:

[root@server mysql56]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................................+++
......................................................................................................................+++
e is 65537 (0x10001)
[root@server mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[root@server mysql56]# ll *.pem
-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem
-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

Create the server certificate:

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
......................................................+++
.........................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:server.test.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server mysql56]# openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
[root@server mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com
Getting CA Private Key

Create the client certificate:

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
.+++
...............................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:client.test.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server mysql56]# openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
[root@server mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com
Getting CA Private Key

Check:

[root@mysqlmaster01 mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK

Notes:
ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)
server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.
client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

[root@mysqlmaster01 mysql56]# chown -R mysql.mysql *.pem (change the owner and group)

Edit my.cnf and add the following under [mysqld]:

ssl-ca=/data/mysql56/ca.pem
ssl-cert=/data/mysql56/server-cert.pem
ssl-key=/data/mysql56/server-key.pem

Grant the test user login over SSL with a client certificate:

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)
(Logging in with the password alone fails.)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
mysql: [ERROR] mysql: unknown option '-l'
[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

(To log in to this database over SSL from another machine, copy ca.pem, client-cert.pem and client-key.pem to that machine and configure the database client tool there to use SSL.)

Setting up SSL on MySQL 5.6 (from another article)

Unlike 5.7, which generates the keys automatically with mysql_ssl_rsa_setup, 5.6 needs the keys generated with openssl commands.

Create a certs directory to hold the keys.

I put it under datadir:

mkdir certs && cd certs

First generate the required keys.

CA

Main commands:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

Tip: the CA's Country Name must differ from the server/client Country Name; otherwise the Verify step fails with an error like: error 18 at 0 depth lookup:self signed certificate

[[email protected] certs]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
......................................................+++
........+++
e is 65537 (0x10001)
[[email protected] certs]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:WDT
Organizational Unit Name (eg, section) []:wdt
Common Name (eg, your name or your server's hostname) []:fxr
Email Address []:test
[[email protected] certs]# ll
total 8
-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem
-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

server

Main commands:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
# after this succeeds the directory holds 4 files
[[email protected] certs]# ll
total 16
-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem
-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem
-rw-r--r-- 1 root root 1704 Feb 27 10:49 server-key.pem
-rw-r--r-- 1 root root 1050 Feb 27 10:49 server-req.pem
[[email protected] certs]# openssl rsa -in server-key.pem -out server-key.pem
[[email protected] certs]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# this prints a signing success message, and the directory gains a `server-cert.pem` file

Client

Main commands:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
# on success, two more files appear: `client-key.pem` and `client-req.pem`
[[email protected] certs]# openssl rsa -in client-key.pem -out client-key.pem
[[email protected] certs]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
# on success, one more file appears: `client-cert.pem`

Verify

Main command:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

[[email protected] certs]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
`server-cert.pem` and `client-cert.pem` both report OK
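An added example, not from the original post or either 5.6 walkthrough: the CA, server and client certificate steps of the two 5.6 sections above, scripted non-interactively with -subj, then verified as in the Check/Verify step and the private keys locked down. Assumed: the openssl CLI is installed; the target directory and the subject values (C=CN/ST=shanghai/O=als/OU=ops and the *.test.com names, reused from the first walkthrough) are hypothetical. Unlike the second walkthrough's commands, the client certificate gets its own serial number, as in the first.

```shell
#!/bin/sh
# Added example, not from the original post: the CA / server / client steps
# of the 5.6 walkthroughs, run non-interactively with -subj so they can be
# scripted, then verified and locked down. Needs the openssl CLI. The target
# directory and the subject values are hypothetical.

# Create ca.pem, server-cert.pem, client-cert.pem and their keys in $1.
make_mysql_certs() {
  dir="$1"
  mkdir -p "$dir" || return 1
  # The CA subject differs from the leaf subjects (its CN, as in the first
  # walkthrough); if subject and issuer were identical, "openssl verify"
  # would treat the leaf as self-signed (the error 18 mentioned above).
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -x509 -nodes -days 3600 -key "$dir/ca-key.pem" \
    -subj "/C=CN/ST=shanghai/O=als/OU=ops/CN=ca.test.com" \
    -out "$dir/ca.pem" 2>/dev/null || return 1
  serial=1
  for role in server client; do
    # CSR plus key, strip the key to plain RSA form, sign the CSR with the CA.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$role-key.pem" \
      -subj "/C=CN/ST=shanghai/O=als/OU=ops/CN=$role.test.com" \
      -out "$dir/$role-req.pem" 2>/dev/null || return 1
    openssl rsa -in "$dir/$role-key.pem" -out "$dir/$role-key.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/$role-req.pem" -days 3600 -CA "$dir/ca.pem" \
      -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
      -out "$dir/$role-cert.pem" 2>/dev/null || return 1
    # One CA must not issue two certificates with the same serial number.
    serial=$((serial + 1))
  done
  # Private keys readable only by their owner (chown them to the mysqld
  # user afterwards, as the post does with chown -R mysql.mysql *.pem).
  chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
}

# The Check / Verify step: prints "ok" when both leaf certs chain to ca.pem.
verify_mysql_certs() {
  dir="$1"
  if openssl verify -CAfile "$dir/ca.pem" \
       "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Mode string as ls shows it (e.g. -rw-------), to spot a world-readable key.
key_mode() {
  ls -l "$1" | cut -c1-10
}

if [ "$#" -ge 1 ]; then
  make_mysql_certs "$1" && verify_mysql_certs "$1"
fi
```

Run it as `sh make-certs.sh /path/to/certs`; the path then goes into the ssl-ca / ssl-cert / ssl-key lines of my.cnf as described next.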

Configure my.cnf (replace xxx with the full path to the file)

[mysqld]
ssl-ca=xxx/ca.pem
ssl-cert=xxx/server-cert.pem
ssl-key=xxx/server-key.pem

[client]
ssl-ca=xxx/ca.pem
ssl-cert=xxx/client-cert.pem
ssl-key=xxx/client-key.pem

Then create a user and require it to connect over SSL:

mysql> CREATE USER 'ssluser'@'%' identified by '123';
mysql> GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' require ssl;
mysql> FLUSH PRIVILEGES;

Restart the mysql service, then connect with:

[[email protected] certs]# mysql -ussluser -p --ssl-ca=/data/mysql/data/certs/ca.pem --ssl-cert=/data/mysql/data/certs/client-cert.pem --ssl-key=/data/mysql/data/certs/client-key.pem

After entering mysql, run SHOW STATUS LIKE 'Ssl_cipher';

+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

Along the way, a mistyped path after --ssl-ca caused the error: SSL connection error: SSL_CTX_set_default_verify_paths failed
