45 rows in set (0.00 sec)
2.2 Configure MySQL SSL
2.2.1 Make sure SSL support is installed locally
In hd0[1-2]
Check which SSL library MySQL was built against:
mysql -uroot -p
show status like 'rsa_public_key';
The following is returned:
Empty set (0.00 sec)
The empty result indicates that the official build is based on yaSSL. If the build is based on OpenSSL instead, check the OpenSSL version with the following command:
openssl version
2.2.2 Generate the required certificates
In hd01
mysql_ssl_rsa_setup
ls -l /var/lib/mysql/*.pem
The following certificates are created (note that every key file is mode 0600, owned by mysql):
-rw------- 1 mysql mysql 1679 Apr 22 10:38 /var/lib/mysql/ca-key.pem
-rw-r--r-- 1 mysql mysql 1074 Apr 22 10:38 /var/lib/mysql/ca.pem
-rw-r--r-- 1 mysql mysql 1078 Apr 22 10:38 /var/lib/mysql/client-cert.pem
-rw------- 1 mysql mysql 1679 Apr 22 10:38 /var/lib/mysql/client-key.pem
-rw------- 1 mysql mysql 1675 Apr 22 10:38 /var/lib/mysql/private_key.pem
-rw-r--r-- 1 mysql mysql 451 Apr 22 10:38 /var/lib/mysql/public_key.pem
-rw-r--r-- 1 mysql mysql 1078 Apr 22 10:38 /var/lib/mysql/server-cert.pem
-rw------- 1 mysql mysql 1679 Apr 22 10:38 /var/lib/mysql/server-key.pem
2.2.3 Enable SSL in the MySQL configuration file
In hd01
vim /etc/my.cnf
Add the following configuration:
[mysqld]
ssl-ca = /var/lib/mysql/ca.pem
ssl-cert = /var/lib/mysql/server-cert.pem
ssl-key = /var/lib/mysql/server-key.pem
Restart the service:
systemctl restart mysqld
2.2.4 Confirm that SSL is enabled
In hd01
mysql -uroot -p
show global variables like 'have_%ssl';
The output is as follows:
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
2 rows in set (0.00 sec)
2.2.5 Check the TLS protocol versions the server accepts
In hd01
mysql -uroot -p
show global variables like 'tls_version';
The output is as follows:
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.00 sec)
2.2.6 Configure SSL users
In hd01
mysql -uroot -p
grant all privileges on *.* to scm@'hd01.cmdschool.org' identified by 'scm' require none;
grant all privileges on *.* to scm@'hd02.cmdschool.org' identified by 'scm' require ssl;
flush privileges;
Check whether the accounts are required to use SSL:
select user,host,ssl_type from mysql.user where user='scm';
The output is as follows:
+------+--------------------+----------+
| user | host | ssl_type |
+------+--------------------+----------+
| scm | hd01.cmdschool.org | |
| scm | hd02.cmdschool.org | ANY |
+------+--------------------+----------+
2 rows in set (0.00 sec)
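The tls_version result in 2.2.5 and the ssl_type column above are the two things worth auditing once SSL is on. The Python below is an added example (not from the original post) that reads constructed copies of those two result sets and derives the remediation: a tls_version line for my.cnf where a strong protocol is available, and ALTER USER ... REQUIRE SSL (MySQL 5.7 syntax) for every account whose ssl_type is still empty. It touches no live server; the sample rows mirror the page's output.

```python
# Added audit example, not part of the original post. Input rows are constructed
# to mirror the page's "tls_version" and "select user,host,ssl_type" output.

# Protocol versions regarded as weak; only TLSv1.2 (and later) should remain.
WEAK_TLS = {"TLSv1", "TLSv1.1"}

def _split(tls_version):
    return [v.strip() for v in tls_version.split(",") if v.strip()]

def weak_protocols(tls_version):
    """Weak protocol versions the server still offers, in server order."""
    return [v for v in _split(tls_version) if v in WEAK_TLS]

def strong_tls_line(tls_version):
    """my.cnf [mysqld] line restricting the server to non-weak protocols, or None.

    None means the build offers no strong protocol at all: a yaSSL-linked 5.7
    build only knows TLSv1/TLSv1.1, so the fix there is an OpenSSL-linked build,
    not a configuration change. On 5.7, changing tls_version needs a restart.
    """
    keep = [v for v in _split(tls_version) if v not in WEAK_TLS]
    return ("tls_version = " + ",".join(keep)) if keep else None

def accounts_without_ssl(rows):
    """(user, host) pairs whose ssl_type is empty, i.e. no REQUIRE clause at all."""
    return [(user, host) for user, host, ssl_type in rows if ssl_type == ""]

def require_ssl_statements(rows):
    """ALTER USER ... REQUIRE SSL (MySQL 5.7 syntax) for each unprotected account.

    user/host come from mysql.user, not from untrusted input, so plain quoting
    is acceptable here.
    """
    return ["ALTER USER '%s'@'%s' REQUIRE SSL;" % (u, h)
            for u, h in accounts_without_ssl(rows)]

# Constructed samples mirroring the page's output.
SAMPLE_TLS_VERSION = "TLSv1,TLSv1.1"
SAMPLE_USERS = [
    ("scm", "hd01.cmdschool.org", ""),
    ("scm", "hd02.cmdschool.org", "ANY"),
]

if __name__ == "__main__":
    print("weak protocols offered:", weak_protocols(SAMPLE_TLS_VERSION))
    print("my.cnf hardening:", strong_tls_line(SAMPLE_TLS_VERSION))
    for stmt in require_ssl_statements(SAMPLE_USERS):
        print(stmt)
```

For the page's own server the my.cnf hardening comes back as None, because a yaSSL build has no TLSv1.2 to fall back on.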
Note: the account scm@hd01.cmdschool.org is not required to connect over SSL, while scm@hd02.cmdschool.org is required to use SSL and cannot log in without it.
2.2.7 Login tests
1) Connect using SSL
In hd02
mysql -uscm -hhd01.cmdschool.org -p
2) Connect with SSL disabled
In hd01
mysql -uscm -hhd01.cmdschool.org -p --ssl-mode=disable
3) Log in with a client certificate (optional; SSL login works without it)
In hd01
mysql --ssl-ca=/var/lib/mysql/ca.pem \
--ssl-cert=/var/lib/mysql/client-cert.pem \
--ssl-key=/var/lib/mysql/client-key.pem \
-uscm -p -hhd01.cmdschool.org
4) Specify the client certificate in a configuration file (optional; SSL login works without it)
In hd01
vim ~/.my.cnf
Enter the following configuration:
[client]
ssl-ca = /var/lib/mysql/ca.pem
ssl-cert = /var/lib/mysql/client-cert.pem
ssl-key = /var/lib/mysql/client-key.pem
2.2.8 Check SSL status from the client
1) Check the status output
In hd02
status
The output is as follows:
--------------
mysql Ver 14.14 Distrib 5.7.18, for Linux (x86_64) using EditLine wrapper
Connection id: 8
Current database:
Current user: scm@HD02.cmdschool.org
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: hd01.cmdschool.org via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 12 min 51 sec
Threads: 6 Questions: 1446 Slow queries: 0 Opens: 156 Flush tables: 1 Open tables: 149 Queries per second avg: 1.875
--------------
Note: on an SSL connection the line "SSL: Cipher in use is DHE-RSA-AES256-SHA" appears.
2) Check the SSL version
In hd02
show session status like 'ssl_version';
The output is as follows:
+---------------+---------+
| Variable_name | Value |
+---------------+---------+
| Ssl_version | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)
3) Check the cipher in use
In hd02
show session status like 'ssl_cipher';
The output is as follows:
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.01 sec)
4) Check the supported ciphers
In hd02
show session status like 'ssl_cipher_list';
The output is as follows:
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name | Value |
1 row in set (0.00 sec)
3 Appendix
3.1 JDBC connection handling
3.1.1 Error message
JAVA_HOME=/usr/java/jdk1.8.0_121
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
Sat Apr 22 19:09:20 CST 2017 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
3.1.2 Fix on the JDBC client side
Add useSSL=true or useSSL=false to the connection string (URL):
url=jdbc:mysql://127.0.0.1:3306/framework?characterEncoding=utf8&useSSL=true
Note: I compiled this article hoping to resolve the above warning on the MySQL server side; if any reader has a solution, I would be very grateful.
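The warning in 3.1.1 names the exact condition Connector/J 5.1 objects to: TLS is attempted, but with verifyServerCertificate=false the server's certificate is never checked, so useSSL=true on its own is not enough. The Python below is an added example (not from the original post) that classifies a jdbc:mysql:// URL by that rule and rewrites it to verify the server against a truststore; the truststore path and password are placeholders, and the truststore is assumed to hold ca.pem from 2.2.2 (imported with keytool).

```python
# Added example, not from the original post. Classifies and hardens the TLS
# settings of a Connector/J 5.1 URL following the rule in the 3.1.1 warning.
from urllib.parse import urlsplit, parse_qs

def jdbc_params(url):
    """Query parameters of a jdbc:mysql:// URL as a flat dict (last value wins)."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql:// URL")
    # Drop the "jdbc:" prefix so urlsplit sees an ordinary scheme://host/db?query URL.
    query = urlsplit(url[len("jdbc:"):]).query
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

def tls_posture(url):
    """'plaintext', 'tls_unverified' (the page's warning case) or 'tls_verified'.

    Per the warning, Connector/J turns TLS on by default when useSSL is absent
    but sets verifyServerCertificate=false, so the server identity is not
    checked. The JVM's default truststore does not contain the self-signed CA
    that mysql_ssl_rsa_setup creates, so verification also needs an explicit
    truststore holding ca.pem.
    """
    p = jdbc_params(url)
    if p.get("useSSL", "").lower() == "false":
        return "plaintext"
    verified = (p.get("verifyServerCertificate", "").lower() == "true"
                and "trustCertificateKeyStoreUrl" in p)
    return "tls_verified" if verified else "tls_unverified"

def hardened_url(url, truststore_url, truststore_password):
    """Rewrite the URL so TLS is required and the server certificate is verified.

    truststore_url is a java.net.URL string such as file:/path/truststore.jks;
    values are joined as-is rather than percent-encoded, a file: URL needs none.
    """
    base = url.partition("?")[0]
    p = jdbc_params(url)
    p.update({
        "useSSL": "true",
        "requireSSL": "true",              # refuse to fall back to plaintext
        "verifyServerCertificate": "true",
        "trustCertificateKeyStoreUrl": truststore_url,
        "trustCertificateKeyStorePassword": truststore_password,
    })
    return base + "?" + "&".join("%s=%s" % kv for kv in p.items())

if __name__ == "__main__":
    page_url = "jdbc:mysql://127.0.0.1:3306/framework?characterEncoding=utf8&useSSL=true"
    print(tls_posture(page_url))   # tls_unverified, exactly what the warning reports
    fixed = hardened_url(page_url, "file:/path/to/truststore.jks", "PLACEHOLDER")
    print(fixed, tls_posture(fixed))
```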