007:MySQL SSL
一. SSL安装
SSL(Secure Socket Layer)是维护Client - Server之间加密通讯的一套安全协议;
--默认ssl未开启
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+----------+
9 rows in set (0.00 sec)
1. 开启SSL (5.7.18)
- 环境说明
- 服务端A:MySQLserver; IP:192.168.48.168;
- 客户端B:MySQLserver; IP:192.168.24.38;
-- 服务端A:MySQLserver; IP:192.168.48.168;
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# bin/mysql_ssl_rsa_setup --datadir=/r2/soft/dbtest/mysql-5.7.18/mysqldata --user=mysql --uid=mysql --使用--uid后,就不需要chown mysql.mysql *.pem
Generating a 2048 bit RSA private key
..+++
......+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
..............................................................+++
...........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
................+++
writing new private key to 'client-key.pem'
-----
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# ll mysqldata/|grep pem
-rw------- 1 mysql mysql 1675 11月 28 10:21 ca-key.pem
-rw-r--r-- 1 mysql mysql 1074 11月 28 10:21 ca.pem
-rw-r--r-- 1 mysql mysql 1078 11月 28 10:21 client-cert.pem #客户端证书文件
-rw------- 1 mysql mysql 1679 11月 28 10:21 client-key.pem #客户端私钥文件
-rw------- 1 mysql mysql 1675 11月 28 10:21 private_key.pem #用于密钥交换的公钥
-rw-r--r-- 1 mysql mysql 451 11月 28 10:21 public_key.pem #用户密钥交换的私钥
-rw-r--r-- 1 mysql mysql 1078 11月 28 10:21 server-cert.pem #服务器端证书文件
-rw------- 1 mysql mysql 1675 11月 28 10:21 server-key.pem #服务器端私钥文件
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# mysqladmin -uroot -piforgot --socket=/r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock shutdown
2017-11-28T02:21:55.829485Z mysqld_safe mysqld from pid file /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysqldb.pid ended
[1]+ 完成 /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf &
[1] 159680
关于几个pem文件的用途说面,见官方文档,并搜索关键字
private/public key-pair
- 开始测试
- 服务端A:MySQLserver; IP:192.168.48.168;
-- 服务端A:MySQLserver; IP:192.168.48.168;
mysql> show variables like "%ssl%";
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | YES | -- 已经支持SSL
| have_ssl | YES |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem | -- 公钥文件
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem | -- 私钥文件
+---------------+-----------------+
9 rows in set (0.00 sec)
mysql> \s -- status
--------------
/r2/soft/dbtest/mysql-5.7.18/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 802
Current database:
Current user: root@localhost
SSL: Not in use --此时本地socket登录,不用SSL
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock
Uptime: 15 min 41 sec
Threads: 1 Questions: 5694 Slow queries: 0 Opens: 3439 Flush tables: 1 Open tables: 729 Queries per second avg: 6.051
--------------
--创建测试账号
mysql> create user 'ssl'@'%' identified by 'ssltest';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'ssl'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for 'ssl'@'%';
+------------------------------------------+
| Grants for ssl@% |
+------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'ssl'@'%' |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> select ssl_type from mysql.user where user='ssl';
+----------+
| ssl_type |
+----------+
| | --看到ssl_还没有配置
+----------+
1 row in set (0.00 sec)
- 客户端B:MySQLserver; IP:192.168.24.38;默认使用ssl登录
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2264
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:06:57 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 2264
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA --已经使用了ssl登录了
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 44 min 55 sec
Threads: 2 Questions: 16275 Slow queries: 0 Opens: 8527 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.038
--------------
- 客户端B:MySQLserver; IP:192.168.24.38;使用skip ssl登录
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2601
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:11:55 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 2601
Current database:
Current user: ssl@192.168.24.38
SSL: Not in use --表示为只用ssl
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 49 min 56 sec
Threads: 2 Questions: 18098 Slow queries: 0 Opens: 9366 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.040
- 强制用户使用ssl登录
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
mysql> alter user 'ssl'@'%' require ssl;
Query OK, 0 rows affected (0.00 sec)
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
ERROR 1045 (28000): Access denied for user 'ssl'@'192.168.24.38' (using password: YES) --禁用了SSL就无法登录了
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3023
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(ssl@192.168.48.168) 11:20:00 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 3023
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 58 min 10 sec
Threads: 2 Questions: 21080 Slow queries: 0 Opens: 10700 Flush tables: 1 Open tables: 1024Queries per second avg: 6.040
--------------
2. 开启证书认证(5.7.18)
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
mysql> create user 'sslcatti'@'%' identified by 'sslcatti';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'sslcatti'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> alter user 'sslcatti'@'%' require x509; -- 启用证书认证
Query OK, 0 rows affected (0.00 sec)
mysql> select ssl_type from mysql.user where user='sslcatti';
+----------+
| ssl_type |
+----------+
| X509 |
+----------+
1 row in set (0.00 sec)
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sslcatti'@'192.168.24.38' (using password: YES)
-- 即使默认开启了ssl,也是无法登录的
- 把pem文件拷贝到客服端B
--
-- 服务端A:MySQLserver; IP:192.168.48.168;
--
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# pwd
/r2/soft/dbtest/mysql-5.7.18/mysqldata
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# scp client-cert.pem client-key.pem root@192.168.24.38:~/
The authenticity of host '192.168.24.38 (192.168.24.38)' can't be established.
ECDSA key fingerprint is 06:c0:78:4d:99:10:db:76:9f:78:92:ac:ab:cb:a7:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.24.38' (ECDSA) to the list of known hosts.
root@192.168.24.38's password:
client-cert.pem 100% 1078 1.1KB/s 00:00
client-key.pem 100% 1679 1.6KB/s 00:00
- 客户端用证书登录
-
- 客户端B:MySQLserver; IP:192.168.24.38;
-
[root@node2 ~]# ll |grep pem
-rw-r--r-- 1 root root 1078 Nov 28 11:34 client-cert.pem
-rw------- 1 root root 1679 Nov 28 11:34 client-key.pem
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti --ssl-cert=./client-cert.pem --ssl-key=./client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3868
Server version: 5.7.18-log MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(sslcatti@192.168.48.168) 11:36:28 [(none)]> \s;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 3868
Current database:
Current user: sslcatti@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA --使用加密方式登录,且通过证书,因为这个用户
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 14 min 31 sec
Threads: 1 Questions: 27036 Slow queries: 0 Opens: 13349 Flush tables: 1 Open tables: 1024Queries per second avg: 6.046
--------------
007:MySQL SSL的更多相关文章
- Mysql 告警 :Establishing SSL connection without server's identity verification is not recommended.
在集成spring与mybatis是,在spring.xml中配置了DataSource配置,数据库连接采用的是mysql的链接字符串: jdbc:mysql://localhost:3306/wor ...
- java运行jdk连接mysql出现了:Establishing SSL connection without server's identity verification is not recommended
注意:出现这类提示也不会影响对数据库的增删改查操作,所以不用紧张.. 在运行练习时出现下面的错误信息提示: Establishing SSL connection without server's i ...
- java链接Mysql出现警告:Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by
Java使用mysql-jdbc连接MySQL出现如下警告: Establishing SSL connection without server's identity verification is ...
- MySQL:MySQL的基本操作
1.数据库登录 格式:mysql -h主机地址 -u用户名 -p用户密码 -P端口 -D数据库 -e “SQL内容” [root@wulaoer ~]# mysql -uroot -p 2.修改密码 ...
- mysql+ssl主从复制
一.作为主服务器Master, 会把自己的每一次改动都记录到 二进制日志 Binarylog 中. (从服务器I/O thread会负责来读取master binary log, 然后写入自身rela ...
- Mysql漂流系列(一):MySQL的执行流程
MySQL的执行流程 MySQL的执行流程: MySQL的执行流程分析: 1.当我们请求mysql服务器的时候,MySQL前端会有一个监听,请求到了之后,服务器得到相关的SQL语句,执行之前(虚线部分 ...
- linux学习之centos(三):mysql数据库的安装和配置
前言:mysql简介 说到数据库,我们大多想到的是关系型数据库,比如mysql.oracle.sqlserver等等,这些数据库软件在windows上安装都非常的方便,在Linux上如果要安装数据库, ...
- zabbix准备:mysql安装
php在编译时需要mysql的配置,这样PHP远程连接mysql才有用.1.创建mysql用户和相关目录(配置文件里设置的目录) groupadd mysql useradd -g mysql -M ...
- MySql(五):MySQL数据库安全管理
一.前言 对于任何一个企业来说,其数据库系统中所保存数据的安全性无疑是非常重要的,尤其是公司的有些商业数据,可能数据就是公司的根本. 失去了数据,可能就失去了一切 本章将针对mysql的安全相关内容进 ...
随机推荐
- jinfo用法说明
以下几种用法 -flags pid :打印当前VM的参数 -flag <name> pid:打印指定JVM的参数值 -flag [+|-]<name> pid:设置指定JVM参 ...
- Deepgreen DB简介(转)
原文链接 Deepgreen DB 全称 Vitesse Deepgreen DB,它是一个可扩展的大规模并行(通常称为MPP)数据仓库解决方案,起源于开源数据仓库项目Greenplum DB(通 ...
- Linux:运行级别,root密码重置,救援模式,安装图形化界面
运行级别,root密码重置,救援模式,安装图形界面 运行级别 1.查看当前系统的运行级别 runlevel 2.认识各个运行级别以及开机自启运行级别 Linux系统运行级别共7个执行 vi /etc/ ...
- React之组件
鉴于个人的开发习惯,我将react默认的文件结构作了如下修改: 我们的项目是写在src目录下的. 那么,接下来,继续看react的组件式如何编写的吧. 一.react的组件 不同于vue的每个组件都是 ...
- python删除list中元素的三种方法
a.pop(index):删除列表a中index处的值,并且返回这个值. del(a[index]):删除列表a中index处的值,无返回值. del中的index可以是切片,所以可以实现批量删除. ...
- [Python] dict字典排序和多条件排序
利用lambda实现排序:要实现多条件排序,只需要依次指定排序的标准,具体实现如下 counter = {'是': 1, '不是': 1, '你': 3} counter_list = sorted( ...
- Linux 大文件的分割与合并
1.分割 -- split命令 可以指定按行数分割和按字节大小分割两种模式. (1) 按行数分割 $ large_file.txt new_file_prefix 加上-d,使用数字后缀:加上--ve ...
- mdev USB disk auto mount demo
/********************************************************************* * mdev USB disk auto mount de ...
- 【剑指offer】栈的压入弹出序列,C++实现(举例)
原创文章,转载请注明出处! 本题牛客网地址 博客文章索引地址 博客文章中代码的github地址 1.题目 输入两个整数序列,第一个序列表示栈的压入顺序,请判断第二个序列是否为第一个序列的出栈序列.注意 ...
- appium python实例脚本1
#coding=utf-8import os, time, unittestfrom appium import webdriver PATH = lambda p:os.path.abspath(o ...