I. Setting up SSL

SSL (Secure Sockets Layer) is the protocol family that encrypts Client - Server traffic; what a MySQL 5.7 server actually negotiates under this name is TLS, but the server variables and client options keep the historical "ssl" naming.

-- ssl is not enabled by default
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | |
+---------------+----------+
9 rows in set (0.00 sec)

1. Enabling SSL (5.7.18)

  • Environment

    • Server A: MySQL server; IP: 192.168.48.168;
    • Client B: MySQL server (only its mysql client is used below); IP: 192.168.24.38;

-- Server A: MySQL server; IP: 192.168.48.168;

[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# bin/mysql_ssl_rsa_setup --datadir=/r2/soft/dbtest/mysql-5.7.18/mysqldata --user=mysql --uid=mysql     -- with --uid the generated .pem files are already owned by mysql, so no chown mysql.mysql *.pem is needed
Generating a 2048 bit RSA private key
..+++
......+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
..............................................................+++
...........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
................+++
writing new private key to 'client-key.pem'
-----
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# ll mysqldata/|grep pem
-rw------- 1 mysql mysql 1675 Nov 28 10:21 ca-key.pem      # CA private key
-rw-r--r-- 1 mysql mysql 1074 Nov 28 10:21 ca.pem          # self-signed CA certificate
-rw-r--r-- 1 mysql mysql 1078 Nov 28 10:21 client-cert.pem # client certificate
-rw------- 1 mysql mysql 1679 Nov 28 10:21 client-key.pem  # client private key
-rw------- 1 mysql mysql 1675 Nov 28 10:21 private_key.pem # private half of the RSA key pair used for password exchange (sha256_password over unencrypted connections)
-rw-r--r-- 1 mysql mysql 451 Nov 28 10:21 public_key.pem   # public half of that key pair
-rw-r--r-- 1 mysql mysql 1078 Nov 28 10:21 server-cert.pem # server certificate
-rw------- 1 mysql mysql 1675 Nov 28 10:21 server-key.pem  # server private key
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# mysqladmin -uroot -piforgot --socket=/r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock shutdown
2017-11-28T02:21:55.829485Z mysqld_safe mysqld from pid file /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysqldb.pid ended
[1]+ Done /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf &
[1] 159680

For what each of the pem files is used for, see the official documentation and search for the phrase private/public key-pair. Note that the CA created by mysql_ssl_rsa_setup is self-signed, so a client can only verify the server's identity if it is handed ca.pem (--ssl-ca together with --ssl-mode=VERIFY_CA); none of the client logins below do that, they only get an encrypted channel.
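The listing above is the state you want after mysql_ssl_rsa_setup: every private key 0600, certificates and the public key 0644, all owned by mysql. The following script is an added example (not code from the original post or from MySQL) that audits a datadir for exactly that and fixes the key modes; it builds a constructed sample directory with placeholder PEM bodies in a temp dir, with client-key.pem deliberately left world-readable, so it runs anywhere. It checks mode bits only; ownership is what --uid takes care of.

```python
import os
import stat
import tempfile

# File names mysql_ssl_rsa_setup creates in the datadir (see the listing above).
PRIVATE_KEYS = ("ca-key.pem", "server-key.pem", "client-key.pem", "private_key.pem")
PUBLIC_FILES = ("ca.pem", "server-cert.pem", "client-cert.pem", "public_key.pem")

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO     # any g/o bit set
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH   # g/o write bits


def audit_pem_dir(datadir):
    """Return sorted findings; an empty list means the directory matches the
    expected layout: private keys 0600, public files not group/other writable."""
    findings = []
    for name in PRIVATE_KEYS + PUBLIC_FILES:
        path = os.path.join(datadir, name)
        if not os.path.isfile(path):
            findings.append("%s: missing" % name)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name in PRIVATE_KEYS and mode & GROUP_OTHER_ANY:
            findings.append("%s: private key accessible to group/other (mode %04o)" % (name, mode))
        elif mode & GROUP_OTHER_WRITE:
            findings.append("%s: writable by group/other (mode %04o)" % (name, mode))
    return sorted(findings)


def fix_private_keys(datadir):
    """chmod 0600 every private key that exists; returns the names touched."""
    fixed = []
    for name in PRIVATE_KEYS:
        path = os.path.join(datadir, name)
        if os.path.isfile(path):
            os.chmod(path, 0o600)
            fixed.append(name)
    return fixed


def make_sample_dir():
    """Constructed datadir in a temp dir: the page's file layout with
    placeholder PEM bodies, except client-key.pem is left world-readable."""
    d = tempfile.mkdtemp(prefix="mysql-ssl-audit-")
    for name in PRIVATE_KEYS + PUBLIC_FILES:
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")   # not a real key or cert
        os.chmod(path, 0o600 if name in PRIVATE_KEYS else 0o644)
    os.chmod(os.path.join(d, "client-key.pem"), 0o644)  # the deliberate mistake
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for finding in audit_pem_dir(sample):
        print("FINDING:", finding)
    print("fixed:", fix_private_keys(sample))
    print("after fix:", audit_pem_dir(sample) or "clean")
```

Point it at a real datadir with `audit_pem_dir("/r2/soft/dbtest/mysql-5.7.18/mysqldata")`; run it as root or as mysql so that the stat calls succeed.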

  • Testing
  • Server A: MySQL server; IP: 192.168.48.168;

-- Server A: MySQL server; IP: 192.168.48.168;
mysql> show variables like "%ssl%";
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | YES | -- SSL is now supported: on restart the server picked up ca.pem, server-cert.pem and server-key.pem from the datadir on its own, no my.cnf change was needed
| have_ssl | YES |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem | -- server certificate (carries the public key)
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem | -- server private key
+---------------+-----------------+
9 rows in set (0.00 sec)
mysql> \s -- status
--------------
/r2/soft/dbtest/mysql-5.7.18/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper

Connection id: 802
Current database:
Current user: root@localhost
SSL: Not in use -- this is a local login over the UNIX socket, which does not use SSL
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock
Uptime: 15 min 41 sec Threads: 1 Questions: 5694 Slow queries: 0 Opens: 3439 Flush tables: 1 Open tables: 729 Queries per second avg: 6.051
--------------

-- create a test account
mysql> create user 'ssl'@'%' identified by 'ssltest';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'ssl'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> show grants for 'ssl'@'%';
+------------------------------------------+
| Grants for ssl@% |
+------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'ssl'@'%' |
+------------------------------------------+
1 row in set (0.00 sec)
mysql> select ssl_type from mysql.user where user='ssl';
+----------+
| ssl_type |
+----------+
| | -- ssl_type is still empty: no SSL requirement has been configured for this account
+----------+
1 row in set (0.00 sec)
  • Client B: MySQL server; IP: 192.168.24.38; logging in with default client settings (the 5.7 client negotiates SSL on its own when the server offers it)

[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2264
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(ssl@192.168.48.168) 11:06:57 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper

Connection id: 2264
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA -- the login went over SSL without any client option; the channel is encrypted, but with no --ssl-ca the client has not verified who it is talking to
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 44 min 55 sec Threads: 2 Questions: 16275 Slow queries: 0 Opens: 8527 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.038
--------------
  • Client B: MySQL server; IP: 192.168.24.38; logging in with --skip-ssl
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2601
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(ssl@192.168.48.168) 11:11:55 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper

Connection id: 2601
Current database:
Current user: ssl@192.168.24.38
SSL: Not in use -- SSL was switched off by the client and the account does not require it, so the password travelled in plaintext and the login still succeeded
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 49 min 56 sec Threads: 2 Questions: 18098 Slow queries: 0 Opens: 9366 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.040
  • Force the account to use SSL

-- Server A: MySQL server; IP: 192.168.48.168;
mysql> alter user 'ssl'@'%' require ssl;
Query OK, 0 rows affected (0.00 sec)

-- Client B: MySQL server; IP: 192.168.24.38;
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
ERROR 1045 (28000): Access denied for user 'ssl'@'192.168.24.38' (using password: YES) -- with SSL disabled the login is refused; note that the server reports a generic access-denied error, not an SSL-specific one
[root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3023
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(ssl@192.168.48.168) 11:20:00 [(none)]> \s status;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper

Connection id: 3023
Current database:
Current user: ssl@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 58 min 10 sec Threads: 2 Questions: 21080 Slow queries: 0 Opens: 10700 Flush tables: 1 Open tables: 1024 Queries per second avg: 6.040
--------------

2. Enabling certificate authentication (5.7.18)

-- Server A: MySQL server; IP: 192.168.48.168;
mysql> create user 'sslcatti'@'%' identified by 'sslcatti';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'sslcatti'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> alter user 'sslcatti'@'%' require x509; -- require a client certificate signed by the CA the server trusts (ssl_ca), on top of the password
Query OK, 0 rows affected (0.00 sec)
mysql> select ssl_type from mysql.user where user='sslcatti';
+----------+
| ssl_type |
+----------+
| X509 |
+----------+
1 row in set (0.00 sec)
-- Client B: MySQL server; IP: 192.168.24.38;
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sslcatti'@'192.168.24.38' (using password: YES)
-- the connection is encrypted by default, but the client presented no certificate, so the login is refused

  • Copy the pem files to client B

-- Server A: MySQL server; IP: 192.168.48.168;
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# pwd
/r2/soft/dbtest/mysql-5.7.18/mysqldata
[root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# scp client-cert.pem client-key.pem root@192.168.24.38:~/
The authenticity of host '192.168.24.38 (192.168.24.38)' can't be established.
ECDSA key fingerprint is 06:c0:78:4d:99:10:db:76:9f:78:92:ac:ab:cb:a7:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.24.38' (ECDSA) to the list of known hosts.
root@192.168.24.38's password:
client-cert.pem 100% 1078 1.1KB/s 00:00
client-key.pem 100% 1679 1.6KB/s 00:00
  • Log in from the client with the certificate

-- Client B: MySQL server; IP: 192.168.24.38;
[root@node2 ~]# ll |grep pem
-rw-r--r-- 1 root root 1078 Nov 28 11:34 client-cert.pem
-rw------- 1 root root 1679 Nov 28 11:34 client-key.pem
[root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti --ssl-cert=./client-cert.pem --ssl-key=./client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3868
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(sslcatti@192.168.48.168) 11:36:28 [(none)]> \s;
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper

Connection id: 3868
Current database:
Current user: sslcatti@192.168.24.38
SSL: Cipher in use is DHE-RSA-AES256-SHA -- encrypted, and the login passed because this account requires X509 and the client now presents a certificate signed by the server's CA. Two caveats: the client still passes no --ssl-ca, so it does not verify the server; and every host that receives a copy of this one client-key.pem passes the same check, so for per-client identity issue separate certificates and pin them with REQUIRE SUBJECT
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.48.168 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 14 min 31 sec Threads: 1 Questions: 27036 Slow queries: 0 Opens: 13349 Flush tables: 1 Open tables: 1024Queries per second avg: 6.046
--------------
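Sections 1 and 2 together show the server's login decision for three account states: no REQUIRE clause (anything goes, including --skip-ssl), REQUIRE SSL (ssl_type ANY: any TLS session), and REQUIRE X509 (a CA-signed client certificate on top). The following is an added example, not code from the original post or from MySQL, that models that decision over constructed mysql.user rows and connection attempts mirroring the page's six logins. It goes one step beyond the page by also covering ssl_type SPECIFIED (REQUIRE SUBJECT / ISSUER / CIPHER) as documented for 5.7; the certificate DN strings are assumptions, the real ones are whatever is in the generated client-cert.pem.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UserRow:
    """The columns of mysql.user that ALTER USER ... REQUIRE writes."""
    user: str
    host: str
    ssl_type: str = ""        # '', 'ANY' (REQUIRE SSL), 'X509', 'SPECIFIED'
    ssl_cipher: str = ""      # REQUIRE CIPHER
    x509_issuer: str = ""     # REQUIRE ISSUER
    x509_subject: str = ""    # REQUIRE SUBJECT


@dataclass(frozen=True)
class Connection:
    """What the server knows about a client once the handshake is over."""
    tls: bool                           # False for --skip-ssl / --ssl-mode=DISABLED
    cipher: str = ""                    # negotiated cipher, e.g. DHE-RSA-AES256-SHA
    cert_subject: Optional[str] = None  # client certificate DN, None if none sent
    cert_issuer: Optional[str] = None
    cert_verified: bool = False         # chains to the CA in the server's ssl_ca?


def require_check(row: UserRow, conn: Connection) -> Tuple[bool, str]:
    """Apply the account's REQUIRE clause; the password check is separate
    and assumed to have passed. Returns (accepted, reason)."""
    if row.ssl_type == "":
        return True, "no REQUIRE clause: plaintext and TLS both accepted"
    if not conn.tls:
        return False, "ssl_type=%s but the client did not negotiate TLS" % row.ssl_type
    if row.ssl_type == "ANY":
        return True, "REQUIRE SSL is satisfied by any TLS session"
    # X509, SUBJECT and ISSUER need a CA-signed client certificate; CIPHER alone does not.
    needs_cert = row.ssl_type == "X509" or bool(row.x509_subject or row.x509_issuer)
    if needs_cert:
        if conn.cert_subject is None:
            return False, "a client certificate is required but none was presented"
        if not conn.cert_verified:
            return False, "client certificate does not chain to the CA in ssl_ca"
    if row.ssl_type == "X509":
        return True, "REQUIRE X509 is satisfied by any CA-signed client certificate"
    if row.ssl_type == "SPECIFIED":
        if row.x509_subject and conn.cert_subject != row.x509_subject:
            return False, "certificate subject does not match REQUIRE SUBJECT"
        if row.x509_issuer and conn.cert_issuer != row.x509_issuer:
            return False, "certificate issuer does not match REQUIRE ISSUER"
        if row.ssl_cipher and conn.cipher != row.ssl_cipher:
            return False, "negotiated cipher does not match REQUIRE CIPHER"
        return True, "REQUIRE SUBJECT/ISSUER/CIPHER satisfied"
    return False, "unknown ssl_type %r" % row.ssl_type


def plaintext_capable(rows: List[UserRow]) -> List[str]:
    """Network-reachable accounts with no REQUIRE clause, i.e. the ones that
    still accept --skip-ssl the way 'ssl'@'%' does before the ALTER USER."""
    return sorted("'%s'@'%s'" % (r.user, r.host)
                  for r in rows if r.ssl_type == "" and r.host != "localhost")


# Constructed rows mirroring the page, before and after each ALTER USER.
SSL_BEFORE = UserRow("ssl", "%")
SSL_AFTER = UserRow("ssl", "%", ssl_type="ANY")       # after REQUIRE SSL
SSLCATTI = UserRow("sslcatti", "%", ssl_type="X509")  # after REQUIRE X509

# Constructed connections mirroring the page's logins (DN strings are assumed).
PLAINTEXT = Connection(tls=False)
TLS_NO_CERT = Connection(tls=True, cipher="DHE-RSA-AES256-SHA")
TLS_WITH_CERT = Connection(tls=True, cipher="DHE-RSA-AES256-SHA",
                           cert_subject="/CN=MySQL_client", cert_issuer="/CN=MySQL_CA",
                           cert_verified=True)


def page_scenarios() -> List[Tuple[str, bool]]:
    """The six logins shown on the page, in order, as (label, accepted)."""
    cases = [
        ("ssl, default client settings", SSL_BEFORE, TLS_NO_CERT),
        ("ssl, --skip-ssl", SSL_BEFORE, PLAINTEXT),
        ("ssl after REQUIRE SSL, --skip-ssl", SSL_AFTER, PLAINTEXT),
        ("ssl after REQUIRE SSL, default", SSL_AFTER, TLS_NO_CERT),
        ("sslcatti, no --ssl-cert/--ssl-key", SSLCATTI, TLS_NO_CERT),
        ("sslcatti, --ssl-cert + --ssl-key", SSLCATTI, TLS_WITH_CERT),
    ]
    return [(label, require_check(row, conn)[0]) for label, row, conn in cases]


if __name__ == "__main__":
    for label, ok in page_scenarios():
        print("%-40s %s" % (label, "accepted" if ok else "ERROR 1045"))
    print("plaintext-capable:",
          plaintext_capable([SSL_BEFORE, SSLCATTI, UserRow("root", "localhost")]))
```

The real-world counterpart of `plaintext_capable` is `select user, host, ssl_type from mysql.user where ssl_type = '' and host <> 'localhost'`; any row it returns is an account whose password can still be sent in the clear from the network.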
