mysql5.7上开启并配置ssl

[root@mysqlmaster01 bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysqlnode

Generating a 2048 bit RSA private key

............................................................................+++

............+++

writing new private key to 'ca-key.pem'

-----

Generating a 2048 bit RSA private key

.......................+++

..........................+++

writing new private key to 'server-key.pem'

-----

Generating a 2048 bit RSA private key

...........+++

..........+++

writing new private key to 'client-key.pem'

-----mysql

查看linux

mysql> show variables like '%ssl%';

+---------------+-----------------+

| Variable_name | Value |

+---------------+-----------------+

| have_openssl | DISABLED |

| have_ssl | DISABLED |

| ssl_ca | ca.pem |

| ssl_capath | |

| ssl_cert | server-cert.pem |

| ssl_cipher | |

| ssl_crl | |

| ssl_crlpath | |

| ssl_key | server-key.pem |

+---------------+-----------------+

9 rows in set (0.01 sec)sql

(SSL仍是没有启用)数据库

解决办法:把数据目录下.pem的文件,属主和属组改为mysql服务器

[root@mysqlmaster01 mysql_data1]# chown -R mysql.mysql *.pemapp

而后重启服务ide

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi stop 1工具

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi start 1

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi report

Reporting MySQL servers

MySQL server from group: mysqld1 is running

[root@mysqlmaster01 mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl | YES |

| have_ssl | YES |

+---------------+-------+

(说明ssl已经启用咯)

[root@mysqlmaster01 mysql_data1]# ll *.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem

-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem

-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

如何经过ssl进行链接

[root@mysqlmaster01 mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 15

Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

(默认若是受权没有作任何限制,用户既能够经过秘钥登陆,也能够经过用户名和密码登陆)

用户受权规定只能经过ssl方式登陆

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';

Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;

Query OK, 0 rows affected, 1 warning (0.00 sec)

测试

[root@mysqlmaster01 ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

mysql>

mysql> \s

--------------

mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25

Current database:

Current user: tom@10.2.11.226

SSL: Cipher in use is DHE-RSA-AES256-SHA

Current pager: stdout

Using outfile: ''

Using delimiter: ;

Server version: 5.7.20-log MySQL Community Server (GPL)

Protocol version: 10

Connection: 10.2.11.226 via TCP/IP

Server characterset: latin1

Db characterset: latin1

Client characterset: utf8

Conn. characterset: utf8

TCP port: 3306

Uptime: 1 hour 34 min 11 sec

Threads: 2 Questions: 56 Slow queries: 0 Opens: 124 Flush tables: 1 Open tables: 117 Queries per second avg: 0.009

--------------

 若是不只须要ssl还须要秘钥,那么怎么操做呢?

mysql> alter user 'tom'@'10.2.11.%' require x509;

Query OK, 0 rows affected (0.01 sec)

或者新建一个用户,要求ssl+秘钥登陆

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 测试登陆:

[root@mysqlmaster01 mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl

WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

(发现经过ssl登陆不了)

mysql5.6上开启并配置ssl

一、加密链接服务端配置

 [mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

说明:

ss-ca:证书颁发机构(CA)证书文件的路径名

ssl-cert:服务器公钥证书文件的路径名。这能够发送到客户端,并经过CA证书进行身份验证。

ssl-key:服务器的私钥证书文件的路径名

二、客户端使用ssl

案例:

mysql  --ssl-ca=ca.pem  --ssl-cert=client-cert.pem  --ssl-key=client-key.pem



经过openssl 制做生成 SSL 证书

[root@mysqlmaster01 CA]# touch index.txt

[root@mysqlmaster01 CA]# echo 01>serial

建立CA证书

[root@server mysql56]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

...............................................+++

......................................................................................................................+++

e is 65537 (0x10001)

[root@server mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:ca.test.com

Email Address []:

[root@server mysql56]# ll *.pem

-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem

-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

建立服务器证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

Generating a 2048 bit RSA private key

......................................................+++

.........................+++

writing new private key to 'server-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:server.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in server-key.pem -out server-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com

Getting CA Private Key

建立客户端证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

Generating a 2048 bit RSA private key

.+++

...............................................+++

writing new private key to 'client-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:client.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in client-key.pem -out client-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com

Getting CA Private Key

检测:

[root@mysqlmaster01 mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK

client-cert.pem: OK

说明:

    ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)

    server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.

    client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

[root@mysqlmaster01 mysql56]# chown -R mysql.mysql *.pem (更改属主和属组)

编写my.cnf文件,在【mysqld】下填写

ssl-ca=/data/mysql56/ca.pem

ssl-cert=/data/mysql56/server-cert.pem

ssl-key=/data/mysql56/server-key.pem

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509; (受权test用户经过ssl+秘钥登陆)

Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

 (直接用密码登陆错误)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

mysql: [ERROR] mysql: unknown option '-l'

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

Enter password:

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 5

Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

(若是要在其余电脑上经过ssl登陆该机器的数据库,必需要ca.pem,client-cert.pem,client-key.pem拷贝到其余电脑上,而后配置链接数据库的工具使用ssl)

mysql 5.6 另一篇文章设置SSL

与5.7使用 mysql_ssl_rsa_setup 自动生成秘匙不同,5.6需要通过openssl命令来生成秘匙

创建一个 certs 文件用于放秘匙

我放在了datadir目录下 mkdir certs && cd certs

首先生成所需 key

CA

「主要命令」openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem小提示:CA的Country Name要与server/client的Country Name不同,否则 Verify这步会出现错误,出现类似 error 18 at 0 depth lookup:self signed certificate的错误

[[email protected] certs]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

......................................................+++

........+++

e is 65537 (0x10001)

[[email protected] certs]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CH

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:WDT

Organizational Unit Name (eg, section) []:wdt

Common Name (eg, your name or your server's hostname) []:fxr

Email Address []:test

[[email protected] certs]# ll

total 8

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

server

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

# 创建成功后目录下变成4个文件

[[email protected] certs]# ll

total 16

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

-rw-r--r-- 1 root root 1704 Feb 27 10:49 server-key.pem

-rw-r--r-- 1 root root 1050 Feb 27 10:49 server-req.pem

[[email protected] certs]# openssl rsa -in server-key.pem -out server-key.pem

[[email protected] certs]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# 这是会提示验证成功,目录下多了一个 `server-cert.pem` 文件

Client

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

#成功后多出`client-key.pem` 和 `client-req.pem` 两个文件

[[email protected] certs]# openssl rsa -in client-key.pem -out client-key.pem

[[email protected] certs]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# 成功后多出`client-cert.pem` 一个文件

Verify

「主要命令」openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

[[email protected] certs]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

`server-cert.pem` 和 `client-cert.pem` 提示Ok

「配置my.cnf文件」xxx 请改成该文件的全路径

[mysqld]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/server-cert.pem

ssl-key=xxx/server-key.pem

[client]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/client-cert.pem

ssl-key=xxx/client-key.pem

然后创建一个用户,并设置其使用SSL连接

mysql> CREATE USER 'ssluser'@'%' identified by '123';

mysql> GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' require ssl;

mysql> FLUSH PRIVILEGES;

重启下mysql服务,然后通过以下命令连接

[[email protected] certs]# mysql -ussluser -p --ssl-ca=/data/mysql/data/certs/ca.pem --ssl-cert=/data/mysql/data/certs/client-cert.pem --ssl-key=/data/mysql/data/certs/client-key.pem

进入mysql后输入 SHOW STATUS LIKE 'Ssl_cipher';

+---------------+--------------------+

| Variable_name | Value |

+---------------+--------------------+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+---------------+--------------------+中途因为 –ssl-ca后面的路径输入错误,导致 SSL connection error: SSL_CTX_set_default_verify_paths failed 的错误

MySQL5.6 & 5.7 配置 SSL的更多相关文章

  1. Windows下Nginx配置SSL实现Https访问(包含证书生成)

    Vincent.李   Windows下Nginx配置SSL实现Https访问(包含证书生成) Windows下Nginx配置SSL实现Https访问(包含证书生成) 首先要说明为什么要实现https ...

  2. Tomcat:配置SSL

    SSL简述 SSL就是安全套接字层,是一种允许web浏览器和 web服务器通过安全连接通信的技术.这是一个双向的过程,这意味着 服务器和浏览器在发送数据之前加密所有交流的数据. SSL有一个重要的特点 ...

  3. Apache安装及配置ssl

    目录 1.windows安装 软件准备 安装apache 开启ssl(Https访问) 打开httpd.conf,解除下面配置的注释 查看ssl模块使用哪一个配置文件 配置https虚拟主机 简单配置 ...

  4. CentOS7下安装MySQL5.7安装与配置(转)

    原文地址:http://www.centoscn.com/mysql/2016/0626/7537.html 安装环境:CentOS7 64位 MINI版,安装MySQL5.7 1.配置YUM源 在M ...

  5. MySQL5.7安装与配置(YUM)

    安装环境:CentOS7 64位,MySQL5.7 1.配置YUM源 在MySQL官网中下载YUM源rpm安装包:http://dev.mysql.com/downloads/repo/yum/  # ...

  6. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  7. Tomcat 7.0配置SSL的问题及解决办法

    http://dong-shuai22-126-com.iteye.com/blog/1830209   以前一直在用Tomcat 6.0.29版本,今下载了apache-tomcat-7.0.33- ...

  8. nginx配置ssl

    1.使用pfx证书配置ssl (http://www.heartlifes.com/archives/12/) .上传证书 .生成证书crt及key文件 openssl pkcs12 -in /usr ...

  9. 单点登录CAS使用记(一):前期准备以及为CAS-Server配置SSL协议

    知识点: SSO:单点登录(Single Sign On),是目前比较流行的企业业务整合的解决方案之一.SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统. CAS:耶 ...

随机推荐

  1. 【python基础】第19回 多层,有参装饰器 递归 二分法

    本章内容概要 1. 多层装饰器 2. 有参装饰器 3. 递归函数 4. 算法(二分法) 本章内容详解 1. 多层装饰器 1.1 什么是多层装饰器 多层装饰器是从下往上依次执行,需要注意的是,被装饰的函 ...

  2. 当在命令行输入"pip install xxx"

    当输入"pip install xxx"时发生了什么 不知道你在下载一些包的时候有没有什么疑惑,输入了"pip install xxx" ,系统是如何找到对应的 ...

  3. Mybatis整合第三方缓存

    1) 为了提高扩展性.MyBatis定义了缓存接口Cache.我们可以通过实现Cache接口来自定义二级缓存 2) EhCache 是一个纯Java的进程内缓存框架,具有快速.精干等特点. 3) 整合 ...

  4. ajax传递参数与controller接收参数映射关系

    将ajax的参数传递至后台controller时,data 中的参数名要与controller中的形参保持一致. 前端ajax代码: 1 $.ajax({ 2 url:"/doLogin&q ...

  5. Java之struts2框架学习

    Java之struts2框架学习 About Struts2 Struts也是一款MVC框架 , Struts2是Struts的下一代产品,是在Struts1和WebWork的技术基础上进行了合并的全 ...

  6. 可视化查询(sp_helptext)——快速查询包含指定字符串的存储过程(附源码)

    前言 在开发中,随着业务逻辑的调整,修改存储过程是必不可免的. 那怎么定位到需要修改的存储过程呢?一个一个的点开查询?存储过程少的话还行,一旦存储过程过多,这样是很浪费时间的,一个不注意还会遗漏掉. ...

  7. 串口应用:遵循uart协议发送N位数据(状态优化为3个,适用任意长度的输入数据,取寄存器中的一段(用变量作为边界))

    上一节中成功实现了发送多个字节的数据.把需要发送的数据分成多段遵循uart协议的数据依次发送.上一节是使用状态机实现的,每发一次设定为一个状态,所以需要发送的数据越多,状态的个数越多,代码越长,因而冗 ...

  8. js基础学习-数组

    let arr1 = [ {name: 1} ] let arr2 = [ {age: 23} ] let ages = [11, 22, 23] let newArr = arr1.concat(a ...

  9. 人理解迭代,神则体会递归,从电影艺术到Python代码实现神的逆向思维模式

    原文转载自「刘悦的技术博客」https://v3u.cn/a_id_186 "从来如此,便对么?",鲁迅先生在<狂人日记>中借狂人之口在月光下发出的质疑与呐喊,是的,从 ...

  10. Mybatis 缓存原理

    Mybatis 缓存原理 本文来自拉钩 java 高薪训练营,如果文章写的不好,看不懂可以找我要课程视频,不收费. 只愿在编程道路上,寻求志同道合的码友.v:15774135883 1 Mybatis ...