mysql5.7上开启并配置ssl

[root@mysqlmaster01 bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysqlnode

Generating a 2048 bit RSA private key

............................................................................+++

............+++

writing new private key to 'ca-key.pem'

-----

Generating a 2048 bit RSA private key

.......................+++

..........................+++

writing new private key to 'server-key.pem'

-----

Generating a 2048 bit RSA private key

...........+++

..........+++

writing new private key to 'client-key.pem'

-----mysql

查看linux

mysql> show variables like '%ssl%';

+---------------+-----------------+

| Variable_name | Value |

+---------------+-----------------+

| have_openssl | DISABLED |

| have_ssl | DISABLED |

| ssl_ca | ca.pem |

| ssl_capath | |

| ssl_cert | server-cert.pem |

| ssl_cipher | |

| ssl_crl | |

| ssl_crlpath | |

| ssl_key | server-key.pem |

+---------------+-----------------+

9 rows in set (0.01 sec)sql

(SSL仍是没有启用)数据库

解决办法:把数据目录下.pem的文件,属主和属组改为mysql服务器

[root@mysqlmaster01 mysql_data1]# chown -R mysql.mysql *.pemapp

而后重启服务ide

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi stop 1工具

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi start 1

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi report

Reporting MySQL servers

MySQL server from group: mysqld1 is running

[root@mysqlmaster01 mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl | YES |

| have_ssl | YES |

+---------------+-------+

(说明ssl已经启用咯)

[root@mysqlmaster01 mysql_data1]# ll *.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem

-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem

-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

如何经过ssl进行链接

[root@mysqlmaster01 mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 15

Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

(默认若是受权没有作任何限制,用户既能够经过秘钥登陆,也能够经过用户名和密码登陆)

用户受权规定只能经过ssl方式登陆

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';

Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;

Query OK, 0 rows affected, 1 warning (0.00 sec)

测试

[root@mysqlmaster01 ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

mysql>

mysql> \s

--------------

mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25

Current database:

Current user: tom@10.2.11.226

SSL: Cipher in use is DHE-RSA-AES256-SHA

Current pager: stdout

Using outfile: ''

Using delimiter: ;

Server version: 5.7.20-log MySQL Community Server (GPL)

Protocol version: 10

Connection: 10.2.11.226 via TCP/IP

Server characterset: latin1

Db characterset: latin1

Client characterset: utf8

Conn. characterset: utf8

TCP port: 3306

Uptime: 1 hour 34 min 11 sec

Threads: 2 Questions: 56 Slow queries: 0 Opens: 124 Flush tables: 1 Open tables: 117 Queries per second avg: 0.009

--------------

 若是不只须要ssl还须要秘钥,那么怎么操做呢?

mysql> alter user 'tom'@'10.2.11.%' require x509;

Query OK, 0 rows affected (0.01 sec)

或者新建一个用户,要求ssl+秘钥登陆

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 测试登陆:

[root@mysqlmaster01 mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl

WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

(发现经过ssl登陆不了)

mysql5.6上开启并配置ssl

一、加密链接服务端配置

 [mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

说明:

ss-ca:证书颁发机构(CA)证书文件的路径名

ssl-cert:服务器公钥证书文件的路径名。这能够发送到客户端,并经过CA证书进行身份验证。

ssl-key:服务器的私钥证书文件的路径名

二、客户端使用ssl

案例:

mysql  --ssl-ca=ca.pem  --ssl-cert=client-cert.pem  --ssl-key=client-key.pem



经过openssl 制做生成 SSL 证书

[root@mysqlmaster01 CA]# touch index.txt

[root@mysqlmaster01 CA]# echo 01>serial

建立CA证书

[root@server mysql56]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

...............................................+++

......................................................................................................................+++

e is 65537 (0x10001)

[root@server mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:ca.test.com

Email Address []:

[root@server mysql56]# ll *.pem

-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem

-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

建立服务器证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

Generating a 2048 bit RSA private key

......................................................+++

.........................+++

writing new private key to 'server-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:server.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in server-key.pem -out server-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com

Getting CA Private Key

建立客户端证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

Generating a 2048 bit RSA private key

.+++

...............................................+++

writing new private key to 'client-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:client.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in client-key.pem -out client-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com

Getting CA Private Key

检测:

[root@mysqlmaster01 mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK

client-cert.pem: OK

说明:

    ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)

    server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.

    client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

[root@mysqlmaster01 mysql56]# chown -R mysql.mysql *.pem (更改属主和属组)

编写my.cnf文件,在【mysqld】下填写

ssl-ca=/data/mysql56/ca.pem

ssl-cert=/data/mysql56/server-cert.pem

ssl-key=/data/mysql56/server-key.pem

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509; (受权test用户经过ssl+秘钥登陆)

Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

 (直接用密码登陆错误)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

mysql: [ERROR] mysql: unknown option '-l'

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

Enter password:

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 5

Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

(若是要在其余电脑上经过ssl登陆该机器的数据库,必需要ca.pem,client-cert.pem,client-key.pem拷贝到其余电脑上,而后配置链接数据库的工具使用ssl)

mysql 5.6 另一篇文章设置SSL

与5.7使用 mysql_ssl_rsa_setup 自动生成秘匙不同,5.6需要通过openssl命令来生成秘匙

创建一个 certs 文件用于放秘匙

我放在了datadir目录下 mkdir certs && cd certs

首先生成所需 key

CA

「主要命令」openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem小提示:CA的Country Name要与server/client的Country Name不同,否则 Verify这步会出现错误,出现类似 error 18 at 0 depth lookup:self signed certificate的错误

[[email protected] certs]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

......................................................+++

........+++

e is 65537 (0x10001)

[[email protected] certs]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CH

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:WDT

Organizational Unit Name (eg, section) []:wdt

Common Name (eg, your name or your server's hostname) []:fxr

Email Address []:test

[[email protected] certs]# ll

total 8

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

server

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

# 创建成功后目录下变成4个文件

[[email protected] certs]# ll

total 16

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

-rw-r--r-- 1 root root 1704 Feb 27 10:49 server-key.pem

-rw-r--r-- 1 root root 1050 Feb 27 10:49 server-req.pem

[[email protected] certs]# openssl rsa -in server-key.pem -out server-key.pem

[[email protected] certs]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# 这是会提示验证成功,目录下多了一个 `server-cert.pem` 文件

Client

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

#成功后多出`client-key.pem` 和 `client-req.pem` 两个文件

[[email protected] certs]# openssl rsa -in client-key.pem -out client-key.pem

[[email protected] certs]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# 成功后多出`client-cert.pem` 一个文件

Verify

「主要命令」openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

[[email protected] certs]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

`server-cert.pem` 和 `client-cert.pem` 提示Ok

「配置my.cnf文件」xxx 请改成该文件的全路径

[mysqld]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/server-cert.pem

ssl-key=xxx/server-key.pem

[client]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/client-cert.pem

ssl-key=xxx/client-key.pem

然后创建一个用户,并设置其使用SSL连接

mysql> CREATE USER 'ssluser'@'%' identified by '123';

mysql> GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' require ssl;

mysql> FLUSH PRIVILEGES;

重启下mysql服务,然后通过以下命令连接

[[email protected] certs]# mysql -ussluser -p --ssl-ca=/data/mysql/data/certs/ca.pem --ssl-cert=/data/mysql/data/certs/client-cert.pem --ssl-key=/data/mysql/data/certs/client-key.pem

进入mysql后输入 SHOW STATUS LIKE 'Ssl_cipher';

+---------------+--------------------+

| Variable_name | Value |

+---------------+--------------------+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+---------------+--------------------+中途因为 –ssl-ca后面的路径输入错误,导致 SSL connection error: SSL_CTX_set_default_verify_paths failed 的错误

MySQL5.6 & 5.7 配置 SSL的更多相关文章

  1. Windows下Nginx配置SSL实现Https访问(包含证书生成)

    Vincent.李   Windows下Nginx配置SSL实现Https访问(包含证书生成) Windows下Nginx配置SSL实现Https访问(包含证书生成) 首先要说明为什么要实现https ...

  2. Tomcat:配置SSL

    SSL简述 SSL就是安全套接字层,是一种允许web浏览器和 web服务器通过安全连接通信的技术.这是一个双向的过程,这意味着 服务器和浏览器在发送数据之前加密所有交流的数据. SSL有一个重要的特点 ...

  3. Apache安装及配置ssl

    目录 1.windows安装 软件准备 安装apache 开启ssl(Https访问) 打开httpd.conf,解除下面配置的注释 查看ssl模块使用哪一个配置文件 配置https虚拟主机 简单配置 ...

  4. CentOS7下安装MySQL5.7安装与配置(转)

    原文地址:http://www.centoscn.com/mysql/2016/0626/7537.html 安装环境:CentOS7 64位 MINI版,安装MySQL5.7 1.配置YUM源 在M ...

  5. MySQL5.7安装与配置(YUM)

    安装环境:CentOS7 64位,MySQL5.7 1.配置YUM源 在MySQL官网中下载YUM源rpm安装包:http://dev.mysql.com/downloads/repo/yum/  # ...

  6. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  7. Tomcat 7.0配置SSL的问题及解决办法

    http://dong-shuai22-126-com.iteye.com/blog/1830209   以前一直在用Tomcat 6.0.29版本,今下载了apache-tomcat-7.0.33- ...

  8. nginx配置ssl

    1.使用pfx证书配置ssl (http://www.heartlifes.com/archives/12/) .上传证书 .生成证书crt及key文件 openssl pkcs12 -in /usr ...

  9. 单点登录CAS使用记(一):前期准备以及为CAS-Server配置SSL协议

    知识点: SSO:单点登录(Single Sign On),是目前比较流行的企业业务整合的解决方案之一.SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统. CAS:耶 ...

随机推荐

  1. 如果一个promise永不resolve,会内存泄漏吗

    答:跟内存泄漏没有直接关系gc的策略不会改变,如果该promise没有被人引用,就会被gc掉.如果仍被引用,就不会被gc掉.即使一个promise,resolve或者reject了,但是它还被人引用, ...

  2. go-zero微服务实战系列(十、分布式事务如何实现)

    在分布式应用场景中,分布式事务问题是不可回避的,在目前流行的微服务场景下更是如此.比如在我们的商城系统中,下单操作涉及创建订单和库存扣减操作两个操作,而订单服务和商品服务是两个独立的微服务,因为每个微 ...

  3. mongodb 数据块迁移的源码分析

    1. 简介 上一篇我们聊到了mongodb数据块的基本概念,和数据块迁移的主要流程,这篇文章我们聊聊源码实现部分. 2. 迁移序列图 数据块迁移的请求是从配置服务器(config server)发给( ...

  4. 2022-7-23 pan小堂 Object与Final

    Object类 1.Object方法 public final native Class<?> getClass() 返回object运行时类 public native int hash ...

  5. 关于 CMS 垃圾回收器,你真的懂了吗?

    大家好,我是树哥. 前段时间有个小伙伴去面试,被问到了 CMS 垃圾回收器的详细内容,没答出来.实际上,CMS 垃圾回收器是回收器历史上很重要的一个节点,其开启了 GC 回收器关注 GC 停顿时间的历 ...

  6. 从零开始Blazor Server(2)--整合数据库

    开篇 上一篇文章我们留了个尾巴,没有把freesql整合进去,这篇文章我们来整合. 目前的思路呢,是做一个简单的四不像的RABC,也有用户.角色. 权限三部分. 但是其中每个用户只有一个角色,即用户和 ...

  7. 什么是WordPress

    首先,假设您没有WordPress的经验: 我将从基础开始. 在本教程中,我将回答问题:"什么是WordPress?" 在这篇文章中,我将说明您可以在哪里获得WordPress以及 ...

  8. 关于javascript中this

    ------------恢复内容开始------------ 1 var number = 5; 2 var obj = { 3 number: 3, 4 fn1: (function () { 5 ...

  9. CF242E XOR on Segment

    CF242E XOR on Segment codeforces 洛谷 关于异或,无法运用懒标记实现区间异或: 可以像trie树一样拆位,将每个值拆成二进制数,对此建相应个数的线段树. 0 1与 0异 ...

  10. 在 Linux 中安装 MongoDB 的流程

    下载 MongoDB官网下载社区版的安装包: 解压 上传至 Linux,安装位置自行选择.把压缩包解压到安装的目录下. 可重命名解压的文件夹名: mv mongodb-linux-x86_64-rhe ...