mysql5.7上开启并配置ssl

[root@mysqlmaster01 bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysqlnode

Generating a 2048 bit RSA private key

............................................................................+++

............+++

writing new private key to 'ca-key.pem'

-----

Generating a 2048 bit RSA private key

.......................+++

..........................+++

writing new private key to 'server-key.pem'

-----

Generating a 2048 bit RSA private key

...........+++

..........+++

writing new private key to 'client-key.pem'

-----mysql

查看linux

mysql> show variables like '%ssl%';

+---------------+-----------------+

| Variable_name | Value |

+---------------+-----------------+

| have_openssl | DISABLED |

| have_ssl | DISABLED |

| ssl_ca | ca.pem |

| ssl_capath | |

| ssl_cert | server-cert.pem |

| ssl_cipher | |

| ssl_crl | |

| ssl_crlpath | |

| ssl_key | server-key.pem |

+---------------+-----------------+

9 rows in set (0.01 sec)sql

(SSL仍是没有启用)数据库

解决办法:把数据目录下.pem的文件,属主和属组改为mysql服务器

[root@mysqlmaster01 mysql_data1]# chown -R mysql.mysql *.pemapp

而后重启服务ide

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi stop 1工具

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi start 1

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi report

Reporting MySQL servers

MySQL server from group: mysqld1 is running

[root@mysqlmaster01 mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl | YES |

| have_ssl | YES |

+---------------+-------+

(说明ssl已经启用咯)

[root@mysqlmaster01 mysql_data1]# ll *.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem

-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem

-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem

-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem

-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

如何经过ssl进行链接

[root@mysqlmaster01 mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 15

Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

(默认若是受权没有作任何限制,用户既能够经过秘钥登陆,也能够经过用户名和密码登陆)

用户受权规定只能经过ssl方式登陆

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';

Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;

Query OK, 0 rows affected, 1 warning (0.00 sec)

测试

[root@mysqlmaster01 ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

mysql>

mysql> \s

--------------

mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25

Current database:

Current user: tom@10.2.11.226

SSL: Cipher in use is DHE-RSA-AES256-SHA

Current pager: stdout

Using outfile: ''

Using delimiter: ;

Server version: 5.7.20-log MySQL Community Server (GPL)

Protocol version: 10

Connection: 10.2.11.226 via TCP/IP

Server characterset: latin1

Db characterset: latin1

Client characterset: utf8

Conn. characterset: utf8

TCP port: 3306

Uptime: 1 hour 34 min 11 sec

Threads: 2 Questions: 56 Slow queries: 0 Opens: 124 Flush tables: 1 Open tables: 117 Queries per second avg: 0.009

--------------

 若是不只须要ssl还须要秘钥,那么怎么操做呢?

mysql> alter user 'tom'@'10.2.11.%' require x509;

Query OK, 0 rows affected (0.01 sec)

或者新建一个用户,要求ssl+秘钥登陆

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;

Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

 测试登陆:

[root@mysqlmaster01 mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl

WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

(发现经过ssl登陆不了)

mysql5.6上开启并配置ssl

一、加密链接服务端配置

 [mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

说明:

ss-ca:证书颁发机构(CA)证书文件的路径名

ssl-cert:服务器公钥证书文件的路径名。这能够发送到客户端,并经过CA证书进行身份验证。

ssl-key:服务器的私钥证书文件的路径名

二、客户端使用ssl

案例:

mysql  --ssl-ca=ca.pem  --ssl-cert=client-cert.pem  --ssl-key=client-key.pem



经过openssl 制做生成 SSL 证书

[root@mysqlmaster01 CA]# touch index.txt

[root@mysqlmaster01 CA]# echo 01>serial

建立CA证书

[root@server mysql56]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

...............................................+++

......................................................................................................................+++

e is 65537 (0x10001)

[root@server mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:ca.test.com

Email Address []:

[root@server mysql56]# ll *.pem

-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem

-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

建立服务器证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

Generating a 2048 bit RSA private key

......................................................+++

.........................+++

writing new private key to 'server-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:server.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in server-key.pem -out server-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com

Getting CA Private Key

建立客户端证书

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

Generating a 2048 bit RSA private key

.+++

...............................................+++

writing new private key to 'client-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:shanghai

Locality Name (eg, city) [Default City]:shanghai

Organization Name (eg, company) [Default Company Ltd]:als

Organizational Unit Name (eg, section) []:ops

Common Name (eg, your name or your server's hostname) []:client.test.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@server mysql56]# openssl rsa -in client-key.pem -out client-key.pem

writing RSA key

[root@server mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Signature ok

subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com

Getting CA Private Key

检测:

[root@mysqlmaster01 mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

server-cert.pem: OK

client-cert.pem: OK

说明:

    ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)

    server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.

    client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

[root@mysqlmaster01 mysql56]# chown -R mysql.mysql *.pem (更改属主和属组)

编写my.cnf文件,在【mysqld】下填写

ssl-ca=/data/mysql56/ca.pem

ssl-cert=/data/mysql56/server-cert.pem

ssl-key=/data/mysql56/server-key.pem

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509; (受权test用户经过ssl+秘钥登陆)

Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308

Enter password:

ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

 (直接用密码登陆错误)

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

mysql: [ERROR] mysql: unknown option '-l'

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem

Enter password:

ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 5

Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

(若是要在其余电脑上经过ssl登陆该机器的数据库,必需要ca.pem,client-cert.pem,client-key.pem拷贝到其余电脑上,而后配置链接数据库的工具使用ssl)

mysql 5.6 另一篇文章设置SSL

与5.7使用 mysql_ssl_rsa_setup 自动生成秘匙不同,5.6需要通过openssl命令来生成秘匙

创建一个 certs 文件用于放秘匙

我放在了datadir目录下 mkdir certs && cd certs

首先生成所需 key

CA

「主要命令」openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem小提示:CA的Country Name要与server/client的Country Name不同,否则 Verify这步会出现错误,出现类似 error 18 at 0 depth lookup:self signed certificate的错误

[[email protected] certs]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

......................................................+++

........+++

e is 65537 (0x10001)

[[email protected] certs]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CH

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:WDT

Organizational Unit Name (eg, section) []:wdt

Common Name (eg, your name or your server's hostname) []:fxr

Email Address []:test

[[email protected] certs]# ll

total 8

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

server

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

# 创建成功后目录下变成4个文件

[[email protected] certs]# ll

total 16

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

-rw-r--r-- 1 root root 1704 Feb 27 10:49 server-key.pem

-rw-r--r-- 1 root root 1050 Feb 27 10:49 server-req.pem

[[email protected] certs]# openssl rsa -in server-key.pem -out server-key.pem

[[email protected] certs]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# 这是会提示验证成功,目录下多了一个 `server-cert.pem` 文件

Client

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

#成功后多出`client-key.pem` 和 `client-req.pem` 两个文件

[[email protected] certs]# openssl rsa -in client-key.pem -out client-key.pem

[[email protected] certs]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# 成功后多出`client-cert.pem` 一个文件

Verify

「主要命令」openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

[[email protected] certs]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

`server-cert.pem` 和 `client-cert.pem` 提示Ok

「配置my.cnf文件」xxx 请改成该文件的全路径

[mysqld]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/server-cert.pem

ssl-key=xxx/server-key.pem

[client]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/client-cert.pem

ssl-key=xxx/client-key.pem

然后创建一个用户,并设置其使用SSL连接

mysql> CREATE USER 'ssluser'@'%' identified by '123';

mysql> GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' require ssl;

mysql> FLUSH PRIVILEGES;

重启下mysql服务,然后通过以下命令连接

[[email protected] certs]# mysql -ussluser -p --ssl-ca=/data/mysql/data/certs/ca.pem --ssl-cert=/data/mysql/data/certs/client-cert.pem --ssl-key=/data/mysql/data/certs/client-key.pem

进入mysql后输入 SHOW STATUS LIKE 'Ssl_cipher';

+---------------+--------------------+

| Variable_name | Value |

+---------------+--------------------+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+---------------+--------------------+中途因为 –ssl-ca后面的路径输入错误,导致 SSL connection error: SSL_CTX_set_default_verify_paths failed 的错误

MySQL5.6 & 5.7 配置 SSL的更多相关文章

  1. Windows下Nginx配置SSL实现Https访问(包含证书生成)

    Vincent.李   Windows下Nginx配置SSL实现Https访问(包含证书生成) Windows下Nginx配置SSL实现Https访问(包含证书生成) 首先要说明为什么要实现https ...

  2. Tomcat:配置SSL

    SSL简述 SSL就是安全套接字层,是一种允许web浏览器和 web服务器通过安全连接通信的技术.这是一个双向的过程,这意味着 服务器和浏览器在发送数据之前加密所有交流的数据. SSL有一个重要的特点 ...

  3. Apache安装及配置ssl

    目录 1.windows安装 软件准备 安装apache 开启ssl(Https访问) 打开httpd.conf,解除下面配置的注释 查看ssl模块使用哪一个配置文件 配置https虚拟主机 简单配置 ...

  4. CentOS7下安装MySQL5.7安装与配置(转)

    原文地址:http://www.centoscn.com/mysql/2016/0626/7537.html 安装环境:CentOS7 64位 MINI版,安装MySQL5.7 1.配置YUM源 在M ...

  5. MySQL5.7安装与配置(YUM)

    安装环境:CentOS7 64位,MySQL5.7 1.配置YUM源 在MySQL官网中下载YUM源rpm安装包:http://dev.mysql.com/downloads/repo/yum/  # ...

  6. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  7. Tomcat 7.0配置SSL的问题及解决办法

    http://dong-shuai22-126-com.iteye.com/blog/1830209   以前一直在用Tomcat 6.0.29版本,今下载了apache-tomcat-7.0.33- ...

  8. nginx配置ssl

    1.使用pfx证书配置ssl (http://www.heartlifes.com/archives/12/) .上传证书 .生成证书crt及key文件 openssl pkcs12 -in /usr ...

  9. 单点登录CAS使用记(一):前期准备以及为CAS-Server配置SSL协议

    知识点: SSO:单点登录(Single Sign On),是目前比较流行的企业业务整合的解决方案之一.SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统. CAS:耶 ...

随机推荐

  1. get前言之版本控制-get和SVN的区别

    版本控制什么是版本控制版本控制(Revision control)是一种在开发的过程中用于管理我们对文件.目录或工程等内容的修改历史,方便查看更改历史记录,备份以便恢复以前的版本的软件工程技术. ~实 ...

  2. C语言整形转字符串的方法

    今天写力扣第九题,里面用到了这个,就做个笔记.   1. char *itoa( int value, char *string,int radix);(stdlib.h)     Windows特有 ...

  3. AI2(App Inventor 2) 离线版

    介绍 我们的目标:搭建一个本地多用户的App Inventor 2 服务器目的:课堂教学,社团活动,兴趣学习优势:管理权限(用户管理,账号切换,资源打包),网络链接速度快,拥有配套服务.注意:每次退出 ...

  4. echart图表中y轴小数位数过长展示效果不佳

    业务中后端返回的精密数据,小数过长,导致所有数据差距不大,在图表中显示重合为一条直线 解决方法设置echart的min属性 min: "dataMin", 但是设置了以后又出现了问 ...

  5. XML入门介绍

    目录 XML 简介 xml 语法 文档声明 (1)创建一个 xml 文件 (2)图书有 id 性 属性 一 表示唯一 标识,书名,有作者,价格的信息 xml 注释 元素(标签) 1)什么是 xml 元 ...

  6. 初次使用 eolink 感受

    最近总有前端小伙伴来找我抱怨,"后端接口出来太晚,影响我的任务进度"."后端接口改了也不通知我一下,到冒烟测试的时候报一堆的错".我拉后端小伙伴了解情况,结果问 ...

  7. MySQL客户端工具的使用与MySQL SQL语句

    MySQL客户端工具的使用 1.MySQL程序的组成 客户端 mysql:CLI交互式客户端程序 mycli:CLI交互式客户端程序;使用sql语句时会有提示信息 mysql_secure_insta ...

  8. HTTP配置

    目录 HTTP配置 虚拟主机 相同IP不同端口 不同IP相同端口 相同IP相同端口不同域名 Linux修改hosts文件 Windows修改hosts文件 配置https HTTP配置 虚拟主机 虚拟 ...

  9. 【面试题】为什么有时用Vue.use()?及Vue.use()的作用及原理是什么?

    Vue.use()的作用及原理 点击打开视频讲解 在Vue中引入使用第三方库通常我们都会采用import的形式引入进来 但是有的组件在引入之后又做了Vue.use()操作 有的组件引入进来又进行了Vu ...

  10. 让Python更优雅更易读(第一集)

    变量和注释 1.变量 在编写变量尽量要让其清晰只给,让人清除搞清楚代码的意图 下方两段代码作用完全一样,但第二段代码是不是更容易让人理解 value = s.strip() username = in ...