At the time of writing, most MySQL client versions do not support caching_sha2_password authentication. If you use MySQL 8.0, it is recommended to add the parameter:
default-authentication-plugin=mysql_native_password
Otherwise client connections may fail. The cases below are also based on this setting; a client that lacks support would keep the tests from reflecting the real results.
Users currently in the database
root@(none):53: >select host,user,ssl_type,ssl_cipher,x509_issuer,x509_subject,plugin from mysql.user;
+--------------+------------------+----------+------------+-------------+--------------+-----------------------+
| host         | user             | ssl_type | ssl_cipher | x509_issuer | x509_subject | plugin                |
+--------------+------------------+----------+------------+-------------+--------------+-----------------------+
| %            | rep              |          |            |             |              | mysql_native_password |
| %            | root             |          |            |             |              | mysql_native_password |
| %            | test             |          |            |             |              | mysql_native_password |
| %            | test1            |          |            |             |              | caching_sha2_password |
| 192.168.20.% | cat              | X509     |            |             |              | mysql_native_password |
| localhost    | mysql.infoschema |          |            |             |              | caching_sha2_password |
| localhost    | mysql.session    |          |            |             |              | caching_sha2_password |
| localhost    | mysql.sys        |          |            |             |              | caching_sha2_password |
| localhost    | root             |          |            |             |              | caching_sha2_password |
+--------------+------------------+----------+------------+-------------+--------------+-----------------------+
10 rows in set (0.00 sec)
require_secure_transport = OFF mode
This is the default setting. In this mode users may connect to the database without SSL encryption.
-- Connecting without SSL
mysql -h mysql1 -utest -ptest --ssl-mode=DISABLED
SSL: Not in use

-- Connecting with SSL
mysql -h mysql1 -utest -ptest
mysql -h mysql1 -utest -ptest --ssl-mode=PREFERRED
mysql -h mysql1 -utest1 -ptest1 --ssl-mode=PREFERRED
mysql -h mysql1 -utest1 -ptest1 --ssl-mode=REQUIRED
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
Navicat can connect with only the General tab configured.
After connecting, the session is unencrypted:
show status like 'ssl_cipher';
But we can equally use an encrypted connection.
require_secure_transport = ON mode
SSL is mandatory in this mode.
Connecting without SSL returns an error. From the MySQL command line:
-- Without SSL
[root@mysql2 ~]# mysql -h mysql1 -utest -ptest --ssl-mode=disabled
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.

-- With SSL
[root@mysql2 ~]# mysql -h mysql1 -utest -ptest
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show status like 'ssl_cipher';
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES128-GCM-SHA256 |
+---------------+---------------------------+
1 row in set (0.01 sec)
--ssl-mode has the following five options:
'DISABLED' -- do not use SSL encryption
'PREFERRED', 'REQUIRED' -- use SSL encryption; there is no difference in the cipher used
'VERIFY_CA', 'VERIFY_IDENTITY' -- additionally require --ssl-ca and related options
Using the PEM files
The official documentation recommends running the following command after initializing MySQL:
mysql_ssl_rsa_setup --datadir=<datadir path>. This command generates the files listed below in the data directory.
So how are these files used?
[root@mysql1 mydata1]# ll /u01/mydata1/*.pem
-rw-------. 1 mysql mysql 1680 Jun  4 03:12 /u01/mydata1/ca-key.pem
-rw-r--r--. 1 mysql mysql 1112 Jun  4 03:12 /u01/mydata1/ca.pem
-rw-r--r--. 1 mysql mysql 1112 Jun  4 03:12 /u01/mydata1/client-cert.pem
-rw-------. 1 mysql mysql 1680 Jun  4 03:12 /u01/mydata1/client-key.pem
-rw-------. 1 mysql mysql 1676 Jun  4 03:12 /u01/mydata1/private_key.pem
-rw-r--r--. 1 mysql mysql  452 Jun  4 03:12 /u01/mydata1/public_key.pem
-rw-r--r--. 1 mysql mysql 1112 Jun  4 03:12 /u01/mydata1/server-cert.pem
-rw-------. 1 mysql mysql 1680 Jun  4 03:12 /u01/mydata1/server-key.pem
Creating a user
root@(none):39: >create user cat@'192.168.20.%' identified with mysql_native_password by 'cat' require ssl;
-- This requires the user to connect over SSL, even when require_secure_transport = OFF
root@(none):39: >grant all on *.* to cat@'192.168.20.%';
root@(none):39: >alter user cat@'192.168.20.%' require x509;
-- From here on the pem files are required
root@(none):39: >select host,user,ssl_type,ssl_cipher,x509_issuer,x509_subject,plugin from mysql.user where user='cat' \G
*************************** 1. row ***************************
        host: 192.168.20.%
        user: cat
    ssl_type: X509
  ssl_cipher:
 x509_issuer:
x509_subject:
      plugin: mysql_native_password
1 row in set (0.00 sec)
Testing a regular SSL connection, which fails:
[root@mysql2 ~]# mysql -h mysql1 -ucat -pcat
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'cat'@'192.168.20.82' (using password: YES)
[root@mysql2 ~]# mysql -h mysql1 -ucat -pcat --ssl-mode=PREFERRED
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'cat'@'192.168.20.82' (using password: YES)
Copying the pem files
To connect successfully you now need the PEM files: copy the server-side pem files to the client.
# mysql1
[root@mysql1 mydata1]# scp client-cert.pem mysql2:/home/mysql
client-cert.pem                               100% 1112   873.8KB/s   00:00
[root@mysql1 mydata1]# scp client-key.pem mysql2:/home/mysql
client-key.pem                                100% 1680   169.9KB/s   00:00
# mysql2
[root@mysql2 ~]# ll /home/mysql
total 8
-rw-r--r-- 1 root root 1112 Jul 14 09:43 client-cert.pem
-rw------- 1 root root 1680 Jul 14 09:43 client-key.pem
Connecting with the pem files succeeds:
[root@mysql2 ~]# mysql -h mysql1 -ucat -pcat --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 50
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
The --ssl-ca option can also be used; the server-side ca.pem likewise has to be copied to the client. For example:
[root@mysql2 ~]# mysql -h mysql1 -ucat -pcat --ssl-ca=/home/mysql/ca.pem --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
Connecting from GUI tools
Download the server-side pem files to your own machine and point the connection tool at the pem file locations; only then can it connect to the database.
Does adding a user require copying the pem files again?
-- Add a user
root@(none):09: >create user dog@'192.168.20.%' identified with mysql_native_password by 'dog' require x509;
-- With x509, require ssl need not be specified, but SSL is still enforced
Query OK, 0 rows affected (0.00 sec)
root@(none):09: >grant all on *.* to dog@'192.168.20.%';
Query OK, 0 rows affected (0.01 sec)
Adding a new user does not require copying the files again:
-- Successful connection
[root@mysql2 ~]# mysql -h mysql1 -udog -pdog --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
This shows that the pem files are fixed once the database has been installed. Once copied to the client they can be used permanently, unaffected by changes inside the database.
Are the server-side pem files tied to the SSL connection?
# Move all the pem files away
[root@mysql1 mydata1]# mkdir pemdefault
[root@mysql1 mydata1]# mv *.pem pemdefault/
[root@mysql1 mydata1]# ll *.pem
ls: cannot access *.pem: No such file or directory
# Test the client connection
[root@mysql2 ~]# mysql -h mysql1 -udog -pdog --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
This shows that removing the server-side *.pem files does not affect the client's SSL connections.
However, if the database is restarted, the server regenerates a new set of pem files:
[root@mysql1 mydata1]# ll *.pem
-rw------- 1 mysql mysql 1680 Jul 14 10:24 ca-key.pem
-rw-r--r-- 1 mysql mysql 1112 Jul 14 10:24 ca.pem
-rw-r--r-- 1 mysql mysql 1112 Jul 14 10:24 client-cert.pem
-rw------- 1 mysql mysql 1680 Jul 14 10:24 client-key.pem
-rw------- 1 mysql mysql 1676 Jul 14 10:24 private_key.pem
-rw-r--r-- 1 mysql mysql  452 Jul 14 10:24 public_key.pem
-rw-r--r-- 1 mysql mysql 1112 Jul 14 10:24 server-cert.pem
-rw------- 1 mysql mysql 1680 Jul 14 10:24 server-key.pem
Remote connections now fail:
[root@mysql2 ~]# mysql -h mysql1 -udog -pdog --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
Copy the pem files to the client again and retest the connection:
# Copy the pem files
[root@mysql1 mydata1]# scp client-cert.pem mysql2:/home/mysql
client-cert.pem                               100% 1112     1.4MB/s   00:00
[root@mysql1 mydata1]# scp client-key.pem mysql2:/home/mysql
# The connection is restored
[root@mysql2 ~]# mysql -h mysql1 -udog -pdog --ssl-cert=/home/mysql/client-cert.pem --ssl-key=/home/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
In summary: although a remote SSL connection using pem files is not checked against the pem files on the server's disk at connect time, the server-side pem files still must not be deleted, because a database restart after deletion regenerates a new set of pem files, which makes remote connections fail until the files are copied to the client again.
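The failure above is a client certificate that no longer chains to the CA the server is now running with. As an added check that is not part of the original post, the following POSIX shell functions use the openssl CLI (assumed to be on PATH) to test a client-side copy of the mysql_ssl_rsa_setup files against the server's current ca.pem before any connection is attempted; the function names and the directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for a client-side
# copy of the mysql_ssl_rsa_setup files (ca.pem, client-cert.pem, client-key.pem).
# Assumes the openssl CLI is available on PATH.

# SHA-256 fingerprint of a certificate, so a client copy can be compared with the
# server's current file after a restart without diffing the whole PEM text.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeeds when the client certificate (arg 2) chains to the CA in ca.pem (arg 1).
# After the server regenerates its PEM set, the old client-cert.pem no longer
# chains to the new ca.pem, which is the mismatch behind the handshake failure
# ("tlsv1 alert decrypt error") shown in the post.
client_cert_matches_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when the private key (arg 2) belongs to the certificate (arg 1),
# i.e. both carry the same public key (catches a key copied from the wrong datadir).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all checks for a client directory against the server's current ca.pem.
# Prints one line per check and returns non-zero if any check failed.
# Usage: check_client_pem /home/mysql /path/to/current/ca.pem
check_client_pem() {
    dir="$1"; server_ca="$2"; rc=0
    if client_cert_matches_ca "$server_ca" "$dir/client-cert.pem"; then
        echo "ok: client-cert.pem chains to $server_ca"
    else
        echo "FAIL: client-cert.pem does not chain to $server_ca (server PEM set regenerated?)"
        rc=1
    fi
    if key_matches_cert "$dir/client-cert.pem" "$dir/client-key.pem"; then
        echo "ok: client-key.pem matches client-cert.pem"
    else
        echo "FAIL: client-key.pem does not match client-cert.pem"
        rc=1
    fi
    echo "client-cert.pem fingerprint: $(cert_fingerprint "$dir/client-cert.pem")"
    return $rc
}
```

Run it right after copying the files and again after any server restart; a FAIL on the chain check means the copy on the client is stale and must be refreshed from the server's data directory.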