MySQL5.6 & 5.7 配置 SSL

mysql5.7上開啟並配置ssl

[root@mysqlmaster01 bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysqlnode

Generating a 2048 bit RSA private key
............................................................................+++
............+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.......................+++
..........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
...........+++
..........+++
writing new private key to 'client-key.pem'
-----mysql

查看linux

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+---------------+-----------------+
9 rows in set (0.01 sec)sql

（SSL仍是沒有啟用）數據庫

解決辦法：把數據目錄下.pem的文件，屬主和屬組改為mysql服務器

[root@mysqlmaster01 mysql_data1]# chown -R mysql.mysql *.pemapp

而后重啟服務ide

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi stop 1工具

[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi start 1
[root@mysqlmaster01 mysql_data1]# /etc/init.d/mysqld_multi report
Reporting MySQL servers
MySQL server from group: mysqld1 is running

[root@mysqlmaster01 mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+

(說明ssl已經啟用咯）

[root@mysqlmaster01 mysql_data1]# ll *.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem
-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem
-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

 

如何經過ssl進行鏈接

[root@mysqlmaster01 mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

（默認若是受權沒有作任何限制，用戶既能夠經過秘鑰登陸，也能夠經過用戶名和密碼登陸）

 

用戶受權規定只能經過ssl方式登陸

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;
Query OK, 0 rows affected, 1 warning (0.00 sec)

測試

[root@mysqlmaster01 ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306 
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.

mysql>

 

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25
Current database:
Current user: tom@10.2.11.226
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.20-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 10.2.11.226 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 34 min 11 sec

Threads: 2 Questions: 56 Slow queries: 0 Opens: 124 Flush tables: 1 Open tables: 117 Queries per second avg: 0.009
--------------

 若是不只須要ssl還須要秘鑰，那么怎么操做呢？

mysql> alter user 'tom'@'10.2.11.%' require x509;
Query OK, 0 rows affected (0.01 sec)

或者新建一個用戶，要求ssl+秘鑰登陸

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 測試登陸：

[root@mysqlmaster01 mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

（發現經過ssl登陸不了）

mysql5.6上開啟並配置ssl

一、加密鏈接服務端配置

 [mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

說明：

ss-ca：證書頒發機構(CA)證書文件的路徑名

ssl-cert：服務器公鑰證書文件的路徑名。這能夠發送到客戶端，並經過CA證書進行身份驗證。

ssl-key：服務器的私鑰證書文件的路徑名

二、客戶端使用ssl

案例：

mysql  --ssl-ca=ca.pem  --ssl-cert=client-cert.pem  --ssl-key=client-key.pem

經過openssl 制做生成 SSL 證書

[root@mysqlmaster01 CA]# touch index.txt
[root@mysqlmaster01 CA]# echo 01>serial

 

建立CA證書

[root@server mysql56]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................................+++
......................................................................................................................+++
e is 65537 (0x10001)
[root@server mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[root@server mysql56]# ll *.pem
-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem
-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

建立服務器證書

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
......................................................+++
.........................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:server.test.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server mysql56]# openssl rsa -in server-key.pem -out server-key.pem 
writing RSA key

[root@server mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com
Getting CA Private Key

 

建立客戶端證書

 

[root@server mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
.+++
...............................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:client.test.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server mysql56]# openssl rsa -in client-key.pem -out client-key.pem 
writing RSA key
[root@server mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com
Getting CA Private Key

 

檢測：

[root@mysqlmaster01 mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem 
server-cert.pem: OK
client-cert.pem: OK

 

說明：

    ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)

    server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.

    client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

 

[root@mysqlmaster01 mysql56]# chown -R mysql.mysql *.pem （更改屬主和屬組）

 

編寫my.cnf文件，在【mysqld】下填寫

ssl-ca=/data/mysql56/ca.pem 
ssl-cert=/data/mysql56/server-cert.pem 
ssl-key=/data/mysql56/server-key.pem

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509; （受權test用戶經過ssl+秘鑰登陸）
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

 （直接用密碼登陸錯誤）

 

 

[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
mysql: [ERROR] mysql: unknown option '-l'
[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
[root@mysqlmaster01 ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

（若是要在其余電腦上經過ssl登陸該機器的數據庫，必需要ca.pem,client-cert.pem,client-key.pem拷貝到其余電腦上，而后配置鏈接數據庫的工具使用ssl）

mysql 5.6 另一篇文章設置SSL

與5.7使用 mysql_ssl_rsa_setup 自動生成秘匙不同，5.6需要通過openssl命令來生成秘匙

創建一個 certs 文件用於放秘匙

我放在了datadir目錄下 mkdir certs && cd certs

首先生成所需 key

CA

「主要命令」openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem小提示：CA的Country Name要與server/client的Country Name不同，否則 Verify這步會出現錯誤，出現類似 error 18 at 0 depth lookup:self signed certificate的錯誤

[[email protected] certs]# openssl genrsa 2048 > ca-key.pem

Generating RSA private key, 2048 bit long modulus

......................................................+++

........+++

e is 65537 (0x10001)

[[email protected] certs]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CH

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:WDT

Organizational Unit Name (eg, section) []:wdt

Common Name (eg, your name or your server's hostname) []:fxr

Email Address []:test

[[email protected] certs]# ll

total 8

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

server

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

openssl rsa -in server-key.pem -out server-key.pem

openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem

# 創建成功后目錄下變成4個文件

[[email protected] certs]# ll

total 16

-rw-r--r-- 1 root root 1675 Feb 27 10:40 ca-key.pem

-rw-r--r-- 1 root root 1342 Feb 27 10:45 ca.pem

-rw-r--r-- 1 root root 1704 Feb 27 10:49 server-key.pem

-rw-r--r-- 1 root root 1050 Feb 27 10:49 server-req.pem

[[email protected] certs]# openssl rsa -in server-key.pem -out server-key.pem

[[email protected] certs]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# 這是會提示驗證成功，目錄下多了一個 `server-cert.pem` 文件

Client

「主要命令」openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

openssl rsa -in client-key.pem -out client-key.pem

openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

[[email protected] certs]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

#成功后多出`client-key.pem` 和 `client-req.pem` 兩個文件

[[email protected] certs]# openssl rsa -in client-key.pem -out client-key.pem

[[email protected] certs]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# 成功后多出`client-cert.pem` 一個文件

Verify

「主要命令」openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

[[email protected] certs]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

`server-cert.pem` 和 `client-cert.pem` 提示Ok

「配置my.cnf文件」xxx 請改成該文件的全路徑

[mysqld]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/server-cert.pem

ssl-key=xxx/server-key.pem

[client]

ssl-ca=xxx/ca.pem

ssl-cert=xxx/client-cert.pem

ssl-key=xxx/client-key.pem

然后創建一個用戶，並設置其使用SSL連接

mysql> CREATE USER 'ssluser'@'%' identified by '123';

mysql> GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' require ssl;

mysql> FLUSH PRIVILEGES;

重啟下mysql服務，然后通過以下命令連接

[[email protected] certs]# mysql -ussluser -p --ssl-ca=/data/mysql/data/certs/ca.pem --ssl-cert=/data/mysql/data/certs/client-cert.pem --ssl-key=/data/mysql/data/certs/client-key.pem

進入mysql后輸入 SHOW STATUS LIKE 'Ssl_cipher';

+---------------+--------------------+

| Variable_name | Value |

+---------------+--------------------+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+---------------+--------------------+中途因為 –ssl-ca后面的路徑輸入錯誤，導致 SSL connection error: SSL_CTX_set_default_verify_paths failed 的錯誤