MySQL 5.6--------SSL连接最佳实战
1. 背景
* 在生产环境下,安全总是无法忽视的问题,数据库安全则是重中之重,因为所有的数据都存放在数据库中
* 当使用非加密方式连接MySQL数据库时,在网络中传输的所有信息都是明文的,可以被网络中所有人截取,敏感信息可能被泄露。在传送敏感信息(如密码)时,可以采用SSL连接的方式。
2. MySQL 连接方式
* socket连接
* TCP非SSL连接
* SSL安全连接
3. SSL 简介
* SSL指的是SSL/TLS,其是一种为了在计算机网络进行安全通信的加密协议。假设用户的传输不是通过SSL的方式,那么其在网络中以明文的方式进行传输,而这给别有用心的人带来了可乘之机。所以,现在很多网站其实默认已经开启了SSL功能,比如Facebook、Twtter、YouTube、淘宝等。
4. 环境 [ 关闭SeLinux ]
* system 环境
1
2
3
4
5
6
7
8
|
[root@MySQL ~] # cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@MySQL ~] # uname -r
2.6.32-696.3.2.el6.x86_64
[root@MySQL ~] # getenforce
Disabled
|
* MySQL 环境 [ MySQL 5.6安装前面篇章已做详细介绍 ]
have_openssl 与 have_ssl 值都为DISABLED表示ssl未开启
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
[root@MySQL mysql] # mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and /or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and /or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.6.36 |
+-----------+
1 row in set (0.00 sec)
mysql> show variables like 'have%ssl%' ;
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
+---------------+----------+
2 rows in set (0.00 sec)
mysql> show variables like 'port' ;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| port | 3306 |
+---------------+-------+
1 row in set (0.00 sec)
mysql> show variables like 'datadir' ;
+---------------+-------------------+
| Variable_name | Value |
+---------------+-------------------+
| datadir | /data/mysql_data/ |
+---------------+-------------------+
1 row in set (0.00 sec)
|
5. 通过openssl 制作生成 SSL 证书
* 生成一个 CA 私钥
1
2
3
4
5
|
[root@MySQL ~] # openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
....................+++
e is 65537 (0x10001)
|
* 通过 CA 私钥生成数字证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
[root@MySQL ~] # openssl req -new -x509 -nodes -days 3600 \
> -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.' , the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname ) []:
Email Address []:
|
* 创建 MySQL 服务器 私钥和请求证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[root@MySQL ~] # openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
.................................+++
.......................................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.' , the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname ) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
* 将生成的私钥转换为 RSA 私钥文件格式
1
2
|
[root@MySQL ~] # openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
|
* 用CA 证书来生成一个服务器端的数字证书
1
2
3
4
5
|
[root@MySQL ~] # openssl x509 -req -in server-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject= /C =XX /L =Default City /O =Default Company Ltd
Getting CA Private Key
|
* 创建客户端的 RSA 私钥和数字证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[root@MySQL ~] # openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
..........................................................+++
.................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.' , the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname ) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
* 将生成的私钥转换为 RSA 私钥文件格式
1
2
|
[root@MySQL ~] # openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
|
* 用CA 证书来生成一个客户端的数字证书
1
2
3
4
5
|
[root@MySQL ~] # openssl x509 -req -in client-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject= /C =XX /L =Default City /O =Default Company Ltd
Getting CA Private Key
|
* 查看所有生成的SSL文件
1
2
3
4
5
6
7
8
9
|
[root@MySQL ~] # ls -l *.pem
-rw-r--r-- 1 root root 1675 Jun 24 14:16 ca-key.pem
-rw-r--r-- 1 root root 1220 Jun 24 14:19 ca.pem
-rw-r--r-- 1 root root 1090 Jun 24 14:29 client-cert.pem
-rw-r--r-- 1 root root 1679 Jun 24 14:28 client-key.pem
-rw-r--r-- 1 root root 952 Jun 24 14:28 client-req.pem
-rw-r--r-- 1 root root 1090 Jun 24 14:24 server-cert.pem
-rw-r--r-- 1 root root 1679 Jun 24 14:23 server-key.pem
-rw-r--r-- 1 root root 952 Jun 24 14:20 server-req.pem
|
6. MySQL 配置启动 SSL
* 复制 CA 证书和服务端SSL文件至MySQL 数据目录
1
2
3
4
5
|
[root@MySQL ~] # cp ca.pem server-*.pem /data/mysql_data -v
`ca.pem ' -> `/data/mysql_data/ca.pem'
`server-cert.pem ' -> `/data/mysql_data/server-cert.pem'
`server-key.pem ' -> `/data/mysql_data/server-key.pem'
`server-req.pem ' -> `/data/mysql_data/server-req.pem'
|
* 修改 MySQL 数据目录的CA 证书和服务端 SSL 文件所属用户与组
1
2
3
4
5
|
[root@MySQL ~] # chown -v mysql.mysql /data/mysql_data/{ca,server*}.pem
changed ownership of ` /data/mysql_data/ca .pem' to mysql:mysql
changed ownership of ` /data/mysql_data/server-cert .pem' to mysql:mysql
changed ownership of ` /data/mysql_data/server-key .pem' to mysql:mysql
changed ownership of ` /data/mysql_data/server-req .pem' to mysql:mysql
|
* 配置 MySQL 服务的配置文件 [/etc/my.cnf]
1
2
3
4
|
[mysqld]
ssl-ca= /data/mysql_data/ca .pem
ssl-cert= /data/mysql_data/server-cert .pem
ssl-key= /data/mysql_data/server-key .pem
|
* 重启MySQL服务
1
2
3
|
[root@MySQL ~] # /etc/init.d/mysqld restart
Shutting down MySQL.. SUCCESS!
Starting MySQL. SUCCESS!
|
* 登陆查看SSL开启状态
have_openssl 与 have_ssl 值都为YES表示ssl开启成功
1
2
3
4
5
6
7
8
|
mysql> show variables like 'have%ssl%' ;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
2 rows in set (0.01 sec)
|
6. SSL连接测试
* 创建用户并指定 SSL 连接
1
2
|
mysql> grant all on *.* to 'ssl_test' @ '%' identified by '123' require SSL;
Query OK, 0 rows affected (0.00 sec)
|
* 通过密码连接测试
1
2
3
|
[root@MySQL ~] # mysql -h 192.168.60.129 -ussl_test -p'123'
Warning: Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'ssl_test' @ '192.168.60.129' (using password: YES)
|
* 通过客户端密钥与证书SSL + 密码连接测试
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
[root@MySQL ~] # mysql -h 192.168.60.129 -ussl_test --ssl-cert=client-cert.pem --ssl-key=client-key.pem
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.6.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and /or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and /or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.6.36, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id : 20
Current database:
Current user: ssl_test@192.168.60.129
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.36 MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.60.129 via TCP /IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 16 min 38 sec
Threads: 1 Questions: 35 Slow queries: 0 Opens: 67 Flush tables: 1 Open tables: 60 Queries per second avg: 0.035
|
7. 总结
以需求驱动技术,技术本身没有优略之分,只有业务之分。
本文转自asd1123509133 51CTO博客,原文链接:http://blog.51cto.com/lisea/1942216,如需转载请自行联系原作者
MySQL 5.6--------SSL连接最佳实战相关推荐
- mysql 5.6 使用ssl_MySQL 5.6--------SSL连接最佳实战
MySQL 5.6--------SSL连接最佳实战 https://blog.csdn.net/weixin_33670786/article/details/89776706 mysql -uro ...
- MySQL 5.7--------多实例部署最佳实战
MySQL 5.7--------多实例部署最佳实战 安装之前关闭linux防火墙:centos6和7是不一样的!!!!!! CentOS 6.5关闭防火墙 1 2 [root@localho ...
- Mysql 中的SSL 连接
Mysql 中的SSL 连接 以下来自网络参考和自己测试整理,没有查找相关资料.若有错误之处,欢迎指正. 当前的Mysql 客户端版本基本都不太能支持 caching_sha2_password 认证 ...
- mysql cert_Mysql使用SSL连接
最近项目中用到了SSL连接,记录一下,环境为windows10,Mysql版本为5.6 查看是否支持 SSL 首先在 MySQL 上执行如下命令, 查询是否 MySQL 支持 SSL: mysql&g ...
- 《MySQL DBA:SSL连接》
一.SSL连接 5.7版本安装脚本中有一句 bin/mysql_ssl_rsa_setup 支持SSL Generating a 2048 bit RSA private key .......... ...
- spring mysql ssl_MySQL 使用 SSL 连接配置详解
vsftpd配置详解 vsftpd是linux发行版中的一款ftp服务器程序它的全称是"very secure ftp daemon",号称是最安全的ftp服务器.它工作在2120 ...
- mysql切换到使用openssl_OpenSSL可以用来调试到MySQL服务器的SSL连接吗?
OpenSSL 1.1.1版(2018年9月11日发布)在 commit a2d9cfbac5d87b03496d62079aef01c601193b58中添加了对-starttls mysql的支持 ...
- ecmall mysql.php_ECMall支持SSL连接邮件服务器的配置方法详解
首先,主要是ecmall使用的phpmailer版本太低,不支持加密连接. 然后,得对相应代码做一定调整. 1. 覆盖phpmailer 请从附件进行下载: 2. 改造lib 涉及到两个lib:mai ...
- MySQL DDL操作--------外键最佳实战
1. 背景 * MySQL有两种常用的引擎类型MyISAM和InnoDB.目前只有InnoDB引擎类型支持外键约束. * 本表的列必须与外键类型相同, 外键必须是外表的唯一键(或主键). * 设置外建 ...
最新文章
- VCSA 6.5 HA 配置之五:故障转移测试
- 关于Linux路由表的route命令(转)
- Python入门100题 | 第054题
- 成功解决Redirection is not supported
- 不要再问我Python2和Python3的Unicode 问题啦!
- 【大会】技术决策背后的商业逻辑
- 前端性能优化经典:javascript防抖节流
- 在网上找了一个读取文件夹下面的所有文件到txt的code 已验证
- pyqt怎么button怎么链接_微信视频号怎么添加链接?添加微信公众号链接教程
- 制版经验分享—使用AD18
- 如何从PDF文件中提取几页为一个PDF文件?
- 【博客427】通过redfish协议操控服务器
- bug - Nacos - Ignore the empty nacos configuration and get it based on dataId
- 智能系统概论——初识百度AI平台
- 互联网日报 | 得到披露招股书;格力集团35亿投资小米;淘宝村年交易额破万亿;2020北京车展开幕...
- 【红帽认证参考】常见问题解答
- 关于GPS实际精度比较低,而且频率低,但是无人机GPS定点却定得和钉子一样
- SpringBoot POI导出Excel
- 基础数学(8)——常微分方程数值解法
- UVA10115- Automatic Editing
热门文章
- java实现Kafka生产者示例
- boost库在工作(20)线程之五
- 3690状态压缩+暴力
- C语言经典例8-输出乘法口诀表
- 【RecyclerView】 三、RecyclerView 布局 ( 线性布局管理器 LinearLayoutManager )
- 【计算理论】可判定性 ( 计算模型与语言 | 区分 可计算语言 与 可判定语言 | 证明 通用图灵机语言是 可计算语言 | 通用任务图灵机 与 特殊任务图灵机 )
- 【计算机网络】网络层 : IP 组播 ( IP 数据报传输方式 | 组播 IP 地址 | 组播 MAC 地址 | IGMP 协议 | 组播路由选择协议 )
- Codeforces 1103
- [docker] 04 使用docker容器
- 病毒木马防御与分析实战