MySQL 5.7配置SSL连接

MySQL 5.7配置SSL连接

如果想服务能够部署自动支持安全连接,使用mysql_ssl_rsa_setup工具来创建缺省SSL与RSA文件

[root@cs2 bin]# ./mysql_ssl_rsa_setup --datadir=/mysqldata/mysql
Generating a 2048 bit RSA private key
......................................................................+++
..............................................................+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
..............+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.....................................+++
................................................+++
writing new private key to 'client-key.pem'
-----





启动mysql

[root@cs2 ~]# service mysqld start
Starting MySQL.. SUCCESS!

测试远程登录

-bash-4.2$ mysql -h 10.11.13.19 -P 3306 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.22 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT DISTINCT CONCAT('User: [', user, '''@''', host, '];') AS USER_HOST FROM user;
+------------------------------------+
| USER_HOST                          |
+------------------------------------+
| User: [root'@'%];                  |
| User: [mysql.session'@'localhost]; |
| User: [mysql.sys'@'localhost];     |
+------------------------------------+
3 rows in set (0.05 sec)

通过ssl登录mysql服务器

[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.26-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using  EditLine wrapper

Connection id:          7
Current database:
Current user:           root@10.11.13.19
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.26-log Source distribution
Protocol version:       10
Connection:             10.11.13.19 via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    gb2312
Conn.  characterset:    gb2312
TCP port:               3306
Uptime:                 14 min 11 sec

Threads: 2  Questions: 13  Slow queries: 0  Opens: 108  Flush tables: 1  Open tables: 101  Queries per second avg: 0.015
--------------

mysql> show variables like 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
1 row in set (0.01 sec)

mysql> show variables like 'require_secure_transport';
+--------------------------+-------+
| Variable_name            | Value |
+--------------------------+-------+
| require_secure_transport | OFF   |
+--------------------------+-------+
1 row in set (0.00 sec)

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | DISABLED        |
| have_ssl      | DISABLED        |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+

从上面的查询结果可以看到SSL: Not in use,have_ssl和have_openssl为DISABLED,这说明实际上是没有启用ssl。

这是因为通过执行mysql_ssl_rsa_setup命令产生的pem文件的权限为root用户而不是mysql用户造成的,将这些pem文件的权限修改为mysql用户与组 权限不要太大,只用户权限为rw,组与其它用户需要r权限

[root@localhost mysql]# ls -lrt
30172
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile1
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile2
drwxr-x---. 2 mysql mysql        48 321 16:25 undo
-rw-r-----. 1 mysql mysql        56 321 16:25 auto.cnf
drwxr-x---. 2 mysql mysql      8192 321 16:25 performance_schema
drwxr-x---. 2 mysql mysql      4096 321 16:25 mysql
drwxr-x---. 2 mysql mysql      8192 321 16:25 sys
-rw-r-----. 1 mysql mysql       177 321 16:25 binlog.000001
-rw-r--r--. 1 mysql mysql      1679 321 16:26 ca-key.pem
-rw-r--r--. 1 mysql mysql      1107 321 16:26 ca.pem
-rw-r--r--. 1 root  root       1679 321 16:26 server-key.pem
-rw-r--r--. 1 root  root       1107 321 16:26 server-cert.pem
-rw-r--r--. 1 root  root      1675 321 16:26 client-key.pem
-rw-r--r--. 1 root  root      1107 321 16:26 client-cert.pem
-rw-r--r--. 1 root  root      1675 321 16:26 private_key.pem
-rw-r--r--. 1 root  root       451 321 16:26 public_key.pem
-rw-r-----. 1 mysql mysql    114688 524 17:00 ts2.ibd
-rw-r-----. 1 mysql mysql     98304 524 17:01 ts1.ibd
drwxr-x---. 2 mysql mysql        32 524 17:11 test
-rw-r-----. 1 mysql mysql      9352 621 10:46 binlog.000002
-rw-r-----. 1 mysql mysql       177 621 10:46 binlog.000003
-rw-r-----. 1 mysql mysql       154 9 9 19:55 binlog.000004
-rw-r-----. 1 mysql mysql       177 9 9 20:23 binlog.000005
-rw-r-----. 1 mysql mysql       177 9 9 20:38 binlog.000006
-rw-r-----. 1 mysql mysql       177 9 9 20:44 binlog.000007
-rw-r-----. 1 mysql mysql       122 9 9 20:44 ib_buffer_pool
-rw-r-----. 1 mysql mysql       248 9 9 20:44 binlog.index
-rw-r-----. 1 mysql mysql       154 9 9 20:44 binlog.000008
-rw-r-----. 1 mysql mysql         6 9 9 20:44 mysqld.pid
-rw-r-----. 1 mysql mysql  12582912 9 9 20:44 ibtmp1
-rw-r-----. 1 mysql mysql  10485760 9 9 20:44 ibdata1
-rw-r-----. 1 mysql mysql 104857600 9 9 20:44 ib_logfile0
-rw-r-----. 1 mysql mysql    107011 9 9 20:54 mysql.err

[root@localhost mysql]# chown -R mysql:mysql *.pem
[root@localhost mysql]# ls -lrt
30172
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile1
-rw-r-----. 1 mysql mysql 104857600 321 16:25 ib_logfile2
drwxr-x---. 2 mysql mysql        48 321 16:25 undo
-rw-r-----. 1 mysql mysql        56 321 16:25 auto.cnf
drwxr-x---. 2 mysql mysql      8192 321 16:25 performance_schema
drwxr-x---. 2 mysql mysql      4096 321 16:25 mysql
drwxr-x---. 2 mysql mysql      8192 321 16:25 sys
-rw-r-----. 1 mysql mysql       177 321 16:25 binlog.000001
-rw-r--r--. 1 mysql mysql      1679 321 16:26 ca-key.pem
-rw-r--r--. 1 mysql mysql      1107 321 16:26 ca.pem
-rw-r--r--. 1 mysql mysql      1679 321 16:26 server-key.pem
-rw-r--r--. 1 mysql mysql      1107 321 16:26 server-cert.pem
-rw-r--r--. 1 mysql mysql      1675 321 16:26 client-key.pem
-rw-r--r--. 1 mysql mysql      1107 321 16:26 client-cert.pem
-rw-r--r--. 1 mysql mysql      1675 321 16:26 private_key.pem
-rw-r--r--. 1 mysql mysql       451 321 16:26 public_key.pem
-rw-r-----. 1 mysql mysql    114688 524 17:00 ts2.ibd
-rw-r-----. 1 mysql mysql     98304 524 17:01 ts1.ibd
drwxr-x---. 2 mysql mysql        32 524 17:11 test
-rw-r-----. 1 mysql mysql      9352 621 10:46 binlog.000002
-rw-r-----. 1 mysql mysql       177 621 10:46 binlog.000003
-rw-r-----. 1 mysql mysql       154 9 9 19:55 binlog.000004
-rw-r-----. 1 mysql mysql       177 9 9 20:23 binlog.000005
-rw-r-----. 1 mysql mysql       177 9 9 20:38 binlog.000006
-rw-r-----. 1 mysql mysql       177 9 9 20:44 binlog.000007
-rw-r-----. 1 mysql mysql       122 9 9 20:44 ib_buffer_pool
-rw-r-----. 1 mysql mysql       248 9 9 20:44 binlog.index
-rw-r-----. 1 mysql mysql       154 9 9 20:44 binlog.000008
-rw-r-----. 1 mysql mysql         6 9 9 20:44 mysqld.pid
-rw-r-----. 1 mysql mysql  12582912 9 9 20:44 ibtmp1
-rw-r-----. 1 mysql mysql  10485760 9 9 20:44 ibdata1
-rw-r-----. 1 mysql mysql 104857600 9 9 20:44 ib_logfile0
-rw-r-----. 1 mysql mysql    107011 9 9 20:54 mysql.err

pem文件权限太多可能会出现如下错误

[mysql@localhost mysql]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed


[root@localhost mysql]# service mysqld restart
Shutting down MySQL.. SUCCESS!
Starting MySQL.. SUCCESS!

[mysql@localhost mysql]$ mysql -h 10.11.13.19 -P 3306 -u root -pabcd123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.26-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using  EditLine wrapper

Connection id:          4
Current database:
Current user:           root@10.11.13.19
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.26-log Source distribution
Protocol version:       10
Connection:             10.11.13.19 via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    gb2312
Conn.  characterset:    gb2312
TCP port:               3306
Uptime:                 59 sec

Threads: 2  Questions: 11  Slow queries: 0  Opens: 108  Flush tables: 1  Open tables: 101  Queries per second avg: 0.186
--------------

创建用户限制用户必须用ssl登录

mysql> create user 'jy'@'%' identified by "123";
Query OK, 0 rows affected (0.02 sec)

mysql> grant all on *.* to 'jy'@'%' require ssl;
Query OK, 0 rows affected, 1 warning (0.02 sec)

虽然要求用ssl但是还是可以使用密码登录,是因为mysql.user表中的ssl_type=ANY

[mysql@localhost ~]$  mysql -h 10.11.13.19 -P 3306 -u jy -p123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.26-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.26, for Linux (x86_64) using  EditLine wrapper

Connection id:          7
Current database:
Current user:           jy@10.11.13.19
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.26-log Source distribution
Protocol version:       10
Connection:             10.11.13.19 via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    gb2312
Conn.  characterset:    gb2312
TCP port:               3306
Uptime:                 50 min 18 sec

Threads: 2  Questions: 69  Slow queries: 0  Opens: 139  Flush tables: 1  Open tables: 132  Queries per second avg: 0.022
--------------

mysql> select * from user where user='jy'\G
ERROR 1046 (3D000): No database selected
mysql> select * from mysql.user where user='root'\G
*************************** 1. row ***************************
                  Host: %
                  User: jy
           Select_priv: Y
           Insert_priv: Y
           Update_priv: Y
           Delete_priv: Y
           Create_priv: Y
             Drop_priv: Y
           Reload_priv: Y
         Shutdown_priv: Y
          Process_priv: Y
             File_priv: Y
            Grant_priv: Y
       References_priv: Y
            Index_priv: Y
            Alter_priv: Y
          Show_db_priv: Y
            Super_priv: Y
 Create_tmp_table_priv: Y
      Lock_tables_priv: Y
          Execute_priv: Y
       Repl_slave_priv: Y
      Repl_client_priv: Y
      Create_view_priv: Y
        Show_view_priv: Y
   Create_routine_priv: Y
    Alter_routine_priv: Y
      Create_user_priv: Y
            Event_priv: Y
          Trigger_priv: Y
Create_tablespace_priv: Y
              ssl_type: ANY
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *1AA476D99C1600C9D984E248FBF2FDE3A0BB256E
      password_expired: N
 password_last_changed: 2022-03-21 16:27:48
     password_lifetime: NULL
        account_locked: N
1 row in set (0.00 sec)

修改用户jy的ssl类型为x509

mysql> alter user 'jy'@'%' require x509
    -> ;
Query OK, 0 rows affected (0.01 sec)

在不指定ssl密钥时就不能登录了

[mysql@localhost ~]$ mysql -h 10.11.13.19 -P 3306 -u jy -p123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'jy'@'10.11.13.19' (using password: YES)
[mysql@localhost ~]$  mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
ERROR 1045 (28000): Access denied for user 'jy'@'10.11.13.19' (using password: YES)

指定ssl密钥进行登录

[mysql@localhost ~]$  mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl-cert=/mysqldata/mysql/client-cert.pem --ssl-key=/mysqldata/mysql/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.26-log Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit

如果指定ssl密钥进行登录时不指定密钥完整路径时会出现如下错误

[mysql@localhost ~]$  mysql -h 10.11.13.19 -P 3306 -u jy -p123 --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [ERROR] SSL error: Unable to get certificate from 'client-cert.pem'
ERROR 2026 (HY000): SSL connection error: Unable to get certificate

发表评论

电子邮件地址不会被公开。