一 目標 針對MYSQL進行SSL加固,針對小於5.7的版本

二 生成金鑰公鑰檔案

mkdir -p /home/work/mysql/ssl

1 openssl genrsa 2048 > ca-key.pem
2 openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca.pem
3 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
4 openssl rsa -in server-key.pem -out server-key.pem
5 openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
6 openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
7 openssl rsa -in client-key.pem -out client-key.pem
8 openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

三 檔案許可權

chown -R mysql:mysql /home/work/mysql/ssl

四 mysql配置檔案新增並重啟服務

[client]
ssl-cert = /home/work/mysql/ssl/client-cert.pem
ssl-key = /home/work/mysql/ssl/client-key.pem
[mysqld]
ssl-ca=/home/work/mysql/ssl/ca.pem
ssl-cert=/home/work/mysql/ssl/server-cert.pem
ssl-key=/home/work/mysql/ssl/server-key.pem

五 重新檢視變數SSL

mysql> show variables like '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value |
+---------------+--------------------------------------+
| have_openssl | YES |
| have_ssl | YES

六 建立標準使用者

grant all on test.* to test@'%' identified by 'wang1122' require ssl; 需要ssl 屬性

七 登入測試

mysql -utest -pwang1122 --ssl-ca=/home/work/mysql/ssl/ca.pem --ssl-cert=/home/work/mysql/ssl/client-cert.pem --ssl-key=/home/work/mysql/ssl/client-key.pem --socket=/home/work/mysql/tmp/mysql.sock

八 JAV7jiuA使用

1 匯出keystore供java連線使用
keytool -importcert -file ca-cert.pem -keystore truststore --storepass Abc123
2 設定java環境變數編輯/etc/profile 增加一行
export JAVA_OPTS=" -Djavax.net.ssl.trustStore=/home/mysqlcert/truststore -Djavax.net.ssl.trustStorePassword=Abc123"
執行下source /etc/profile使其生效
3 配置jdbc連線url
jdbc.url=jdbc:mysql://127.0.0.1:3306/mydb?verifyServerCertificate=true&useSSL=true&requireSSL=true

九 總結

1 中途開啟了SSL,之前建立的使用者還是可以不經過SSL進行訪問的

2 開啟SSL會有效能損耗