MySQL 5.7 的SSL加密方法
阿新 • • 發佈:2017-06-28
mysql fin lte ssl加密 ons style 數據 second lec
total 1024072
-rw-r----- 1 mysql mysql 56 Jun 19 17:56 auto.cnf
-rw------- 1 root root 1679 Jun 28 10:48 ca-key.pem
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 client-cert.pem
-rw------- 1 root root 1679 Jun 28 10:48 client-key.pem
-rw-r----- 1 mysql mysql 1048576000 Jun 28 10:47 ibdata1
drwxr-x--- 2 mysql mysql 4096 Jun 19 17:57 mysql
drwxr-x--- 2 mysql mysql 4096 Jun 19 17:57 performance_schema
-rw------- 1 root root 1679 Jun 28 10:48 private_key.pem
-rw-r--r-- 1 root root 451 Jun 28 10:48 public_key.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 server-cert.pem
-rw------- 1 root root 1675 Jun 28 10:48 server-key.pem
drwxr-x--- 2 mysql mysql 12288 Jun 19 17:57 sys
-rw-r----- 1 mysql mysql 418 Jun 20 14:14 VM_45_133_centos.log
客戶端連接需要的證書,當然不用證書也是可以的
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 client-cert.pem
-rw------- 1 root root 1679 Jun 28 10:48 client-key.pem
-rw------- 1 root root 1679 Jun 28 10:48 private_key.pem
服務器上的證書
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw------- 1 root root 1679 Jun 28 10:48 ca-key.pem
-rw-r--r-- 1 root root 451 Jun 28 10:48 public_key.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 server-cert.pem
-rw------- 1 root root 1675 Jun 28 10:48 server-key.pem
--修改my.cnf
#########SSL#############
ssl-ca = /data/mysql/mysql3306/data/ca.pem
ssl-cert = /data/mysql/mysql3306/data/server-cert.pem
ssl-key = /data/mysql/mysql3306/data/server-key.pem
(2)重啟mysql
/etc/init.d/mysql stop
/etc/init.d/mysql start
--查看ssl參數狀態,查看have_ssl,為YES,這表示已經開始支持SSL了
show global variables like ‘%ssl%‘;
+---------------+--------------------------------------------+
| Variable_name | Value |
+---------------+--------------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /data/mysql/mysql3306/data/ca.pem |
| ssl_capath | |
| ssl_cert | /data/mysql/mysql3306/data/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /data/mysql/mysql3306/data/server-key.pem |
+---------------+--------------------------------------------+
show global status like ‘%ssl%‘;
+--------------------------------+--------------------------+
| Variable_name | Value |
+--------------------------------+--------------------------+
| Com_show_processlist | 0 |
| Ssl_accept_renegotiates | 0 |
| Ssl_accepts | 0 |
| Ssl_callback_cache_hits | 0 |
| Ssl_cipher | |
| Ssl_cipher_list | |
| Ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| Ssl_ctx_verify_depth | 0 |
| Ssl_ctx_verify_mode | 0 |
| Ssl_default_timeout | 0 |
| Ssl_finished_accepts | 0 |
| Ssl_finished_connects | 0 |
| Ssl_server_not_after | Jun 26 02:48:05 2027 GMT |
| Ssl_server_not_before | Jun 28 02:48:05 2017 GMT |
| Ssl_session_cache_hits | 0 |
| Ssl_session_cache_misses | 0 |
| Ssl_session_cache_mode | Unknown |
| Ssl_session_cache_overflows | 0 |
| Ssl_session_cache_size | 0 |
| Ssl_session_cache_timeouts | 0 |
| Ssl_sessions_reused | 0 |
| Ssl_used_session_cache_entries | 0 |
| Ssl_verify_depth | 0 |
| Ssl_verify_mode | 0 |
| Ssl_version | |
+--------------------------------+--------------------------+
查看SSL的加密方式
show global variables like ‘tls_version‘;
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
(3)配置SSL用戶
取消ssl驗證
grant all privileges on *.* to [email protected]%‘ identified by ‘123456‘ require none;
alter user [email protected]%‘ require none;
--強制ssl驗證,即使設置了強制ssl,在登錄時候使用--ssl-mode=disable依然可以避開ssl驗證
grant all privileges on *.* to [email protected]%‘ identified by ‘123465‘ require ssl;
alter user [email protected]%‘ require ssl;
查看是否開啟強制用戶使用SSL
select user,host,ssl_type,ssl_cipher from mysql.user;
+-----------+-----------+----------+------------+
| user | host | ssl_type | ssl_cipher |
+-----------+-----------+----------+------------+
| root | % | | |
| mysql.sys | localhost | | |
| abcssl | % | ANY | |
+-----------+-----------+----------+------------+
(4)連接數據庫的時候,帶上SSL
不指定客戶端證書方式
5.6
--ssl、--disable-ssl、--skip-ssl:在mysql5.7是將被廢棄的選項,將來版本不再支持,建議使用--ssl-mode選項,
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl 默認為1
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl=0
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl=1 默認為1
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --disable-ssl
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --skip-ssl
5.7
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl-mode=disable
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl-mode=required 默認required
從另一臺機器連接過去也可以ssl加密,表明不需要安裝客戶端證書的
/usr/local/mysql/bin/mysql -uroot -p -h10.105.45.133 --ssl-mode=required
指定客戶端證書方式,5.6的方式,5.7也可以用
/usr/local/mysql/bin/mysql --ssl-ca=/data/mysql/mysql3306/data/ca.pem \
--ssl-cert=/data/mysql/mysql3306/data/client-cert.pem \
--ssl-key=/data/mysql/mysql3306/data/client-key.pem \
-uroot -p -h127.0.0.1
(5)連接驗證連接是否用了ssl
\s == status
--------------
/usr/local/mysql/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper 客戶端版本
Connection id: 69
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 28 min 14 sec
Threads: 2 Questions: 1755 Slow queries: 0 Opens: 114 Flush tables: 1 Open tables: 102 Queries per second avg: 1.036
--------------
JDBC客戶端的解決方法
連接字符串url中加入ssl=true或false:
url=jdbc:mysql://127.0.0.1:3306/framework?characterEncoding=utf8&useSSL=true
MySQL 5.7 的SSL加密方法
MySQL 5.7.6或以上版本
(1)創建證書開啟SSL驗證
--安裝openssl
yum install -y openssl
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
--安裝證書
/usr/local/mysql/bin/mysql_ssl_rsa_setup --datadir=/data/mysql/mysql3306/data
--修改權限
chown -R mysql:mysql /data/mysql/mysql3306/data
pwd
/data/mysql/mysql3306/data
[[email protected]
total 1024072
-rw-r----- 1 mysql mysql 56 Jun 19 17:56 auto.cnf
-rw------- 1 root root 1679 Jun 28 10:48 ca-key.pem
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 client-cert.pem
-rw------- 1 root root 1679 Jun 28 10:48 client-key.pem
-rw-r----- 1 mysql mysql 1048576000 Jun 28 10:47 ibdata1
drwxr-x--- 2 mysql mysql 4096 Jun 19 17:57 mysql
drwxr-x--- 2 mysql mysql 4096 Jun 19 17:57 performance_schema
-rw------- 1 root root 1679 Jun 28 10:48 private_key.pem
-rw-r--r-- 1 root root 451 Jun 28 10:48 public_key.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 server-cert.pem
-rw------- 1 root root 1675 Jun 28 10:48 server-key.pem
drwxr-x--- 2 mysql mysql 12288 Jun 19 17:57 sys
-rw-r----- 1 mysql mysql 418 Jun 20 14:14 VM_45_133_centos.log
客戶端連接需要的證書,當然不用證書也是可以的
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 client-cert.pem
-rw------- 1 root root 1679 Jun 28 10:48 client-key.pem
-rw------- 1 root root 1679 Jun 28 10:48 private_key.pem
服務器上的證書
-rw-r--r-- 1 root root 1074 Jun 28 10:48 ca.pem
-rw------- 1 root root 1679 Jun 28 10:48 ca-key.pem
-rw-r--r-- 1 root root 451 Jun 28 10:48 public_key.pem
-rw-r--r-- 1 root root 1078 Jun 28 10:48 server-cert.pem
-rw------- 1 root root 1675 Jun 28 10:48 server-key.pem
--修改my.cnf
#########SSL#############
ssl-ca = /data/mysql/mysql3306/data/ca.pem
ssl-cert = /data/mysql/mysql3306/data/server-cert.pem
ssl-key = /data/mysql/mysql3306/data/server-key.pem
(2)重啟mysql
/etc/init.d/mysql stop
/etc/init.d/mysql start
--查看ssl參數狀態,查看have_ssl,為YES,這表示已經開始支持SSL了
show global variables like ‘%ssl%‘;
+---------------+--------------------------------------------+
| Variable_name | Value |
+---------------+--------------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /data/mysql/mysql3306/data/ca.pem |
| ssl_capath | |
| ssl_cert | /data/mysql/mysql3306/data/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /data/mysql/mysql3306/data/server-key.pem |
+---------------+--------------------------------------------+
show global status like ‘%ssl%‘;
+--------------------------------+--------------------------+
| Variable_name | Value |
+--------------------------------+--------------------------+
| Com_show_processlist | 0 |
| Ssl_accept_renegotiates | 0 |
| Ssl_accepts | 0 |
| Ssl_callback_cache_hits | 0 |
| Ssl_cipher | |
| Ssl_cipher_list | |
| Ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| Ssl_ctx_verify_depth | 0 |
| Ssl_ctx_verify_mode | 0 |
| Ssl_default_timeout | 0 |
| Ssl_finished_accepts | 0 |
| Ssl_finished_connects | 0 |
| Ssl_server_not_after | Jun 26 02:48:05 2027 GMT |
| Ssl_server_not_before | Jun 28 02:48:05 2017 GMT |
| Ssl_session_cache_hits | 0 |
| Ssl_session_cache_misses | 0 |
| Ssl_session_cache_mode | Unknown |
| Ssl_session_cache_overflows | 0 |
| Ssl_session_cache_size | 0 |
| Ssl_session_cache_timeouts | 0 |
| Ssl_sessions_reused | 0 |
| Ssl_used_session_cache_entries | 0 |
| Ssl_verify_depth | 0 |
| Ssl_verify_mode | 0 |
| Ssl_version | |
+--------------------------------+--------------------------+
查看SSL的加密方式
show global variables like ‘tls_version‘;
+---------------+---------------+
| Variable_name | Value |
+---------------+---------------+
| tls_version | TLSv1,TLSv1.1 |
+---------------+---------------+
(3)配置SSL用戶
取消ssl驗證
grant all privileges on *.* to [email protected]%‘ identified by ‘123456‘ require none;
alter user [email protected]%‘ require none;
--強制ssl驗證,即使設置了強制ssl,在登錄時候使用--ssl-mode=disable依然可以避開ssl驗證
grant all privileges on *.* to [email protected]%‘ identified by ‘123465‘ require ssl;
alter user [email protected]%‘ require ssl;
查看是否開啟強制用戶使用SSL
select user,host,ssl_type,ssl_cipher from mysql.user;
+-----------+-----------+----------+------------+
| user | host | ssl_type | ssl_cipher |
+-----------+-----------+----------+------------+
| root | % | | |
| mysql.sys | localhost | | |
| abcssl | % | ANY | |
+-----------+-----------+----------+------------+
(4)連接數據庫的時候,帶上SSL
不指定客戶端證書方式
5.6
--ssl、--disable-ssl、--skip-ssl:在mysql5.7是將被廢棄的選項,將來版本不再支持,建議使用--ssl-mode選項,
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl 默認為1
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl=0
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl=1 默認為1
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --disable-ssl
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --skip-ssl
5.7
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl-mode=disable
/usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1 --ssl-mode=required 默認required
從另一臺機器連接過去也可以ssl加密,表明不需要安裝客戶端證書的
/usr/local/mysql/bin/mysql -uroot -p -h10.105.45.133 --ssl-mode=required
指定客戶端證書方式,5.6的方式,5.7也可以用
/usr/local/mysql/bin/mysql --ssl-ca=/data/mysql/mysql3306/data/ca.pem \
--ssl-cert=/data/mysql/mysql3306/data/client-cert.pem \
--ssl-key=/data/mysql/mysql3306/data/client-key.pem \
-uroot -p -h127.0.0.1
(5)連接驗證連接是否用了ssl
\s == status
--------------
/usr/local/mysql/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper 客戶端版本
Connection id: 69
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server version: 5.7.18-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 28 min 14 sec
Threads: 2 Questions: 1755 Slow queries: 0 Opens: 114 Flush tables: 1 Open tables: 102 Queries per second avg: 1.036
--------------
JDBC客戶端的解決方法
連接字符串url中加入ssl=true或false:
url=jdbc:mysql://127.0.0.1:3306/framework?characterEncoding=utf8&useSSL=true
MySQL 5.7 的SSL加密方法