La position actuelle:Accueil du site>Configuration SSL MySQL 5.6 / 5.7

Configuration SSL MySQL 5.6 / 5.7

2022-07-23 04:38:44Isoleo

Thème I:mysql5.7On et configuressl

[[email protected] bin]# ./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --user=mysql

Generating a 2048 bit RSA private key
............................................................................+++
............+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.......................+++
..........................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
...........+++
..........+++
writing new private key to 'client-key.pem'
-----

Voir

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+---------------+-----------------+
9 rows in set (0.01 sec)

(SSL Toujours pas activé )

Solutions: Sous le Répertoire de données .pemDocuments, Le Groupe principal et le groupe générique sont remplacés par: mysql

[[email protected] mysql_data1]# chown -R mysql.mysql *.pem

Puis redémarrez le service

[[email protected] mysql_data1]# /etc/init.d/mysqld_multi stop 1

[[email protected] mysql_data1]# /etc/init.d/mysqld_multi start 1
[[email protected] mysql_data1]# /etc/init.d/mysqld_multi report
Reporting MySQL servers
MySQL server from group: mysqld1 is running

[[email protected] mysql_data1]# mysql --login-path=mysql1 -e "show variables like 'have%ssl%';"
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+

(Descriptionssl Activé? )

[[email protected] mysql_data1]# ll *.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 ca-key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 ca.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 client-cert.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 client-key.pem
-rw-------. 1 mysql mysql 1679 Nov 24 11:14 private_key.pem
-rw-r--r--. 1 mysql mysql 451 Nov 24 11:14 public_key.pem
-rw-r--r--. 1 mysql mysql 1107 Nov 24 11:14 server-cert.pem
-rw-------. 1 mysql mysql 1675 Nov 24 11:14 server-key.pem

 

Comment passersslConnexion

[[email protected] mysql_data2]# mysql -u ssl -p -h 10.2.11.226 --ssl-cert=/data/mysql_data2/client-cert.pem --ssl-key=/data/mysql_data2/client-key.pem -P 3307
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q

( Par défaut si l'autorisation n'est pas limitée , L'utilisateur peut se connecter avec une clé secrète , Vous pouvez également vous connecter par nom d'utilisateur et mot de passe )

 

Les dispositions relatives à l'autorisation de l'utilisateur ne peuvent être adoptées que par sslMode de connexion

mysql> create user 'tom'@'10.2.11.%' identified by 'Aa123456';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'tom'@'10.2.11.%' require ssl;
Query OK, 0 rows affected, 1 warning (0.00 sec)

Tests

[[email protected] ~]# mysql -u tom -p -h 10.2.11.226 --ssl-mode 'REQUIRED' -P 3306 
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.

mysql>

 

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using EditLine wrapper

Connection id: 25
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.20-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 10.2.11.226 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 1 hour 34 min 11 sec

Threads: 2 Questions: 56 Slow queries: 0 Opens: 124 Flush tables: 1 Open tables: 117 Queries per second avg: 0.009
--------------

  Si vous avez besoin ssl J'ai besoin d'une clé secrète. ,Comment faire??

mysql> alter user 'tom'@'10.2.11.%' require x509;
Query OK, 0 rows affected (0.01 sec)

Ou créer un nouvel utilisateur ,Exigencesssl+Connexion à clé secrète

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> grant all on *.* to 'test'@'10.2.18.%' identified by 'Aa123456' require x509;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 Connexion au test:

[[email protected] mysql_data1]# mysql -u test -p -h 10.2.11.226 -P 3306 --ssl
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

(Découverte parsslJe ne peux pas me connecter.)

 

Test de connexion client distant (Je prendsmysql workbenchPar exemple)

 

Thème II :mysql5.6On et configuressl

https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html

 1、 Configuration du serveur de connexion chiffré

 [mysqld]

ssl-ca=ca.pem

ssl-cert=server-cert.pem

ssl-key=server-key.pem

Description:

ss-ca:Autorité de certification(CA) Nom du chemin du fichier de certificat

ssl-cert: Pathname of Server Public Key Certificate file . Ceci peut être envoyé au client ,Et à traversCACertificat d'authentification.

ssl-key: Pathname of the Private Key Certificate file for the server

2、Utilisation par le clientssl

CAS:

mysql  --ssl-ca=ca.pem  --ssl-cert=client-cert.pem  --ssl-key=client-key.pem

Adoptionopenssl Production SSL Certificat

[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01>serial

 

CréationCACertificat

[[email protected] mysql56]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................................+++
......................................................................................................................+++
e is 65537 (0x10001)
[[email protected] mysql56]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[[email protected] mysql56]# ll *.pem
-rw-r--r--. 1 root root 1679 Nov 24 15:15 ca-key.pem
-rw-r--r--. 1 root root 1314 Nov 24 15:16 ca.pem

Créer un certificat de serveur

[[email protected] mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
......................................................+++
.........................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:server.test.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] mysql56]# openssl rsa -in server-key.pem -out server-key.pem 
writing RSA key

[[email protected] mysql56]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=server.test.com
Getting CA Private Key

 

Créer un certificat client

 

[[email protected] mysql56]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
.+++
...............................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:als
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:client.test.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] mysql56]# openssl rsa -in client-key.pem -out client-key.pem 
writing RSA key
[[email protected] mysql56]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=als/OU=ops/CN=client.test.com
Getting CA Private Key

 

Détection:

[[email protected] mysql56]# openssl verify -CAfile ca.pem server-cert.pem client-cert.pem 
server-cert.pem: OK
client-cert.pem: OK

 

Description:

  • ca.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)

  • server-cert.pemserver-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.

  • client-cert.pemclient-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.

 

[[email protected] mysql56]# chown -R mysql.mysql *.pem (Changement de propriétaire et de groupe)

 

Compilationmy.cnfDocumentation,In【mysqld】Remplissez ci - dessous

ssl-ca=/data/mysql56/ca.pem 
ssl-cert=/data/mysql56/server-cert.pem 
ssl-key=/data/mysql56/server-key.pem

 Tests

mysql> grant all on *.* to 'test'@'10.2.11.%' identified by 'Aa123456' require x509; (AutorisationtestL'utilisateur passe parssl+Connexion à clé secrète)
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 

[[email protected] ~]# mysql -u test -h 10.2.11.226 -p -P 3308
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'10.2.11.226' (using password: YES)

 ( Erreur de connexion directe par mot de passe )

 

 

[[email protected] ~]# mysql -u test -h 10.2.11.226 -p -P 3308 -ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
mysql: [ERROR] mysql: unknown option '-l'
[[email protected] ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.pem
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
[[email protected] ~]# mysql -u test -h 10.2.11.226 -p -P 3308 --ssl-cert=/data/mysql56/client-cert.pem --ssl-key=/data/mysql56/client-key.pem
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.6.38-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

( Si vous voulez passer par un autre ordinateur ssl Connectez - vous à la base de données de cette machine ,Il fautca.pem,client-cert.pem,client-key.pem Copier sur un autre ordinateur , Ensuite, configurez l'outil pour vous connecter à la base de données en utilisant ssl)

Mentions de copyright
Auteur de cet article [Isoleo],Réimpression s’il vous plaît apporter le lien vers l’original, merci
https://fra.chowdera.com/2022/204/202207221751019959.html

Recommandé par sidebar

Devinez que vous aimez

Recommandé au hasard