  • mysql8.0 使用 x509设置加密连接

    mysql8.0 使用 x509设置加密连接

    # 使用 x509设置加密连接

    下面列出的是 MySQL 数据目录中的证书文件(通常是 mysqld 首次启动时自动生成的一套)。注意 ca-key.pem(CA 私钥)与 server-key.pem 放在同一目录:能读取 ca-key.pem 的人可以自行签发能通过 REQUIRE X509 校验的客户端证书,生产环境应把 CA 私钥移出数据库服务器,只保留 ca.pem 用于校验。

    [root@db145 data]# ls -lhtr /data/mysql/mysql_3306/data/ | grep pem
    -rw------- 1 mysql mysql 1.7K Jun 6 2019 ca-key.pem
    -rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 ca.pem
    -rw------- 1 mysql mysql 1.7K Jun 6 2019 server-key.pem
    -rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 server-cert.pem
    -rw------- 1 mysql mysql 1.7K Jun 6 2019 client-key.pem
    -rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 client-cert.pem
    -rw-r--r-- 1 mysql mysql 452 Jun 6 2019 public_key.pem
    -rw------- 1 mysql mysql 1.7K Jun 6 2019 private_key.pem


    # 在配置文件中添加如下内容

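    [client]
    # Client-side TLS material: ssl-cert/ssl-key are the client certificate and
    # key presented to accounts created with REQUIRE X509. Use absolute paths;
    # the original "data/client/client-cert.pem" was relative and resolved
    # against the current working directory.
    ssl-cert = /data/client/client-cert.pem
    ssl-key = /data/client/client-key.pem
    # Without ssl-ca the client never checks who signed the server certificate:
    # the link is encrypted but not authenticated, so an impostor server could
    # sit in the middle. Copy the server's ca.pem next to the client files and
    # require chain verification. ca.pem must be the CA of the instance you
    # connect to (each instance auto-generates its own unless you share one CA).
    ssl-ca = /data/client/ca.pem
    ssl-mode = VERIFY_CA
    # VERIFY_IDENTITY would additionally match the host name against the
    # certificate; an auto-generated server-cert.pem is unlikely to carry the
    # host name, so check its subject/SAN (openssl x509 -noout -subject) first.

    [mysqld]
    # Server-side TLS material. ssl-ca is the CA the server trusts for client
    # certificates; REQUIRE X509 accepts any certificate that CA signed unless
    # the account also carries REQUIRE ISSUER/SUBJECT.
    ssl-ca=/data/mysql/mysql_3306/data/ca.pem
    ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
    ssl-key=/data/mysql/mysql_3306/data/server-key.pem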

    # 重启数据库服务

    mysql> show variables like '%ssl%';
    +---------------------------------------------------+---------------------------------------------+
    | Variable_name | Value |
    +---------------------------------------------------+---------------------------------------------+
    | group_replication_recovery_ssl_ca | |
    | group_replication_recovery_ssl_capath | |
    | group_replication_recovery_ssl_cert | |
    | group_replication_recovery_ssl_cipher | |
    | group_replication_recovery_ssl_crl | |
    | group_replication_recovery_ssl_crlpath | |
    | group_replication_recovery_ssl_key | |
    | group_replication_recovery_ssl_verify_server_cert | OFF |
    | group_replication_recovery_use_ssl | OFF |
    | group_replication_ssl_mode | DISABLED |
    | have_openssl | YES |
    | have_ssl | YES |
    | mysqlx_ssl_ca | |
    | mysqlx_ssl_capath | |
    | mysqlx_ssl_cert | |
    | mysqlx_ssl_cipher | |
    | mysqlx_ssl_crl | |
    | mysqlx_ssl_crlpath | |
    | mysqlx_ssl_key | |
    | ssl_ca | /data/mysql/mysql_3306/data/ca.pem |
    | ssl_capath | |
    | ssl_cert | /data/mysql/mysql_3306/data/server-cert.pem |
    | ssl_cipher | |
    | ssl_crl | |
    | ssl_crlpath | |
    | ssl_fips_mode | OFF |
    | ssl_key | /data/mysql/mysql_3306/data/server-key.pem |
    +---------------------------------------------------+---------------------------------------------+
    27 rows in set (0.01 sec)
    
    mysql>

    将 client-cert.pem、client-key.pem 以及 ca.pem 通过安全通道(例如 scp)传给客户端:client-key.pem 本身就是登录凭据,ca.pem 则用于客户端校验服务端证书(不配置 ssl-ca 时连接只加密、不认证,可被中间人冒充)。
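    # Lock down the client material copied to /data/client: the key is a login
    # credential, so it must stay readable only by the account that runs the
    # client ("mysql.mysql" is the older spelling of user:group).
    chown -R mysql:mysql /data/client/
    chmod 600 /data/client/client-key.pem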

    # 新建测试账号

    -- REQUIRE X509: the account must present a client certificate signed by the
    -- CA in the server's ssl_ca. Any certificate from that CA is accepted because
    -- no ISSUER/SUBJECT restriction is given (mysql.user.x509_issuer and
    -- x509_subject stay empty); add REQUIRE ISSUER '...' SUBJECT '...' to pin it.
    mysql> create user 'user_w'@'%' identified by 'user_w_pwd' require X509;
    -- Test-only grant: ALL PRIVILEGES ON *.* for a '%' host is far broader than
    -- a real application account should receive.
    mysql> grant all privileges on *.* to 'user_w'@'%';
    [root@db143 client]# mysql -h 192.168.142.145 --ssl-cert=/data/client/client-cert.pem --ssl-key=/data/client/client-key.pem -uuser_w -p'user_w_pwd'
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 16
    Server version: 8.0.18 MySQL Community Server - GPL
    
    Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> \s
    --------------
    mysql Ver 8.0.18 for linux-glibc2.12 on x86_64 (MySQL Community Server - GPL)
    
    Connection id: 16
    Current database:
    Current user: user_w@192.168.142.143
    SSL: Cipher in use is TLS_AES_256_GCM_SHA384
    Current pager: stdout
    Using outfile: ''
    Using delimiter: ;
    Server version: 8.0.18 MySQL Community Server - GPL
    Protocol version: 10
    Connection: 192.168.142.145 via TCP/IP
    Server characterset: utf8mb4
    Db characterset: utf8mb4
    Client characterset: utf8mb4
    Conn. characterset: utf8mb4
    TCP port: 3306
    Uptime: 22 min 7 sec
    
    Threads: 3 Questions: 35 Slow queries: 0 Opens: 1162 Flush tables: 3 Open tables: 48 Queries per second avg: 0.026
    --------------
    
    ERROR: 
    No query specified
    
    mysql> exit
    
    [root@db143 client]# mysql -h 192.168.142.145 -uuser_w -p'user_w_pwd'
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1045 (28000): Access denied for user 'user_w'@'192.168.142.143' (using password: YES)
    [root@db143 client]#
    
    # 连接从库(db143)时要使用从库自己数据目录里的 pem:每个实例都会自动生成一套独立的 CA(ca.pem/ca-key.pem),db145 的 CA 签发的 client-cert.pem 不会被 db143 信任。生产环境建议用同一个 CA 为所有实例签发证书,而不是依赖各实例各自生成的 CA。
    [root@db143 data]# mysql -h 192.168.142.143 --ssl-cert=/data/mysql/mysql_3306/data/client-cert.pem --ssl-key=/data/mysql/mysql_3306/data/client-key.pem -uuser_w -p'user_w_pwd' 
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 23
    Server version: 8.0.18 MySQL Community Server - GPL
    
    Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> exit
    Bye
    [root@db143 data]#
    
       
    # 查看哪些账号被强制要求 SSL/X509 连接(ssl_type 列)。repuser 与 user_w 的 x509_issuer/x509_subject 为空,说明凡是 ssl_ca 签发的客户端证书都会被接受;如需只接受特定证书,应使用 REQUIRE ISSUER '...' SUBJECT '...'。
    
    mysql> select user,host,ssl_type,ssl_cipher,x509_issuer,x509_subject from mysql.user;
    +------------------+-----------+----------+------------+-------------+--------------+
    | user             | host      | ssl_type | ssl_cipher | x509_issuer | x509_subject |
    +------------------+-----------+----------+------------+-------------+--------------+
    | bak              | %         |          |            |             |              |
    | monitor          | %         |          |            |             |              |
    | proxysql         | %         |          |            |             |              |
    | repuser          | %         | X509     |            |             |              |
    | user_w           | %         | X509     |            |             |              |
    | bak              | localhost |          |            |             |              |
    | mysql.infoschema | localhost |          |            |             |              |
    | mysql.session    | localhost |          |            |             |              |
    | mysql.sys        | localhost |          |            |             |              |
    | repuser          | localhost |          |            |             |              |
    | root             | localhost |          |            |             |              |
    +------------------+-----------+----------+------------+-------------+--------------+
    11 rows in set (0.00 sec)
    
    mysql> 
    # 同步复制启用ssl
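    -- Point the replica at the source over TLS with a client certificate
    -- (repuser is REQUIRE X509, see the mysql.user listing above).
    stop slave ;
    CHANGE MASTER TO
    MASTER_HOST='192.168.142.145',
    MASTER_USER='repuser',
    MASTER_PASSWORD='repuserpwd',
    MASTER_PORT=3306,
    -- MASTER_SSL=1 makes encryption mandatory rather than opportunistic.
    MASTER_SSL=1,
    -- CA that signed the source's server-cert.pem (copy ca.pem from the source).
    -- Without it the replica accepts any certificate, so the binlog stream and
    -- the repuser password could be captured by an impostor source. Add
    -- MASTER_SSL_VERIFY_SERVER_CERT=1 only if the source certificate actually
    -- carries the host name; auto-generated ones usually do not.
    MASTER_SSL_CA='/data/client/ca.pem',
    MASTER_SSL_CERT='/data/client/client-cert.pem',
    -- Absolute path: the original 'client-key.pem' was relative and is resolved
    -- from mysqld's working directory, not from where this statement is typed.
    MASTER_SSL_KEY='/data/client/client-key.pem',
    MASTER_AUTO_POSITION = 1;
    start slave ;
    -- \G (not "G") prints the status vertically; check Master_SSL_Allowed,
    -- Master_SSL_CA_File and Slave_IO_Running.
    show slave status\G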