  • 007:MySQL SSL

    I. SSL installation

    SSL (Secure Socket Layer) is a security protocol that keeps the communication between client and server encrypted.

    -- SSL is not enabled by default
    mysql> show variables like '%ssl%';
    +---------------+----------+
    | Variable_name | Value    |
    +---------------+----------+
    | have_openssl  | DISABLED |
    | have_ssl      | DISABLED |
    | ssl_ca        |          |
    | ssl_capath    |          |
    | ssl_cert      |          |
    | ssl_cipher    |          |
    | ssl_crl       |          |
    | ssl_crlpath   |          |
    | ssl_key       |          |
    +---------------+----------+
    9 rows in set (0.00 sec)
    
    

    1. Enabling SSL (5.7.18)

    • Environment
      • Server A: MySQL server; IP: 192.168.48.168;
      • Client B: MySQL server; IP: 192.168.24.38;
    -- Server A: MySQL server; IP: 192.168.48.168;
    
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# bin/mysql_ssl_rsa_setup --datadir=/r2/soft/dbtest/mysql-5.7.18/mysqldata --user=mysql --uid=mysql     -- with --uid there is no need to run chown mysql.mysql *.pem afterwards
    Generating a 2048 bit RSA private key
    ..+++
    ......+++
    writing new private key to 'ca-key.pem'
    -----
    Generating a 2048 bit RSA private key
    ..............................................................+++
    ...........................+++
    writing new private key to 'server-key.pem'
    -----
    Generating a 2048 bit RSA private key
    .............+++
    ................+++
    writing new private key to 'client-key.pem'
    -----
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# ll mysqldata/|grep pem
    -rw------- 1 mysql mysql       1675 11月 28 10:21 ca-key.pem        # CA private key
    -rw-r--r-- 1 mysql mysql       1074 11月 28 10:21 ca.pem            # CA certificate
    -rw-r--r-- 1 mysql mysql       1078 11月 28 10:21 client-cert.pem   # client certificate
    -rw------- 1 mysql mysql       1679 11月 28 10:21 client-key.pem    # client private key
    -rw------- 1 mysql mysql       1675 11月 28 10:21 private_key.pem   # private key of the RSA pair used for password key exchange
    -rw-r--r-- 1 mysql mysql        451 11月 28 10:21 public_key.pem    # public key of that RSA pair
    -rw-r--r-- 1 mysql mysql       1078 11月 28 10:21 server-cert.pem   # server certificate
    -rw------- 1 mysql mysql       1675 11月 28 10:21 server-key.pem    # server private key
    
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# mysqladmin -uroot -piforgot --socket=/r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock shutdown
    2017-11-28T02:21:55.829485Z mysqld_safe mysqld from pid file /r2/soft/dbtest/mysql-5.7.18/mysqldata/mysqldb.pid ended
    [1]+  完成                  /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf
    
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18]# /r2/soft/dbtest/mysql-5.7.18/bin/mysqld_safe --defaults-file=/r2/soft/dbtest/mysql-5.7.18/my.cnf &
    [1] 159680
    
    

    For what each of the .pem files is used for, see the official documentation and search for the keyword private/public key-pair.

    • Start testing
    • Server A: MySQL server; IP: 192.168.48.168;
    
    -- Server A: MySQL server; IP: 192.168.48.168;
    
    mysql> show variables like "%ssl%";
    +---------------+-----------------+
    | Variable_name | Value           |
    +---------------+-----------------+
    | have_openssl  | YES             |  -- SSL is now supported
    | have_ssl      | YES             |
    | ssl_ca        | ca.pem          |  -- CA certificate
    | ssl_capath    |                 |
    | ssl_cert      | server-cert.pem |  -- server certificate (carries the public key)
    | ssl_cipher    |                 |
    | ssl_crl       |                 |
    | ssl_crlpath   |                 |
    | ssl_key       | server-key.pem  |  -- server private key
    +---------------+-----------------+
    9 rows in set (0.00 sec)
    
    mysql> \s  -- status
    --------------
    /r2/soft/dbtest/mysql-5.7.18/bin/mysql  Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using  EditLine wrapper
    
    Connection id:		802
    Current database:
    Current user:		root@localhost
    SSL:			Not in use       -- local login via the UNIX socket, SSL is not used
    Current pager:		stdout
    Using outfile:		''
    Using delimiter:	;
    Server version:		5.7.18-log MySQL Community Server (GPL)
    Protocol version:	10
    Connection:		Localhost via UNIX socket
    Server characterset:	utf8
    Db     characterset:	utf8
    Client characterset:	utf8
    Conn.  characterset:	utf8
    UNIX socket:		/r2/soft/dbtest/mysql-5.7.18/mysqldata/mysql.sock
    Uptime:			15 min 41 sec
    
    Threads: 1  Questions: 5694  Slow queries: 0  Opens: 3439  Flush tables: 1  Open tables: 729  Queries per second avg: 6.051
    --------------
    
    -- create a test account
    mysql> create user 'ssl'@'%' identified by 'ssltest';
    Query OK, 0 rows affected (0.00 sec)
    
    
    mysql> grant all on *.* to 'ssl'@'%';
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> flush privileges;
    Query OK, 0 rows affected (0.01 sec)
    
    mysql> show grants for 'ssl'@'%';
    +------------------------------------------+
    | Grants for ssl@%                         |
    +------------------------------------------+
    | GRANT ALL PRIVILEGES ON *.* TO 'ssl'@'%' |
    +------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select ssl_type from mysql.user where user='ssl';
    +----------+
    | ssl_type |
    +----------+
    |          |    -- ssl_type is not set yet
    +----------+
    1 row in set (0.00 sec)
    
    
    • Client B: MySQL server; IP: 192.168.24.38; login with the defaults (SSL is used)
    
    [root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2264
    Server version: 5.7.18-log MySQL Community Server (GPL)
    
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    (ssl@192.168.48.168) 11:06:57 [(none)]> \s status;
    --------------
    mysql  Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using  EditLine wrapper
    
    Connection id:		2264
    Current database:
    Current user:		ssl@192.168.24.38
    SSL:			Cipher in use is DHE-RSA-AES256-SHA   -- the connection already uses SSL
    Current pager:		stdout
    Using outfile:		''
    Using delimiter:	;
    Server version:		5.7.18-log MySQL Community Server (GPL)
    Protocol version:	10
    Connection:		192.168.48.168 via TCP/IP
    Server characterset:	utf8
    Db     characterset:	utf8
    Client characterset:	utf8
    Conn.  characterset:	utf8
    TCP port:		3306
    Uptime:			44 min 55 sec
    
    Threads: 2  Questions: 16275  Slow queries: 0  Opens: 8527  Flush tables: 1  Open tables: 1024  Queries per second avg: 6.038
    --------------
    
    
    • Client B: MySQL server; IP: 192.168.24.38; login with --skip-ssl
    [root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
    mysql: [Warning] Using a password on the command line interface can be insecure.
    WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2601
    Server version: 5.7.18-log MySQL Community Server (GPL)
    
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    (ssl@192.168.48.168) 11:11:55 [(none)]> \s status;
    --------------
    mysql  Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using  EditLine wrapper
    
    Connection id:		2601
    Current database:
    Current user:		ssl@192.168.24.38
    SSL:			Not in use                  -- SSL is not in use
    Current pager:		stdout
    Using outfile:		''
    Using delimiter:	;
    Server version:		5.7.18-log MySQL Community Server (GPL)
    Protocol version:	10
    Connection:		192.168.48.168 via TCP/IP
    Server characterset:	utf8
    Db     characterset:	utf8
    Client characterset:	utf8
    Conn.  characterset:	utf8
    TCP port:		3306
    Uptime:			49 min 56 sec
    
    Threads: 2  Questions: 18098  Slow queries: 0  Opens: 9366  Flush tables: 1  Open tables: 1024  Queries per second avg: 6.040
    
    
    • Force the user to log in with SSL
    --
    -- Server A: MySQL server; IP: 192.168.48.168;
    --
    
    mysql> alter user 'ssl'@'%' require ssl;
    Query OK, 0 rows affected (0.00 sec)
    
    
    
    -
    -  Client B: MySQL server; IP: 192.168.24.38;
    -
    [root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest --skip-ssl
    mysql: [Warning] Using a password on the command line interface can be insecure.
    WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
    ERROR 1045 (28000): Access denied for user 'ssl'@'192.168.24.38' (using password: YES)  -- with SSL disabled, login is no longer possible
    
    [root@node2 ~]# mysql -h192.168.48.168 -ussl -pssltest
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 3023
    Server version: 5.7.18-log MySQL Community Server (GPL)
    
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    (ssl@192.168.48.168) 11:20:00 [(none)]> \s status;
    --------------
    mysql  Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using  EditLine wrapper
    
    Connection id:		3023
    Current database:
    Current user:		ssl@192.168.24.38
    SSL:			Cipher in use is DHE-RSA-AES256-SHA
    Current pager:		stdout
    Using outfile:		''
    Using delimiter:	;
    Server version:		5.7.18-log MySQL Community Server (GPL)
    Protocol version:	10
    Connection:		192.168.48.168 via TCP/IP
    Server characterset:	utf8
    Db     characterset:	utf8
    Client characterset:	utf8
    Conn.  characterset:	utf8
    TCP port:		3306
    Uptime:			58 min 10 sec
    
    Threads: 2  Questions: 21080  Slow queries: 0  Opens: 10700  Flush tables: 1  Open tables: 1024  Queries per second avg: 6.040
    --------------
    
    

    2. Enabling certificate authentication (5.7.18)

    
    --
    -- Server A: MySQL server; IP: 192.168.48.168;
    --
    
    mysql> create user 'sslcatti'@'%' identified by 'sslcatti';
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> grant all on *.* to 'sslcatti'@'%';
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> alter user 'sslcatti'@'%' require x509; -- enable certificate authentication
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> select ssl_type from mysql.user where user='sslcatti';
    +----------+
    | ssl_type |
    +----------+
    | X509     |
    +----------+
    1 row in set (0.00 sec)
    
    
    -
    -  Client B: MySQL server; IP: 192.168.24.38;
    -
    [root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1045 (28000): Access denied for user 'sslcatti'@'192.168.24.38' (using password: YES)
    -- even though SSL is used by default, login fails without a client certificate
    
    • Copy the pem files to client B
    --
    -- Server A: MySQL server; IP: 192.168.48.168;
    --
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# pwd
    /r2/soft/dbtest/mysql-5.7.18/mysqldata
    
    [root@localhost-m(252) /r2/soft/dbtest/mysql-5.7.18/mysqldata]# scp client-cert.pem client-key.pem  root@192.168.24.38:~/
    The authenticity of host '192.168.24.38 (192.168.24.38)' can't be established.
    ECDSA key fingerprint is 06:c0:78:4d:99:10:db:76:9f:78:92:ac:ab:cb:a7:cc.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.24.38' (ECDSA) to the list of known hosts.
    root@192.168.24.38's password:
    client-cert.pem                                                          100% 1078     1.1KB/s   00:00
    client-key.pem                                                           100% 1679     1.6KB/s   00:00   
    
    • Client login with the certificate
    -
    -  Client B: MySQL server; IP: 192.168.24.38;
    -
    [root@node2 ~]# ll |grep pem
    -rw-r--r--  1 root root   1078 Nov 28 11:34 client-cert.pem
    -rw-------  1 root root   1679 Nov 28 11:34 client-key.pem
    
    [root@node2 ~]# mysql -h192.168.48.168 -usslcatti -psslcatti --ssl-cert=./client-cert.pem  --ssl-key=./client-key.pem
    mysql: [Warning] Using a password on the command line interface can be insecure.
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 3868
    Server version: 5.7.18-log MySQL Community Server (GPL)
    
    Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    (sslcatti@192.168.48.168) 11:36:28 [(none)]> \s;
    --------------
    mysql  Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using  EditLine wrapper
    
    Connection id:		3868
    Current database:
    Current user:		sslcatti@192.168.24.38
    SSL:			Cipher in use is DHE-RSA-AES256-SHA   -- encrypted login, and the certificate was accepted, because this user
    Current pager:		stdout
    Using outfile:		''
    Using delimiter:	;
    Server version:		5.7.18-log MySQL Community Server (GPL)
    Protocol version:	10
    Connection:		192.168.48.168 via TCP/IP
    Server characterset:	utf8
    Db     characterset:	utf8
    Client characterset:	utf8
    Conn.  characterset:	utf8
    TCP port:		3306
    Uptime:			1 hour 14 min 31 sec
    
    Threads: 1  Questions: 27036  Slow queries: 0  Opens: 13349  Flush tables: 1  Open tables: 1024  Queries per second avg: 6.046
    --------------
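    As an added example (not code from the original post), a small Python audit that takes the (user, host, ssl_type) rows sections 1 and 2 inspect in mysql.user, flags remotely reachable accounts whose ssl_type is still empty, and builds the matching ALTER USER ... REQUIRE statements; the sample rows, the hypothetical `app` and `report` accounts, and the function names are constructed here.

```python
# Added example (not from the original post): audit the ssl_type values the post
# inspects in mysql.user and build the matching ALTER USER ... REQUIRE statements.
# Rows below are constructed for the demo; on a real server fetch them with
#   SELECT user, host, ssl_type FROM mysql.user;
from typing import Iterable, List, Tuple

Row = Tuple[str, str, str]  # (user, host, ssl_type)

# Constructed sample rows mirroring the post: 'ssl' after REQUIRE SSL ('ANY'),
# 'sslcatti' after REQUIRE X509, plus two hypothetical accounts with no requirement.
SAMPLE_ROWS: List[Row] = [
    ("root", "localhost", ""),
    ("ssl", "%", "ANY"),
    ("sslcatti", "%", "X509"),
    ("app", "%", ""),
    ("report", "192.168.24.%", ""),
]

# MySQL 5.7 stores the REQUIRE clause in ssl_type: '' (none), 'ANY' (REQUIRE SSL),
# 'X509' (REQUIRE X509) or 'SPECIFIED' (REQUIRE ISSUER/SUBJECT/CIPHER).
ENCRYPTED = {"ANY", "X509", "SPECIFIED"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_remote(host: str) -> bool:
    """True when the host pattern admits connections from the network."""
    return host.lower() not in LOCAL_HOSTS


def audit(rows: Iterable[Row]) -> List[Row]:
    """Return the remotely reachable accounts whose connections may be plaintext."""
    return [(u, h, t) for u, h, t in rows if is_remote(h) and t not in ENCRYPTED]


def quote(value: str) -> str:
    """Quote a user or host for ALTER USER, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def remediation_sql(rows: Iterable[Row], requirement: str = "SSL") -> List[str]:
    """ALTER USER statements that add REQUIRE SSL (or X509) to each finding."""
    assert requirement in ("SSL", "X509")
    return [f"ALTER USER {quote(u)}@{quote(h)} REQUIRE {requirement};"
            for u, h, _ in audit(rows)]


if __name__ == "__main__":
    for user, host, _ in audit(SAMPLE_ROWS):
        print(f"{user}@{host}: no transport requirement")
    print("\n".join(remediation_sql(SAMPLE_ROWS)))
```

    REQUIRE SSL and REQUIRE X509 only constrain what the server accepts; whether the client verifies the server certificate is decided on the client side (in 5.7, --ssl-mode=VERIFY_CA or VERIFY_IDENTITY together with --ssl-ca=ca.pem), and the default PREFERRED mode does not verify it.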
    
    
  • Source: https://www.cnblogs.com/gczheng/p/7908825.html