mysql5.6开启ssl_百通达网络 -Powered By 专注个人学习

1、查看ssl开启情况

mysql>  SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
1 row in set (0.01 sec)

disabled表示支持ssl，但是没有开启。

2、mysql版本，操作系统版本 root@wufantest01[/root]#cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) mysql> select version(); +-----------+ | version() | +-----------+ | 5.6.45 | +-----------+ 1 row in set (0.00 sec) mysql5.6默认没开ssl，所以如果安全加固需要则可开启。mysql5.7默认开启ssl的，不需要额外开启。

3、通过openssl 制作生成 SSL 证书

生成一个 CA 私钥

root@wufantest01[/root]#openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
.......+++
e is 65537 (0x10001)
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491048
-rw-------. 1 root root       6706 Sep 12  2017 anaconda-ks.cfg
-rw-r--r--  1 root root       1675 Nov 15 17:27 ca-key.pem

4、通过 CA 私钥生成数字证书

root@wufantest01[/root]#openssl req -new -x509 -nodes -days 3600 \
> -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491052
-rw-------. 1 root root       6706 Sep 12  2017 anaconda-ks.cfg
-rw-r--r--  1 root root       1675 Nov 15 17:27 ca-key.pem
-rw-r--r--  1 root root       1220 Nov 15 17:28 ca.pem

5、创建 MySQL 服务器私钥和请求证书

oot@wufantest01[/root]#openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
....................................................................+++
....................................................................................................................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491060
-rw-------. 1 root root       6706 Sep 12  2017 anaconda-ks.cfg
-rw-r--r--  1 root root       1675 Nov 15 17:27 ca-key.pem
-rw-r--r--  1 root root       1220 Nov 15 17:28 ca.pem
-rw-r--r--  1 root root       1704 Nov 15 17:29 server-key.pem
-rw-r--r--  1 root root        952 Nov 15 17:29 server-req.pem

6、将生成的私钥转换为 RSA 私钥文件格式 root@wufantest01[/root]#openssl rsa -in server-key.pem -out server-key.pem writing RSA key root@wufantest01[/root]# root@wufantest01[/root]#ll total 8491060 -rw-------. 1 root root 6706 Sep 12 2017 anaconda-ks.cfg -rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem -rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem -rw-r--r-- 1 root root 1675 Nov 15 17:29 server-key.pem -rw-r--r-- 1 root root 952 Nov 15 17:29 server-req.pem

7、用CA 证书来生成一个服务器端的数字证书 root@wufantest01[/root]#openssl x509 -req -in server-req.pem -days 3600 \

-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem Signature ok subject=/C=XX/L=Default City/O=Default Company Ltd Getting CA Private Key

8、创建客户端的 RSA 私钥和数字证书

root@wufantest01[/root]#openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
...+++
..........................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@wufantest01[/root]#

9、将生成的私钥转换为 RSA 私钥文件格式


root@wufantest01[/root]#openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
root@wufantest01[/root]#

10、用CA 证书来生成一个客户端的数字证书

root@wufantest01[/root]#openssl x509 -req -in client-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key
root@wufantest01[/root]#

11、查看所有生成的SSL文件


root@wufantest01[/root]#ls -l *.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
-rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem
-rw-r--r-- 1 root root 1090 Nov 15 17:31 client-cert.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:31 client-key.pem
-rw-r--r-- 1 root root  952 Nov 15 17:31 client-req.pem
-rw-r--r-- 1 root root 1090 Nov 15 17:30 server-cert.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:29 server-key.pem
-rw-r--r-- 1 root root  952 Nov 15 17:29 server-req.pem

mysql> root@wufantest01[/root]#cp ca.pem server-*.pem /var/lib/mysql/ -v ‘ca.pem’ -> ‘/var/lib/mysql/ca.pem’ ‘server-cert.pem’ -> ‘/var/lib/mysql/server-cert.pem’ ‘server-key.pem’ -> ‘/var/lib/mysql/server-key.pem’ ‘server-req.pem’ -> ‘/var/lib/mysql/server-req.pem’ root@wufantest01[/root]#

12.2、修改 MySQL 数据目录的CA 证书和服务端 SSL 文件所属用户与组 root@wufantest01[/root]#chown -v mysql.mysql /var/lib/mysql/{ca,server*}.pem changed ownership of ‘/var/lib/mysql/ca.pem’ from root:root to mysql:mysql changed ownership of ‘/var/lib/mysql/server-cert.pem’ from root:root to mysql:mysql changed ownership of ‘/var/lib/mysql/server-key.pem’ from root:root to mysql:mysql changed ownership of ‘/var/lib/mysql/server-req.pem’ from root:root to mysql:mysql root@wufantest01[/root]#

12.3、配置 MySQL 服务的配置文件 [/usr/my.cnf]，在[mysqld]节点下加入如下内容：

root@wufantest01[/root]#vi /usr/my.cnf
[mysqld]
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

13、重启MySQL服务


root@wufantest01[/root]#systemctl stop mysql
root@wufantest01[/root]#systemctl start mysql
root@wufantest01[/root]#systemctl status mysql

● mysql.service - LSB: start and stop MySQL Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled) Active: active (running) since Fri 2019-11-15 17:35:02 CST; 4s ago Docs: man:systemd-sysv-generator(8) Process: 17497 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS) Process: 17523 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS) CGroup: /system.slice/mysql.service ├─17528 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql... └─17661 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/my...

Nov 15 17:35:00 wufantest01 systemd[1]: Starting LSB: start and stop My.... Nov 15 17:35:02 wufantest01 mysql[17523]: Starting MySQL.. SUCCESS! Nov 15 17:35:02 wufantest01 systemd[1]: Started LSB: start and stop MySQL. Hint: Some lines were ellipsized, use -l to show in full. root@wufantest01[/root]#

mysql>

15、SSL连接测试

15.1、创建用户不指定ssl连接

Query OK, 0 rows affected (0.00 sec)

15.2、通过密码登陆 root@wufantest01[/root]#mysql -ussl_test -pssl_test Warning: Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2 Server version: 5.6.45 MySQL Community Server (GPL)

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit Bye root@wufantest01[/root]# 可以看到登陆成功。

15.3、创建用户指定ssl连接 mysql> drop user ssl_test ; Query OK, 0 rows affected (0.01 sec)

mysql> grant all on . to 'ssl_test'@'%' identified by 'ssl_test' require SSL; Query OK, 0 rows affected (0.00 sec)

mysql>

15.4、测试不指定客户端证书直接通过密码登陆,无法登陆成功。 root@wufantest01[/root]#mysql -ussl_test -pssl_test Warning: Using a password on the command line interface can be insecure. ERROR 1045 (28000): Access denied for user 'ssl_test'@'localhost' (using password: YES) root@wufantest01[/root]#

15.5、测试指定客户端证书登陆，登陆成功。 root@wufantest01[/root]#mysql -ussl_test -pssl_test --ssl-cert=client-cert.pem --ssl-key=client-key.pem Warning: Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 4 Server version: 5.6.45 MySQL Community Server (GPL)

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit Bye root@wufantest01[/root]#

博客

mysql5.6开启ssl

admin

热门文章

标签云

友情链接