MySQL的SSL加密连接与性能开销
前言 在生产环境下,安全总是无法忽视的问题,数据库安全则是重中之重,因为所有的数据都存放在数据库中。MySQL在5.7版本之前对于安全问题的确考虑并不充分,导致存在比较大的隐患,比如下面的这些问题,可能有些小伙伴知道,有些却还不知道:
MySQL数据库默认安装的用户密码为空
所有用户拥有对于MySQL默认安装test数据库的访问权限(即使没有授予权限)
好在Oracle官方也已经意识到安全的重要性,MySQL 5.7开始安装完成后的root用户的密码不再是空,而是在安装时随机产生一个密码,这也导致了用户安装5.7时发现的与5.6版本比较大的一个不同点。其次,官方已经删除了test数据库,默认安装完后是没有test数据库的。更为重要的是,MySQL 5.7版本提供了更为简单SSL安全访问配置,并且默认连接就采用SSL的加密方式。
何为SSL 下载地址首先看下维基百科是如何定义SSL的:
引用
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
从上面的定义来看,SSL指的是SSL/TLS,其是一种为了在计算机网络进行安全通信的加密协议。假设用户的传输不是通过SSL的方式,那么其在网络中以明文的方式进行传输,而这给别有用心的人带来了可乘之机。所以,现在很多网站其实默认已经开启了SSL功能,比如Facebook、Twtter、YouTube、淘宝等。
在数据库领域,之前Inside君去某公司做技术交流时,该公司介绍其运维平台能够对一些敏感字段做处理,比如取出的密码或资金数据用***来表示,那么DBA就无法看到这部分的私人数据内容。这本身是一个很不错的安全处理方式,但若DBA在本地装一个类似tcpdump的工具,则依然能够通过获取得到的包得到想要的数据。因此,除了在程序端进行展示的安全处理,还需在MySQL服务器端开启安全的加密通信功能,这时就是SSL发挥功能的时候了。
3.MySQL 5.7的SSL配置与使用 如果仔细阅读MySQL 5.7的安装文档INSTALL-BINARY,会发现5.7的安装文档在初始化数据目录之后还额外多做了一个操作,这是之前版本所没有的操作,而该步骤即是对于SSL的安装与配置:
......
shell> bin/mysqld --initialize --user=mysql
shell> bin/mysql_ssl_rsa_setup
......
......
shell> bin/mysqld --initialize --user=mysql
shell> bin/mysql_ssl_rsa_setup
......
运行完命令mysql_ssl_rsa_setup后会发现数据目录下多出了一些以pem结尾的文件,而这些文件就是开启SSL连接所需要的文件:
root@test-1:/usr/local/mysql/data# ls -lh *.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 ca-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 ca.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 client-cert.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 client-key.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 private_key.pem
-rw-r--r-- 1 mysql mysql 451 Nov 25 14:12 public_key.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 server-cert.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 server-key.pem
root@test-1:/usr/local/mysql/data# ls -lh *.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 ca-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 ca.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 client-cert.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 client-key.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 private_key.pem
-rw-r--r-- 1 mysql mysql 451 Nov 25 14:12 public_key.pem
-rw-r--r-- 1 mysql mysql 1.1K Nov 25 14:12 server-cert.pem
-rw------- 1 mysql mysql 1.7K Nov 25 14:12 server-key.pem
若这时启动MySQL数据库并启动应该可以发现如下状态:
mysql>SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl | YES |
+---------------+-------+
1 row in set (0.00 sec)
mysql>SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl | YES |
+---------------+-------+
1 row in set (0.00 sec)
该参数表示MySQL服务器开启了SSL功能,而在MySQL 5.7版本下默认就会使用SSL的方式来进行连接,比如:
root@test-1:~# mysql -h10.166.224.32 -udavid
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.9, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 6119
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
......
root@test-1:~# mysql -h10.166.224.32 -udavid
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.9, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 6119
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
......
通过STATUS的SSL列就能判断连接的用户是否使用了SSL,比如上述例子中的Cipher in use is DHE-RSA-AES256-SHA就表示当前david用户是通过SSL的方式进行连接。若在创建用户时,希望该用户每次必须通过SSL方式,则需在创建用户通过REQUIRE SSL来进行设置,对于上述的david用户,可以通过如下方式来进行修改以确保每次通过SSL进行连接,强制不使用SSL进行连接则报错:
mysql> ALTER USER david@'%' REQUIRE SSL;
......
root@test-1:~# mysql -h10.166.224.32 -udavid --ssl=0
ERROR 1045 (28000): Access denied for user 'david'@'10.166.224.32' (using password: YES)
mysql> ALTER USER david@'%' REQUIRE SSL;
......
root@test-1:~# mysql -h10.166.224.32 -udavid --ssl=0
ERROR 1045 (28000): Access denied for user 'david'@'10.166.224.32' (using password: YES)
MySQL 5.6同样支持以SSL的方式进行连接,但是操作相对5.7较为复杂,用户需要自己通过openssl命令来创建各类公密钥,具体可以查看相关官方文档。
SSL性能测试 相信很多小伙伴关心开启SSL加密连接后的性能表现,不可否认的是启用SSL加密连接后,性能必然会有下降。这里的测试采用全内存SELECT主键的方式,因此可以认为是最坏情况的SSL性能开销:
上述的测试是在Inside君的云主机环境下,云主机配置只有4核CPU,故QPS值整体不高,但是应该能够发现开启SSL后的性能开销在25%左右。
另外,由于SSL开销较大的环节在建立连接,所以短链接的开销可能会更大,因此推荐使用长连接或者连接池的方式来减小SSL所带来的额外开销,不过好在MySQL的应用习惯大部分也是长连接的方式。
总结 1.MySQL 5.7配置SSL要比5.6来的简单的多 2.MySQL 5.7客户端默认开启SSL加密连接 3.通常来说,开启SSL加密连接后,性能最大的开销在25%左右
Explain the InnoDB Buffer Pool and its importance for performance.Apr 19, 2025 am 12:24 AMInnoDBBufferPool reduces disk I/O by caching data and indexing pages, improving database performance. Its working principle includes: 1. Data reading: Read data from BufferPool; 2. Data writing: After modifying the data, write to BufferPool and refresh it to disk regularly; 3. Cache management: Use the LRU algorithm to manage cache pages; 4. Reading mechanism: Load adjacent data pages in advance. By sizing the BufferPool and using multiple instances, database performance can be optimized.
MySQL vs. Other Programming Languages: A ComparisonApr 19, 2025 am 12:22 AMCompared with other programming languages, MySQL is mainly used to store and manage data, while other languages such as Python, Java, and C are used for logical processing and application development. MySQL is known for its high performance, scalability and cross-platform support, suitable for data management needs, while other languages have advantages in their respective fields such as data analytics, enterprise applications, and system programming.
Learning MySQL: A Step-by-Step Guide for New UsersApr 19, 2025 am 12:19 AMMySQL is worth learning because it is a powerful open source database management system suitable for data storage, management and analysis. 1) MySQL is a relational database that uses SQL to operate data and is suitable for structured data management. 2) The SQL language is the key to interacting with MySQL and supports CRUD operations. 3) The working principle of MySQL includes client/server architecture, storage engine and query optimizer. 4) Basic usage includes creating databases and tables, and advanced usage involves joining tables using JOIN. 5) Common errors include syntax errors and permission issues, and debugging skills include checking syntax and using EXPLAIN commands. 6) Performance optimization involves the use of indexes, optimization of SQL statements and regular maintenance of databases.
MySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AMMySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.
MySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AMMySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.
MySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AMMySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.
The Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AMSQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.
MySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AMThe basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
SublimeText3 English version
Recommended: Win version, supports code prompts!
SublimeText3 Chinese version
Chinese version, very easy to use
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
