Rumah > Artikel > pangkalan data > SSL连接的实例教程
MySQL 5.7--------SSL连接最佳实战
1. 背景
* 在生产环境下,安全总是无法忽视的问题,数据库安全则是重中之重,因为所有的数据都存放在数据库中
* 当使用非加密方式连接MySQL数据库时,在网络中传输的所有信息都是明文的,可以被网络中所有人截取,敏感信息可能被泄露。在传送敏感信息(如密码)时,可以采用SSL连接的方式。
* 版本小于5.7.6时按照 MySQL 5.6 SSL配置的方式进行。
2. MySQL 连接方式
* socket连接
* TCP非SSL连接
* SSL安全连接
* SSL + 密码连接 [version > MySQL 5.7.5]
* SSL + 密码 + 密钥连接
3. SSL 简介
* SSL指的是SSL/TLS,其是一种为了在计算机网络进行安全通信的加密协议。假设用户的传输不是通过SSL的方式,那么其在网络中以明文的方式进行传输,而这给别有用心的人带来了可乘之机。所以,现在很多网站其实默认已经开启了SSL功能,比如Facebook、Twtter、YouTube、淘宝等。
4. 环境 [ 关闭SeLinux ]
* system 环境
[root@MySQL ~]
# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@MySQL ~]
# uname -r
2.6.32-696.3.2.el6.x86_64
[root@MySQL ~]
# getenforce
Disabled
* MySQL 环境 [ MySQL 5.7安装前面篇章已做详细介绍 ]
have_openssl 与 have_ssl 值都为DISABLED表示ssl未开启
[root@MySQL ~]
# mysql -p'123'
mysql: [Warning] Using a password on the
command
line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection
id
is 6
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and
/or
its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and
/or
its
affiliates. Other names may be trademarks of their respective
owners.
Type
'help;'
or
'\h'
for
help. Type
'\c'
to
clear
the current input statement.
mysql>
select
version();
+-----------+
| version() |
+-----------+
| 5.7.18 |
+-----------+
1 row
in
set
(0.00 sec)
mysql> show variables like
'have%ssl%'
;
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
+---------------+----------+
2 rows
in
set
(0.02 sec)
mysql> show variables like
'port'
;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| port | 3306 |
+---------------+-------+
1 row
in
set
(0.01 sec)
mysql> show variables like
'datadir'
;
+---------------+-------------------+
| Variable_name | Value |
+---------------+-------------------+
| datadir |
/data/mysql_data/
|
+---------------+-------------------+
1 row
in
set
(0.01 sec)
5. SSL配置
* 利用自带工具生成SSL相关文件
[root@MySQL ~]
# /usr/local/mysql/bin/mysql_ssl_rsa_setup --datadir=/data/mysql_data
Generating a 2048 bit RSA private key
..........................................................................+++
.....+++
writing new private key to
'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.......................................................................................................................................................................+++
...+++
writing new private key to
'server-key.pem'
-----
Generating a 2048 bit RSA private key
.....................+++
...........................................+++
writing new private key to
'client-key.pem'
-----
[root@MySQL ~]
# ls -l /data/mysql_data/*.pem
-rw------- 1 root root 1679 Jun 24 20:54
/data/mysql_data/ca-key
.pem
-rw-r--r-- 1 root root 1074 Jun 24 20:54
/data/mysql_data/ca
.pem
-rw-r--r-- 1 root root 1078 Jun 24 20:54
/data/mysql_data/client-cert
.pem
-rw------- 1 root root 1675 Jun 24 20:54
/data/mysql_data/client-key
.pem
-rw------- 1 root root 1675 Jun 24 20:54
/data/mysql_data/private_key
.pem
-rw-r--r-- 1 root root 451 Jun 24 20:54
/data/mysql_data/public_key
.pem
-rw-r--r-- 1 root root 1078 Jun 24 20:54
/data/mysql_data/server-cert
.pem
-rw------- 1 root root 1675 Jun 24 20:54
/data/mysql_data/server-key
.pem
[root@MySQL ~]
# /etc/init.d/mysqld restart
Shutting down MySQL.. SUCCESS!
Starting MySQL. SUCCESS!
have_openssl 与 have_ssl 值都为YES表示ssl开启成功
mysql> show variables like
'have%ssl%'
;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
2 rows
in
set
(0.03 sec)
6. SSL + 密码连接测试
* 创建用户并指定 SSL 连接 [ MySQL 5.7后推荐使用create user 方式创建用户 ]
mysql> create user
'ssl_test'
@
'%'
identified by
'123'
require SSL;
Query OK, 0 rows affected (0.00 sec)
[root@MySQL ~]
# mysql -h 192.168.60.129 -ussl_test -p'123' --ssl=0
mysql: [Warning] Using a password on the
command
line interface can be insecure.
ERROR 1045 (28000): Access denied
for
user
'ssl_test'
@
'192.168.60.129'
(using password: YES)
SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通过SSL连接
[root@MySQL ~]
# mysql -h 192.168.60.129 -ussl_test -p'123' --ssl
mysql: [Warning] Using a password on the
command
line interface can be insecure.
WARNING: --ssl is deprecated and will be removed
in
a future version. Use --ssl-mode instead.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection
id
is 12
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and
/or
its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and
/or
its
affiliates. Other names may be trademarks of their respective
owners.
Type
'help;'
or
'\h'
for
help. Type
'\c'
to
clear
the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18,
for
linux-glibc2.5 (x86_64) using EditLine wrapper
Connection
id
: 12
Current database:
Current user: ssl_test@192.168.60.129
SSL: Cipher
in
use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile:
''
Using delimiter: ;
Server version: 5.7.18 MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.60.129 via TCP
/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 7 min 34 sec
Threads: 1 Questions: 29 Slow queries: 0 Opens: 112 Flush tables: 1 Open tables: 105 Queries per second avg: 0.063
--------------
7. SSL + 密码 + 密钥连接
* 创建用户并指定 X509 [ SSL+密钥 ] 连接 [ MySQL 5.7后推荐使用create user 方式创建用户 ]
mysql> create user
'X509_test'
@
'%'
identified by
'123'
require X509;
Query OK, 0 rows affected (0.00 sec)
[root@MySQL ~]
# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl=0
mysql: [Warning] Using a password on the
command
line interface can be insecure.
ERROR 1045 (28000): Access denied
for
user
'X509_test'
@
'192.168.60.129'
(using password: YES)
[root@MySQL ~]
# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl
mysql: [Warning] Using a password on the
command
line interface can be insecure.
ERROR 1045 (28000): Access denied
for
user
'X509_test'
@
'192.168.60.129'
(using password: YES)
SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通过SSL连接
[root@MySQL ~]
# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl-cert=/data/mysql_data/client-cert.pem --ssl-key=/data/mysql_data/client-key.pem
mysql: [Warning] Using a password on the
command
line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection
id
is 21
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and
/or
its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and
/or
its
affiliates. Other names may be trademarks of their respective
owners.
Type
'help;'
or
'\h'
for
help. Type
'\c'
to
clear
the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18,
for
linux-glibc2.5 (x86_64) using EditLine wrapper
Connection
id
: 21
Current database:
Current user: X509_test@192.168.60.129
SSL: Cipher
in
use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile:
''
Using delimiter: ;
Server version: 5.7.18 MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.60.129 via TCP
/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 18 min 27 sec
Threads: 1 Questions: 40 Slow queries: 0 Opens: 118 Flush tables: 1 Open tables: 111 Queries per second avg: 0.036
--------------
Atas ialah kandungan terperinci SSL连接的实例教程. Untuk maklumat lanjut, sila ikut artikel berkaitan lain di laman web China PHP!