创建SSL证书
创建保存证书文件的目录:
sudo mkdir /var/lib/mysql/pki cd /var/lib/mysql/pki
创建CA证书和私钥:
sudo openssl genrsa -out ca-key.pem 2048 sudo openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem
上面的命令将生成2048位密钥长度,并创建新的1年(365天)私钥。
在创建私钥时,系统会提示我们输入我们生成的密钥的详细信息。
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:MN Locality Name (eg, city) []:BP Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
创建服务器私钥
sudo openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
完成后,使用以下命令将服务器的私钥导出为RSA型的密钥:
sudo sudo openssl rsa -in server-key.pem -out server-key.pem
生成SSL/TLS Cert:
sudo openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
在目录中,我们应该有这些文件:
- ca-cert.pem.
- ca-key.pem.
- server-cert.pem.
- server-key.pem.
- server-req.pem.
如何在MySQL服务器上启用自签名的SSL/TLS证书
如何设置只能通过SSL连接连接到MySQL服务器?
配置MySQL SSL/TLS连接
我们已经创建了一个自签名证书,转到MySQL并配置以便通过SSL/TLS连接。
修改目录的所有者:
sudo chown -R mysql. /var/lib/mysql/pki
完成后,打开MySQL配置文件。
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
修改下面内容,启用SSL/TLS
# this is only for the mysqld standalone daemon [mysqld] # # * Basic Settings # user = mysql pid-file = /run/mysqld/mysqld.pid socket = /run/mysqld/mysqld.sock #port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp lc-messages-dir = /usr/share/mysql #skip-external-locking ssl-ca=/var/lib/mysql/pki/ca-cert.pem ssl-cert=/var/lib/mysql/pki/server-cert.pem ssl-key=/var/lib/mysql/pki/server-key.pem require_secure_transport = ON . . . . . . . . . . . . . . . . . . . .
Require_secure_transport = On 选项强制所有用户通过SSL连接数据库。
重新启动MySQL:
sudo systemctl restart mysql
接下来,运行以下命令,通过SSL连接到MySQL,验证SSL/TLS设置:
sudo mysql -u root -p --ssl-mode=required
然后执行下面的查询语句:
show variables like '%ssl%';
输出示例:
+-------------------------------------+------------------------------------+ | Variable_name | Value | +-------------------------------------+------------------------------------+ | admin_ssl_ca | | | admin_ssl_capath | | | admin_ssl_cert | | | admin_ssl_cipher | | | admin_ssl_crl | | | admin_ssl_crlpath | | | admin_ssl_key | | | have_openssl | YES | | have_ssl | YES | | mysqlx_ssl_ca | | | mysqlx_ssl_capath | | | mysqlx_ssl_cert | | | mysqlx_ssl_cipher | | | mysqlx_ssl_crl | | | mysqlx_ssl_crlpath | | | mysqlx_ssl_key | | | performance_schema_show_processlist | OFF | | ssl_ca | /var/lib/mysql/pki/ca-cert.pem | | ssl_capath | | | ssl_cert | /var/lib/mysql/pki/server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_fips_mode | OFF | | ssl_key | /var/lib/mysql/pki/server-key.pem | +-------------------------------------+------------------------------------+
MySQL中的“HAS_SSL”表示是否可用SSL支持,而“HARD_OPENSSL”则表示,是否已编译openssl。
要通过客户端连接到SSL/TLS,请运行以下命令:
sudo mysql --ssl-mode=REQUIRED
查看使用的密码:
show status like 'ssl_cipher';
输出应该类似下面内容:
+---------------+------------------------+ | Variable_name | Value | +---------------+------------------------+ | Ssl_cipher | TLS_AES_256_GCM_SHA384 | +---------------+------------------------+ 1 row in set (0.00 sec)
启用SSL/TLS后,创建用户并要求SSL/TLS登录。
create user dbuser identified by 'password_here' require ssl;
要强制所有连接以使用SSL,执行下面的SQL语句。
强制root用户在连接之前使用SSL:
UPDATE mysql.user SET ssl_type = 'ANY' WHERE user = 'root'; FLUSH PRIVILEGES;
检查MySQL状态以查看当前配置:
mysql Ver 8.0.23-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu)) Connection id: 12 Current database: Current user: root@localhost SSL: Cipher in use is TLS_AES_256_GCM_SHA384 Current pager: stdout Using outfile: '' Using delimiter: ; Server version: 8.0.23-0ubuntu0.20.04.1 (Ubuntu) Protocol version: 10 Connection: Localhost via UNIX socket Server characterset: utf8mb4 Db characterset: utf8mb4 Client characterset: utf8mb4 Conn. characterset: utf8mb4 UNIX socket: /var/run/mysqld/mysqld.sock Binary data as: Hexadecimal Uptime: 5 min 10 sec
日期:2020-07-07 20:55:02 来源:oir作者:oir