1、查看ssl开启情况
mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_ssl | DISABLED |
+---------------+----------+
1 row in set (0.01 sec)
disabled表示支持ssl,但是没有开启。
2、mysql版本,操作系统版本
root@wufantest01[/root]#cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.6.45 |
+-----------+
1 row in set (0.00 sec)
mysql5.6默认没开ssl,所以如果安全加固需要则可开启。mysql5.7默认开启ssl的,不需要额外开启。
3、通过openssl 制作生成 SSL 证书
生成一个 CA 私钥
root@wufantest01[/root]#openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
.......+++
e is 65537 (0x10001)
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491048
-rw-------. 1 root root 6706 Sep 12 2017 anaconda-ks.cfg
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
4、通过 CA 私钥生成数字证书
root@wufantest01[/root]#openssl req -new -x509 -nodes -days 3600 \
> -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491052
-rw-------. 1 root root 6706 Sep 12 2017 anaconda-ks.cfg
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
-rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem
5、创建 MySQL 服务器 私钥和请求证书
root@wufantest01[/root]#openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
....................................................................+++
....................................................................................................................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491060
-rw-------. 1 root root 6706 Sep 12 2017 anaconda-ks.cfg
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
-rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem
-rw-r--r-- 1 root root 1704 Nov 15 17:29 server-key.pem
-rw-r--r-- 1 root root 952 Nov 15 17:29 server-req.pem
6、将生成的私钥转换为 RSA 私钥文件格式
root@wufantest01[/root]#openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
root@wufantest01[/root]#
root@wufantest01[/root]#ll
total 8491060
-rw-------. 1 root root 6706 Sep 12 2017 anaconda-ks.cfg
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
-rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:29 server-key.pem
-rw-r--r-- 1 root root 952 Nov 15 17:29 server-req.pem
7、用CA 证书来生成一个服务器端的数字证书
root@wufantest01[/root]#openssl x509 -req -in server-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key
8、创建客户端的 RSA 私钥和数字证书
root@wufantest01[/root]#openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
...+++
..........................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@wufantest01[/root]#
9、将生成的私钥转换为 RSA 私钥文件格式
root@wufantest01[/root]#openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
root@wufantest01[/root]#
10、用CA 证书来生成一个客户端的数字证书
root@wufantest01[/root]#openssl x509 -req -in client-req.pem -days 3600 \
> -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key
root@wufantest01[/root]#
11、查看所有生成的SSL文件
root@wufantest01[/root]#ls -l *.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:27 ca-key.pem
-rw-r--r-- 1 root root 1220 Nov 15 17:28 ca.pem
-rw-r--r-- 1 root root 1090 Nov 15 17:31 client-cert.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:31 client-key.pem
-rw-r--r-- 1 root root 952 Nov 15 17:31 client-req.pem
-rw-r--r-- 1 root root 1090 Nov 15 17:30 server-cert.pem
-rw-r--r-- 1 root root 1675 Nov 15 17:29 server-key.pem
-rw-r--r-- 1 root root 952 Nov 15 17:29 server-req.pem
12、MySQL 配置启动 SSL
12.1、复制 CA 证书和服务端SSL文件至MySQL 数据目录
mysql> show variables like 'datadir' ;
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| datadir | /var/lib/mysql/ |
+---------------+-----------------+
1 row in set (0.01 sec)
mysql>
root@wufantest01[/root]#cp ca.pem server-*.pem /var/lib/mysql/ -v
‘ca.pem’ -> ‘/var/lib/mysql/ca.pem’
‘server-cert.pem’ -> ‘/var/lib/mysql/server-cert.pem’
‘server-key.pem’ -> ‘/var/lib/mysql/server-key.pem’
‘server-req.pem’ -> ‘/var/lib/mysql/server-req.pem’
root@wufantest01[/root]#
12.2、修改 MySQL 数据目录的CA 证书和服务端 SSL 文件所属用户与组
root@wufantest01[/root]#chown -v mysql.mysql /var/lib/mysql/{ca,server*}.pem
changed ownership of ‘/var/lib/mysql/ca.pem’ from root:root to mysql:mysql
changed ownership of ‘/var/lib/mysql/server-cert.pem’ from root:root to mysql:mysql
changed ownership of ‘/var/lib/mysql/server-key.pem’ from root:root to mysql:mysql
changed ownership of ‘/var/lib/mysql/server-req.pem’ from root:root to mysql:mysql
root@wufantest01[/root]#
12.3、配置 MySQL 服务的配置文件 [/usr/my.cnf],在[mysqld]节点下加入如下内容:
root@wufantest01[/root]#vi /usr/my.cnf
[mysqld]
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
13、重启MySQL服务
root@wufantest01[/root]#systemctl stop mysql
root@wufantest01[/root]#systemctl start mysql
root@wufantest01[/root]#systemctl status mysql
● mysql.service - LSB: start and stop MySQL
Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
Active: active (running) since Fri 2019-11-15 17:35:02 CST; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 17497 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
Process: 17523 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/mysql.service
├─17528 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql...
└─17661 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/my...
Nov 15 17:35:00 wufantest01 systemd[1]: Starting LSB: start and stop My....
Nov 15 17:35:02 wufantest01 mysql[17523]: Starting MySQL.. SUCCESS!
Nov 15 17:35:02 wufantest01 systemd[1]: Started LSB: start and stop MySQL.
Hint: Some lines were ellipsized, use -l to show in full.
root@wufantest01[/root]#
14、登陆查看SSL开启状态have_openssl 与 have_ssl 值都为YES表示ssl开启成功
mysql> show variables like '%ssl%' ;
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
9 rows in set (0.00 sec)
mysql>
15、SSL连接测试
15.1、创建用户不指定ssl连接
mysql> grant all on *.* to 'ssl_test'@'%' identified by 'ssl_test';
Query OK, 0 rows affected (0.00 sec)
15.2、通过密码登陆
root@wufantest01[/root]#mysql -ussl_test -pssl_test
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.45 MySQL Community Server (GPL)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> quit
Bye
root@wufantest01[/root]#
可以看到登陆成功。
15.3、创建用户指定ssl连接
mysql> drop user ssl_test ;
Query OK, 0 rows affected (0.01 sec)
mysql> grant all on *.* to 'ssl_test'@'%' identified by 'ssl_test' require SSL;
Query OK, 0 rows affected (0.00 sec)
mysql>
15.4、测试不指定客户端证书直接通过密码登陆,无法登陆成功。
root@wufantest01[/root]#mysql -ussl_test -pssl_test
Warning: Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'ssl_test'@'localhost' (using password: YES)
root@wufantest01[/root]#
15.5、测试指定客户端证书登陆,登陆成功。
root@wufantest01[/root]#mysql -ussl_test -pssl_test --ssl-cert=client-cert.pem --ssl-key=client-key.pem
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.6.45 MySQL Community Server (GPL)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> quit
Bye
root@wufantest01[/root]#