mysql8.0 使用 x509设置加密连接

mysql8.0 使用 x509设置加密连接

# 使用 x509设置加密连接

[root@db145 data]# ls -lhtr /data/mysql/mysql_3306/data/ | grep pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 ca-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 ca.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 server-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 server-cert.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 client-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 client-cert.pem
-rw-r--r-- 1 mysql mysql 452 Jun 6 2019 public_key.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 private_key.pem


# 在配置文件中添加如下内容

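[client]
# Certificate/key pair the client presents to the server. The test account is
# created with REQUIRE X509, so a connection without this pair is refused.
# Both paths are absolute and identical to the ones passed on the mysql -h
# command line later in this page (the original had a missing leading '/' on
# ssl-cert).
ssl-cert = /data/client/client-cert.pem
ssl-key = /data/client/client-key.pem
# NOTE(review): no ssl-ca / ssl-mode=VERIFY_CA is configured here, so the
# client does not verify the server's certificate; only the server verifies
# the client. Add the server's ca.pem as ssl-ca to get mutual verification.

[mysqld]
# Server-side CA, certificate and private key; these are the auto-generated
# files listed in the datadir above. ssl-ca is the CA the server trusts when
# validating client certificates for REQUIRE X509 accounts.
ssl-ca=/data/mysql/mysql_3306/data/ca.pem
ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
ssl-key=/data/mysql/mysql_3306/data/server-key.pem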

 

# 重启数据库服务

mysql> show variables like '%ssl%';
+---------------------------------------------------+---------------------------------------------+
| Variable_name | Value |
+---------------------------------------------------+---------------------------------------------+
| group_replication_recovery_ssl_ca | |
| group_replication_recovery_ssl_capath | |
| group_replication_recovery_ssl_cert | |
| group_replication_recovery_ssl_cipher | |
| group_replication_recovery_ssl_crl | |
| group_replication_recovery_ssl_crlpath | |
| group_replication_recovery_ssl_key | |
| group_replication_recovery_ssl_verify_server_cert | OFF |
| group_replication_recovery_use_ssl | OFF |
| group_replication_ssl_mode | DISABLED |
| have_openssl | YES |
| have_ssl | YES |
| mysqlx_ssl_ca | |
| mysqlx_ssl_capath | |
| mysqlx_ssl_cert | |
| mysqlx_ssl_cipher | |
| mysqlx_ssl_crl | |
| mysqlx_ssl_crlpath | |
| mysqlx_ssl_key | |
| ssl_ca | /data/mysql/mysql_3306/data/ca.pem |
| ssl_capath | |
| ssl_cert | /data/mysql/mysql_3306/data/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_fips_mode | OFF |
| ssl_key | /data/mysql/mysql_3306/data/server-key.pem |
+---------------------------------------------------+---------------------------------------------+
27 rows in set (0.01 sec)

mysql>

 

将 client-cert.pem client-key.pem 传给客户端
# Hand the copied client cert/key pair to the account the mysql client runs
# as. Ownership only: the key file should keep the 0600 mode it has on the
# server side.
chown -R mysql:mysql -- /data/client/

# 新建测试账号

mysql> create user 'user_w'@'%' identified by 'user_w_pwd' require X509;
mysql> grant all privileges on *.* to 'user_w'@'%';

 

[root@db143 client]# mysql -h 192.168.142.145 --ssl-cert=/data/client/client-cert.pem --ssl-key=/data/client/client-key.pem -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.18 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s;
--------------
mysql Ver 8.0.18 for linux-glibc2.12 on x86_64 (MySQL Community Server - GPL)

Connection id: 16
Current database:
Current user: user_w@192.168.142.143
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.18 MySQL Community Server - GPL
Protocol version: 10
Connection: 192.168.142.145 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3306
Uptime: 22 min 7 sec

Threads: 3 Questions: 35 Slow queries: 0 Opens: 1162 Flush tables: 3 Open tables: 48 Queries per second avg: 0.026
--------------

ERROR: 
No query specified

mysql> exit

[root@db143 client]# mysql -h 192.168.142.145 -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'user_w'@'192.168.142.143' (using password: YES)
[root@db143 client]#

# 如果是从库的话,需要使用自己的pem
[root@db143 data]# mysql -h 192.168.142.143 --ssl-cert=/data/mysql/mysql_3306/data/client-cert.pem --ssl-key=/data/mysql/mysql_3306/data/client-key.pem -uuser_w -p'user_w_pwd' 
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 8.0.18 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye
[root@db143 data]#

   

 

 

 

# 强制启用ssl复制

mysql> select user,host,ssl_type,ssl_cipher,x509_issuer,x509_subject from mysql.user;
+------------------+-----------+----------+------------+-------------+--------------+
| user             | host      | ssl_type | ssl_cipher | x509_issuer | x509_subject |
+------------------+-----------+----------+------------+-------------+--------------+
| bak              | %         |          |            |             |              |
| monitor          | %         |          |            |             |              |
| proxysql         | %         |          |            |             |              |
| repuser          | %         | X509     |            |             |              |
| user_w           | %         | X509     |            |             |              |
| bak              | localhost |          |            |             |              |
| mysql.infoschema | localhost |          |            |             |              |
| mysql.session    | localhost |          |            |             |              |
| mysql.sys        | localhost |          |            |             |              |
| repuser          | localhost |          |            |             |              |
| root             | localhost |          |            |             |              |
+------------------+-----------+----------+------------+-------------+--------------+
11 rows in set (0.00 sec)

mysql> 

 

# 同步复制启用ssl
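-- Re-point this replica at the source over an encrypted connection.
-- The replication account (repuser) has ssl_type = X509 in mysql.user, so the
-- replica must present the client certificate/key pair it was given.
stop slave ;
CHANGE MASTER TO
MASTER_HOST='192.168.142.145',
MASTER_USER='repuser',
MASTER_PASSWORD='repuserpwd',
MASTER_PORT=3306,
-- Require encryption explicitly instead of relying on negotiation.
MASTER_SSL=1,
MASTER_SSL_CERT='/data/client/client-cert.pem',
-- Private key of the same pair as MASTER_SSL_CERT, given as an absolute path
-- like the certificate (the original used a bare 'client-key.pem').
MASTER_SSL_KEY='/data/client/client-key.pem',
-- NOTE(review): without MASTER_SSL_CA and MASTER_SSL_VERIFY_SERVER_CERT=1 the
-- replica does not verify the source's certificate; copy the source's ca.pem
-- to the replica and add both options for mutual verification.
MASTER_AUTO_POSITION = 1;
start slave ;
-- \G already terminates the statement; a trailing ';' only produces
-- "ERROR: No query specified".
show slave status\G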