Mysql数据库安全链接和密码加密方式及破解

使用SSL安全链接Mysql数据库

一、使用SSL安全连接

To use SSL connections between the MySQL server and client programs, your system must

support either OpenSSL or yaSSL and your version of MySQL must be built with SSL support.

To make it easier to use secure connections, MySQL is bundled with yaSSL as of MySQL

5.0.10. (MySQL and yaSSL employ the same licensing model, whereas OpenSSL uses an

Apache-style license.) yaSSL support initially was available only for a few platforms, but now

it is available on all platforms supported by MySQL AB.

To get secure connections to work with MySQL and SSL, you must do the following:

If you are not using a binary (precompiled) version of MySQL that has been built with SSL

support, and you are going to use OpenSSL rather than the bundled yaSSL library, install

OpenSSL if it has not already been installed. We have tested MySQL with OpenSSL 0.9.6. To

obtain OpenSSL, visit http://www.openssl.org.

If you are not using a binary (precompiled) version of MySQL that has been built with SSL

support, configure a MySQL source distribution to use SSL. When you configure MySQL,

invoke the configure script with the appropriate option to select the SSL library that you

want to use.

For yaSSL:
shell> ./configure --with-yassl

For OpenSSL:
shell> ./configure --with-openssl

Before MySQL 5.0, it was also neccessary to use --with-vio, but that option is no longer

required.

Note that yaSSL support on Unix platforms requires that either /dev/urandom or

/dev/random be available to retrieve true random numbers. For additional information

(especially regarding yaSSL on Solaris versions prior to 2.8 and HP-UX)

Make sure that you have upgraded your grant tables to include the SSL-related columns in

the mysql.user table. This is necessary if your grant tables date from a version of MySQL

older than 4.0.

To check whether a server binary is compiled with SSL support, invoke it with the --ssl

option. An error will occur if the server does not support SSL:

shell> mysqld --ssl --help

060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'To check whether a running

mysqld server supports SSL, examine the value of the have_openssl system variable:

mysql> SHOW VARIABLES LIKE 'have_openssl';
+---------------+-------+|
Variable_name | Value |
+---------------+-------+|
have_openssl  | YES   |
+---------------+-------+

If the value is YES, the server supports SSL connections. If the value is DISABLED, the

server supports SSL connections but was not started with the appropriate --ssl-xxx options

(described later in this section). If the value is YES, the server supports SSL connections.

To start the MySQL server so that it allows clients to connect via SSL, use the options that

identify the key and certificate files the server needs when establishing a secure connection:

shell> mysqld --ssl-ca=cacert.pem /      
         --ssl-cert=server-cert.pem /      
         --ssl-key=server-key.pem

一般情况下mysql服务器会随开机自启动，如果需要支持ssl，则修要修改配置文

件/etc/mysql/my.cnf，设置ssl-ca,ssl-cert,ssl-key. 然后/etc/init.d/mysql restart--ssl-ca

identifies the Certificate Authority (CA) certificate.

--ssl-cert identifies the server public key. This can be sent to the client and authenticated

against the CA certificate that it has.

--ssl-key identifies the server private key.

To establish a secure connection to a MySQL server with SSL support, the options that a

client must specify depend on the SSL requirements of the user account that the client uses.

 

If the account has no special SSL requirements or was created using a GRANT statement

that includes the REQUIRE SSL option, a client can connect securely by using just the --ssl-

ca option:

shell> mysql --ssl-ca=cacert.pem

To require that a client certificate also be specified, create the account using the REQUIRE

X509 option. Then the client must also specify the proper client key and certificate files or

the server will reject the connection:

shell> mysql --ssl-ca=cacert.pem /      
         --ssl-cert=client-cert.pem /      
         --ssl-key=client-key.pem

In other words, the options are similar to those used for the server. Note that the

Certificate Authority certificate has to be the same.

A client can determine whether the current connection with the server uses SSL by checking

the value of the Ssl_cipher status variable. The value of Ssl_cipher is non-empty if SSL is

used, and empty otherwise. For example:

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value             
|+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA
|+---------------+--------------------+

For the mysql client, you can use the STATUS or /s command and check the SSL line:

mysql> /s...SSL:                   

Not in use...Or:

mysql> /s...SSL:                   

Cipher in use is DHE-RSA-AES256-SHA...To establish a secure connection from within an

application program, use the mysql_ssl_set() C API function to set the appropriate certificate

options before calling mysql_real_connect().

二、对数据库帐号设置不同的安全连接类型

There are a number of different possibilities for limiting connection types for a given

account:
REQUIRE NONE indicates that the account has no SSL or X509 requirements. This is the

default if no SSL-related REQUIRE options are specified. Unencrypted connections are

allowed if the username and password are valid. However, encrypted connections can also

be used, at the client's option, if the client has the proper certificate and key files. That is,

the client need not specify any SSL commmand options, in which case the connection will be

unencrypted. To use an encrypted connection, the client must specify either the --ssl-ca

option, or all three of the --ssl-ca, --ssl-key, and --ssl-cert options.

The REQUIRE SSL option tells the server to allow only SSL-encrypted connections for the

account.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' REQUIRE SSL;

To connect, the client must specify the --ssl-ca option, and may additionally specify the --ssl

-key and --ssl-cert options.

REQUIRE X509 means that the client must have a valid certificate but that the exact

certificate, issuer, and subject do not matter. The only requirement is that it should be

possible to verify its signature with one of the CA certificates.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' REQUIRE X509;

To connect, the client must specify the --ssl-ca, --ssl-key, and --ssl-cert options. This is also

true for ISSUER and SUBJECT because those REQUIRE options imply X509.

REQUIRE ISSUER 'issuer' places the restriction on connection attempts that the client must

present a valid X509 certificate issued by CA 'issuer'. If the client presents a certificate that

is valid but has a different issuer, the server rejects the connection. Use of X509 certificates

always implies encryption, so the SSL option is unnecessary in this case.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' 
REQUIRE ISSUER '/C=FI/ST=Some-State/L=Helsinki/   
O=MySQL Finland AB/CN=Tonu Samuel/[email protected]';

Note that the 'issuer' value should be entered as a single string.
REQUIRE SUBJECT 'subject' places the restriction on connection attempts that the client

must present a valid X509 certificate containing the subject subject. If the client presents a

certificate that is valid but has a different subject, the server rejects the connection.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' 
REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/   
O=MySQL demo client certificate/   
CN=Tonu Samuel/[email protected]';

Note that the 'subject' value should be entered as a single string.
REQUIRE CIPHER 'cipher' is needed to ensure that ciphers and key lengths of sufficient

strength are used. SSL itself can be weak if old algorithms using short encryption keys are

used. Using this option, you can ask that a specific cipher method is used to allow a

connection.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' 
REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';

The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause like

this:

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost' 
IDENTIFIED BY 'goodsecret' 
REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/   
O=MySQL demo client certificate/   
CN=Tonu Samuel/[email protected]' 
AND ISSUER '/C=FI/ST=Some-State/L=Helsinki/   
O=MySQL Finland AB/CN=Tonu Samuel/[email protected]' 
AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

The AND keyword is optional between REQUIRE options.

三、为Mysql制作ssl证书
This section demonstrates how to set up SSL certificate and key files for use by MySQL

servers and clients. The first example shows a simplified procedure such as you might use

from the command line. The second shows a script that contains more detail. Both examples

use the openssl command that is part of OpenSSL.

The following example shows a set of commands to create MySQL server and client

certificate and key files. You will need to respond to several prompts by the openssl

commands. For testing, you can press Enter to all prompts. For production use, you should

provide non-empty responses.

# Create clean environment
shell> rm -rf newcertsshell> mkdir newcerts && cd newcerts

# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 /        
         -key ca-key.pem > ca-cert.pem

# Create server certificate
shell> openssl req -newkey rsa:2048 -days 1000 /        
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 /        
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

# Create client certificate
shell> openssl req -newkey rsa:2048 -days 1000 /        
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 /        
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem 

 

mysql通过ssl的方式生成秘钥

-- mysql ssl 生成秘钥

1 check ssl是否已经开启
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)

2 没有开启,所以打开
在my.cnf末尾端设置ssl 参数， 然后重新启动mysql服务即可
mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
| ssl_ca        |       |
| ssl_capath    |       |
| ssl_cert      |       |
| ssl_cipher    |       |
| ssl_crl       |       |
| ssl_crlpath   |       |
| ssl_key       |       |
+---------------+-------+
9 rows in set (0.00 sec)

3 通过openssl生成证书的配置, 在mysql db server上生成秘钥
mkdir -p /etc/mysql/newcerts/
cd /etc/mysql/newcerts/

3.1 openssl genrsa 2048 > ca-key.pem
3.2 openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

[root@mysql newcerts]# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:shh
Locality Name (eg, city) [Default City]:shh
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:db
Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos
Email Address []:[email protected]

3.3 openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
[root@mysql newcerts]# openssl req -newkey  rsa:2048  -days 1000 -nodes -keyout server-key.pem > server-req.pem
Generating a 2048 bit RSA private key
.......................................................................................................+++
..........................................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:shh
Locality Name (eg, city) [Default City]:ssh
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:db
Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:820923
An optional company name []:xx

4 在mysql db server客户端生成ssl文件
4.1 openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

 [root@mysql newcerts]# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Signature ok
subject=/C=ch/ST=shh/L=ssh/O=ea/OU=db/CN=mysql.yest.nos/[email protected]
Getting CA Private Key

4.2 openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem

[root@mysql newcerts]# openssl  req -newkey  rsa:2048  -days 1000 -nodes -keyout client-key.pem > client-req.pem
Generating a 2048 bit RSA private key
.......+++
........................................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:shh
Locality Name (eg, city) [Default City]:shh
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:db
Common Name (eg, your name or your server''s hostname) []:mysql.yest.nos
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:820923
An optional company name []:xx

4.3
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

[root@mysql newcerts]# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Signature ok
subject=/C=ch/ST=shh/L=shh/O=ea/OU=db/CN=mysql.yest.nos/[email protected]
Getting CA Private Key

5
copy clent.* 3个文件到客户端机器上面/opt/mysql/ssl/去。

6 登陆验证
mysql -uxxx -pxxxx --ssl-ca=/opt/mysql/ssl/ca-cert.pem --ssl-cert=/opt/mysql/ssl/server-cert.pem --ssl-key=/opt/mysql/ssl/server-key.pem

详解MYSQL数据库密码的加密方式及破解方法转载连接

1. http://blog.csdn.net/arau_sh/article/details/7619721
2. http://blog.csdn.net/arau_sh/article/details/7619744