Openssl
SSL协议提供的服务主要有:
认证用户和服务器,确保数据发送到正确的客户机和服务器;
加密数据以防止数据中途被窃取;
维护数据的完整性,确保数据在传输过程中不被改变。
为了在MySQL服务器和客户端之间建立SSL联接,服务器系统必须满足:
操作系统安装有OpenSSL或yaSSL;
安装的MySQL版本必须支持SSL。
这里使用OpenSSL。
1.yum install openssl openssl-devel openssl098e
shell>rpm -qa | grep openssl #检查是否安装OpenSSL。MySQL需要openssl的共享库。
openssl-1.0.0-20.el6.x86_64
openssl-devel-1.0.0-20.el6.x86_64
openssl098e-0.9.8e-17.el6.x86_64
2.
mysql> show global variables like ‘have%ssl’; #检查是否支持ssl。NO表示不支持,DISABLE表示支持但未使用
+�D�D�D�D�D+�D�D�D-+
| Variable_name | Value |
+�D�D�D�D�D+�D�D�D-+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
3.
如果是使用编译好的二进制,那默认都支持,如果自行编译,针对5.5版本,需要使用cmake . -DWITH_SSL=system选项。
shell>mkdir -p /data/ssl
shell>cd /data/ssl
#以下创建认证机构的数字认证证书,后续服务器端和客户端的证书都使用该认证机构进行签署。
shell>openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
………+++
…………………………………………………………………………………………………..+++
e is 65537 (0×10001)
shell>openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
�D
Country Name (2 letter code) [GB]:CN *
State or Province Name (full name) [Berkshire]:SHENZHEN *
Locality Name (eg, city) [Newbury]:SHENZHEN *
Organization Name (eg, company) [My Company Ltd]:CA *
Organizational Unit Name (eg, section) []:MYSQL
Common Name (eg, your name or your server’s hostname) []:master
Email Address []:
为master发证书
openssl genrsa -out master.key 2048
#openssl req -new -key master.key -out master.csr -days 36500
#以下创建服务器端证书
shell>openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
……………….+++
…………+++
writing new private key to ‘server-key.pem’
�D
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
�D
Country Name (2 letter code) [GB]:CN *
State or Province Name (full name) [Berkshire]:SHENZHEN *
Locality Name (eg, city) [Newbury]:SHENZHEN *
Organization Name (eg, company) [My Company Ltd]:CH *
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:mysqlserver *
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
shell>openssl rsa -in server-key.pem -out server-key.pem #移除server-key中的passphrase【可选】
writing RSA key
shell>openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem #签署服务端证书
Signature ok
subject=/C=CN/ST=Hangzhou/L=Hangzhou/O=CH/CN=mysqlserver
Getting CA Private Key
#以下创建客户端证书
shell>openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
Generating a 2048 bit RSA private key
………………………………………………………………………………………+++
…+++
writing new private key to ‘client-key.pem’
�D
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
�D
Country Name (2 letter code) [GB]:CN *
State or Province Name (full name) [Berkshire]:SHENZHEN *
Locality Name (eg, city) [Newbury]:SHENZHEN *
Organization Name (eg, company) [My Company Ltd]:CH *
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:mysqlclient *
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
shell>openssl rsa -in client-key.pem -out client-key.pem #移除client-key中的passphrase【可选】
writing RSA key
shell>openssl rsa -in client-key.pem -out client-key.pem #移除client-key中的passphrase【可选】
writing RSA key
shell>openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem #签署客户端证书
Signature ok
subject=/C=CN/ST=Hangzhou/L=Hangzhou/O=CH/CN=mysqlclient
Getting CA Private Key
#生成完毕后,验证下
shell>openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
经过上述步骤,就生成了如下文件:
ca-cert.pem在服务器端和客户端都是用--ssl-ca=ca-cert.pem
server-cert.pem,server-key.pem 服务器端指定--ssl-cert=server-cert.pem和--ssl-key=server-key.pem
client-cert.pem,client-key.pem 客户端指定--ssl-cert=client-cert.pem和--ssl-key=client-key.pem
把生成的证书复制到从服并授文件权限
chown -R mysql.mysql /data/ssl/
配置主从后
再配置文件my.conf增加以下参数后重启mysql
change master to master_ssl=1;
change master to master_ssl_ca='/data/ssl/ca-cert.pem';
change master to master_ssl_cert='/data/ssl/server-cert.pem';
change master to master_ssl_key='/data/ssl/server-key.pem';
在主服为从服授权x509 或 ssl
grant replication client,replication slave on *.* to backuprpl@'192.168.1.84' require ssl;
或
grant replication client,replication slave on *.* to backuprpl@'192.168.1.84' identified by 'password';
再自行SSL加密授权:
grant replication client,replication slave on *.* to backuprpl@'192.168.1.84' require x509;
4.
配置SSL连接
如下两种方案均可以实现使用SSL进行配置和赋权。
【方案一】
Server:
在服务器端的配置文件my.cnf中添加如下参数:
[mysqld]
ssl-cert=/data/ssl/server-cert.pem
ssl-key=/data/ssl/server-key.pem
重启mysqld。
用户赋权,用GRANT语句的REQUIRE SSL选项
如:
mysql>create user cert@localhost identified by 'arbt2015';
mysql>grant select on *.* to cert@localhost require ssl;
Client:
mysql -u cert -parbt2015 -P 3306 --ssl-ca=ca-cert.pem
【方案二】
Server:
在服务器端的配置文件my.cnf中添加如下参数:
[mysqld]
ssl
ssl-ca=/data/ssl/ca-cert.pem
ssl-cert=/data/ssl/server-cert.pem
ssl-key=/data/ssl/server-key.pem
重启mysqld。
用户赋权,用GRANT语句的REQUIRE x509选项
如:
mysql>create user cert@localhost identified by 'arbt2015';
mysql>grant select on *.* to cert@localhost require x509;
mysql -u cert -p -P 3306 --ssl-ca=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem
#mysql -ucert -p --ssl-ca=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem
5.
配置完成后,可以如下方式查看自身对ssl的支持:
mysql> show global variables like '%ssl%'; #查看服务器是否支持SSL连接
+---------------+-------------------------+
| Variable_name | Value |
+---------------+-------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /db/ssl/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /db/ssl/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /db/ssl/server-key.pem |
+---------------+-------------------------+
mysql> SHOW STATUS LIKE 'Ssl_cipher'; #查看本连接是否是SSL加密的连接
+�D�D�D�D�D+�D�D�D�D�D�D+
| Variable_name | Value |
+�D�D�D�D�D+�D�D�D�D�D�D+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+�D�D�D�D�D+�D�D�D�D�D�D+