How to enable SSL on MySQL 5.5 and similar versions
2016-07-28 14:47
Step 1: check whether this mysqld build supports SSL
mysql> show variables like '%ssl%';
If the output contains the two rows below, the binary was built with SSL support. A value of DISABLED instead of YES also means the support is compiled in; it simply has not been switched on yet (that is what step 4 does). Only NO means this build cannot do SSL at all, in which case install a different package or build MySQL with SSL enabled.
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
Step 2: generate the certificates
# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
# Create server key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem
# Create client key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
# Give the client certificate a serial number different from the server's: a CA must never
# issue two certificates with the same serial (RFC 5280), and CRLs identify a certificate by it
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem
The two "openssl rsa -in ... -out ..." lines must not be skipped on Ubuntu 12.04 or any other system with OpenSSL 1.0 or newer: "openssl req" writes the private key in PKCS #8 form (-----BEGIN PRIVATE KEY-----), which the yaSSL library bundled with older MySQL builds does not recognise, and "openssl rsa" rewrites it in the PKCS #1 form (-----BEGIN RSA PRIVATE KEY-----) that those builds require (OpenSSL-based builds read either). Two further points that the interactive prompts do not enforce: the Common Name you enter for the server and client certificates must differ from the CA's Common Name, otherwise servers built against OpenSSL reject the chain; and -sha1 is only there for old yaSSL builds that cannot handle SHA-256 signatures. A server that reports have_openssl = YES, as this one does, accepts SHA-256, so prefer -sha256 unless you have a client that cannot cope with it.
The commands above produce:
ca-cert.pem ca-key.pem client-cert.pem client-key.pem client-req.pem server-cert.pem server-key.pem server-req.pem
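The generation step above, carried through as one script that creates the files and then checks them before anything is copied into /etc/mysql. This is an added example, not code from the original post: it assumes openssl is on PATH and uses placeholder subject names (MySQL_Test_CA, mysql-server, mysql-client) that you should replace with your own. It deliberately differs from the commands above in three ways: SHA-256 signatures instead of SHA-1, a distinct serial for the client certificate, and an explicit check that each key came out in the PKCS #1 form older MySQL builds need (OpenSSL 3.x only writes that form with -traditional, OpenSSL 1.x writes it by default, so the conversion tries both).

```shell
#!/bin/sh
# Added example (not from the original post): generate a private CA plus
# server and client certificates for MySQL 5.5 and verify the result.
# Assumes: openssl on PATH; the /CN= values below are placeholders.

# Rewrite a private key into the PKCS#1 "BEGIN RSA PRIVATE KEY" form that
# yaSSL-based MySQL builds require. OpenSSL 3.x needs -traditional for that;
# OpenSSL 1.x emits PKCS#1 by default and rejects the flag, hence the fallback.
to_pkcs1() {
    openssl rsa -in "$1" -out "$1.tmp" -traditional 2>/dev/null \
        || openssl rsa -in "$1" -out "$1.tmp" 2>/dev/null || return 1
    mv "$1.tmp" "$1" && chmod 600 "$1"
}

# gen_mysql_ssl_certs DIR: create ca-*, server-* and client-* files in DIR.
gen_mysql_ssl_certs() {
    mkdir -p "$1" || return 1
    (
        set -e
        cd "$1"
        # CA: its CN must differ from the server/client CNs, or MySQL
        # servers built against OpenSSL reject the chain.
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -sha256 -days 3650 -key ca-key.pem \
            -subj "/CN=MySQL_Test_CA" -out ca-cert.pem
        # Server and client: distinct serial per certificate (RFC 5280),
        # SHA-256 signature, no passphrase so mysqld can start unattended.
        openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "/CN=mysql-server" -out server-req.pem 2>/dev/null
        openssl x509 -req -sha256 -in server-req.pem -days 730 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
        openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "/CN=mysql-client" -out client-req.pem 2>/dev/null
        openssl x509 -req -sha256 -in client-req.pem -days 730 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null
        to_pkcs1 server-key.pem
        to_pkcs1 client-key.pem
    )
}

# verify_mysql_ssl_certs DIR: the checks that catch the usual failure modes
# before mysqld is restarted. Returns non-zero on the first problem found.
verify_mysql_ssl_certs() {
    dir=$1
    for c in server client; do
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$c-cert.pem" >/dev/null 2>&1 \
            || { echo "$c-cert.pem does not chain to ca-cert.pem" >&2; return 1; }
        head -n 1 "$dir/$c-key.pem" | grep -q 'BEGIN RSA PRIVATE KEY' \
            || { echo "$c-key.pem is not PKCS#1 (yaSSL builds cannot read it)" >&2; return 1; }
        # the key and the certificate must belong together
        [ "$(openssl x509 -noout -modulus -in "$dir/$c-cert.pem")" = \
          "$(openssl rsa -noout -modulus -in "$dir/$c-key.pem")" ] \
            || { echo "$c-key.pem does not match $c-cert.pem" >&2; return 1; }
    done
    ca_subj=$(openssl x509 -noout -subject -in "$dir/ca-cert.pem")
    srv_subj=$(openssl x509 -noout -subject -in "$dir/server-cert.pem")
    [ "$ca_subj" != "$srv_subj" ] \
        || { echo "CA and server certificate share a subject" >&2; return 1; }
    srv_serial=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
    cli_serial=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
    [ "$srv_serial" != "$cli_serial" ] \
        || { echo "server and client certificate share a serial" >&2; return 1; }
    return 0
}

# Usage: sh gen-mysql-ssl.sh /etc/mysql/certs
if [ $# -ge 1 ]; then
    gen_mysql_ssl_certs "$1" && verify_mysql_ssl_certs "$1"
fi
```

Run it with the target directory as the only argument; it exits non-zero and names the file at fault if a certificate does not chain to the CA, a key is still PKCS #8, a key does not match its certificate, or the serials or subjects collide. Only ca-cert.pem, server-cert.pem and server-key.pem belong on the database host; keep ca-key.pem elsewhere.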
Step 3: where to put the certificates
On Ubuntu the mysqld AppArmor profile only lets the server read /etc/mysql/*.pem, so the simplest choice is to place the server-side files directly in /etc/mysql. The server needs only ca-cert.pem, server-cert.pem and server-key.pem; the CA private key (ca-key.pem) should not live on the database host at all, and the request files (*-req.pem) can be deleted once they are signed. If you use another directory such as /etc/mysql/certs, make sure the mysql user can read it (chown the files to mysql and keep server-key.pem at mode 0600), and add a matching rule to /etc/apparmor.d/usr.sbin.mysqld:
/etc/mysql/certs/*.pem r,
then reload the profile with "sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld". A missing rule shows up as an apparmor DENIED line for mysqld in /var/log/syslog or /var/log/kern.log and leaves have_ssl at DISABLED after the restart.
Step 4: enable SSL
In my.cnf, under the [mysqld] section, add the following (adjust the paths to where you put the files):
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
ssl
The bare "ssl" line is the --ssl option and is what actually turns SSL on; the three file options tell the server which certificate and key to present and which CA to validate client certificates against. ssl-cipher is optional: it restricts the server to that one cipher suite, and if it is omitted the server negotiates from its default list. Bear in mind that MySQL 5.5 negotiates TLS 1.0 only, whichever cipher you choose, so this protects the wire against passive sniffing and, with client certificates, against impersonation, but it is not a modern TLS configuration.
Restart MySQL (on Ubuntu 12.04: sudo service mysql restart).
Inside MySQL you should now see:
mysql> show variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /etc/mysql/certs/ca-cert.pem     |
| ssl_capath    |                                  |
| ssl_cert      | /etc/mysql/certs/server-cert.pem |
| ssl_cipher    | DHE-RSA-AES256-SHA               |
| ssl_key       | /etc/mysql/certs/server-key.pem  |
+---------------+----------------------------------+
have_ssl = YES means SSL is active (ssl_capath is empty because ssl-ca points at a single file rather than a directory). If have_ssl still reads DISABLED, the server could not load the files: look for an SSL error line in the MySQL error log and recheck the key format from step 2 and the AppArmor rule and file permissions from step 3.
Step 5: create a MySQL account that must use SSL
grant all privileges on *.* to 'zzz'@'%' identified by 'mysql' require ssl with grant option;
This creates a user 'zzz' with full privileges, which is fine for this walkthrough only; for a real deployment grant just the privileges the application needs, restrict the host part instead of using '%', and choose a real password. REQUIRE SSL only forces the connection to be encrypted; it does not make the client prove anything. To have the account authenticate with the client certificate generated in step 2, use REQUIRE X509 (any valid certificate signed by the CA in ssl-ca is accepted) or pin it further with REQUIRE SUBJECT and REQUIRE ISSUER set to the subject and issuer strings of that certificate.
Step 6: client configuration
On the client machine, add to its my.cnf (again with the paths where you copied the files):
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem
The client needs only these three files; never copy server-key.pem or ca-key.pem to client machines. Two caveats for the 5.5 client: with ssl-ca set it verifies that the server certificate chains to the CA, but it does not compare the certificate's Common Name with the host it connected to unless you also set ssl-verify-server-cert (in which case the server certificate's CN must equal the host name you connect with); and if an attacker strips the SSL negotiation from the handshake, clients of this vintage silently fall back to a cleartext connection (the weakness later tracked as CVE-2015-3152). REQUIRE SSL on the account in step 5 is therefore what guarantees the password is never sent in the clear: the server refuses an unencrypted login for that account.
After the change, log in to MySQL and run status:
mysql> status
--------------
mysql  Ver 14.14 Distrib 5.5.49, for debian-linux-gnu (x86_64) using readline 6.2

Connection id:          7329
Current database:
Current user:           zzz@10.142.54.88
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.49-0ubuntu0.12.04.1-log (Ubuntu)
Protocol version:       10
Connection:             10.142.54.88 via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 32 min 56 sec

Threads: 2  Questions: 343  Slow queries: 1  Opens: 209  Flush tables: 1  Open tables: 202  Queries per second avg: 0.173
--------------
The line "SSL: Cipher in use is DHE-RSA-AES256-SHA" is the proof that the whole setup is correct: server and client negotiated SSL with the configured cipher and the account was allowed in. If it reads "SSL: Not in use", the client connected in the clear (check the [client] paths, or pass --ssl-ca, --ssl-cert and --ssl-key on the mysql command line); for an account with REQUIRE SSL that attempt would have been rejected with an access denied error instead.