How to enable SSL in MySQL 5.5 and similar versions

Source: Internet   Editor: 程序博客网   Time: 2024/06/04 00:31

Step 1: check whether MySQL supports SSL

mysql> show variables like '%ssl%';

If the output below appears, SSL is supported. If it does not, consider switching to a different build, or compile a MySQL with SSL support yourself.

+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |


Step 2: generate the certificates

# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

# Create server key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem     # On Ubuntu 12.04 and similar this line is mandatory: newer OpenSSL writes the key in PKCS #8, which the server cannot read, so rewrite it as a PKCS #1 "RSA PRIVATE KEY"

# Create client key and certificate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem     # Same conversion for the client key, for the same reason

The commands above produce:

ca-cert.pem  ca-key.pem  client-cert.pem  client-key.pem  client-req.pem  server-cert.pem  server-key.pem  server-req.pem

Two things to watch when answering the interactive prompts: the Common Name of the server and client certificates must differ from the Common Name of the CA certificate, otherwise the certificates are rejected as self-signed; and since both leaf certificates are issued by the same CA they should carry different serial numbers (RFC 5280 requires serials to be unique per issuer), so use -set_serial 02 for the client. SHA-1 signatures are deprecated; substitute -sha256 wherever the server's SSL library accepts it.
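The same Step 2 procedure as a non-interactive script, written here as an added example (it is not code from the original article). It goes a little beyond the text: SHA-256 instead of SHA-1, distinct Common Names and serials for server and client, a PKCS #1 conversion that works on both OpenSSL 1.x and 3.x, and a check function that validates the chain, confirms each key matches its certificate, and confirms the key format before the files are handed to mysqld. The Common Names, the organisation, the output directory ./mysql-ssl and the validity periods are illustrative assumptions; openssl must be on PATH.

```sh
#!/bin/sh
# Added example, not part of the original article. Generates a CA plus a
# server and a client certificate for MySQL and verifies them the way the
# server and client will use them. Names and paths are assumptions.
set -e

# Rewrite a private key into PKCS#1 ("BEGIN RSA PRIVATE KEY"), the only form
# the yaSSL bundled with MySQL 5.5 reads. OpenSSL 3.x writes PKCS#8 unless
# told -traditional; OpenSSL 1.x does not know that flag, so fall back.
to_pkcs1() {
    openssl rsa -in "$1" -out "$1.tmp" -traditional 2>/dev/null \
        || openssl rsa -in "$1" -out "$1.tmp"
    mv "$1.tmp" "$1"
}

# Print a certificate's serial number, e.g. "01".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Print a certificate's subject in this openssl's own format
# (only ever compared for equality, never parsed).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

gen_mysql_certs() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA: SHA-256, 10-year validity. Its CN must differ from the leaf CNs.
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -nodes -sha256 -days 3650 -key ca-key.pem \
            -subj "/O=Example/CN=MySQL Test CA" -out ca-cert.pem
        # Server certificate, serial 01.
        openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server-key.pem \
            -subj "/O=Example/CN=mysql-server" -out server-req.pem 2>/dev/null
        openssl x509 -req -sha256 -in server-req.pem -days 730 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
        to_pkcs1 server-key.pem
        # Client certificate, different CN and serial 02 under the same CA.
        openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout client-key.pem \
            -subj "/O=Example/CN=mysql-client" -out client-req.pem 2>/dev/null
        openssl x509 -req -sha256 -in client-req.pem -days 730 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null
        to_pkcs1 client-key.pem
        chmod 600 ca-key.pem server-key.pem client-key.pem
    )
}

# Return 0 only if every artifact passes the checks worth running before
# restarting mysqld with these paths.
check_mysql_certs() {
    dir=$1
    for leaf in server client; do
        # Chain validates against the CA (what each peer does at the handshake).
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/${leaf}-cert.pem" >/dev/null || return 1
        # Key and certificate belong together: identical RSA modulus.
        [ "$(openssl x509 -in "$dir/${leaf}-cert.pem" -noout -modulus)" = \
          "$(openssl rsa -in "$dir/${leaf}-key.pem" -noout -modulus 2>/dev/null)" ] || return 1
        # Key is PKCS#1, not PKCS#8.
        grep -q 'BEGIN RSA PRIVATE KEY' "$dir/${leaf}-key.pem" || return 1
        # Leaf subject differs from the CA subject.
        [ "$(cert_subject "$dir/${leaf}-cert.pem")" != "$(cert_subject "$dir/ca-cert.pem")" ] || return 1
    done
    # Server and client serials differ under the same issuer.
    [ "$(cert_serial "$dir/server-cert.pem")" != "$(cert_serial "$dir/client-cert.pem")" ] || return 1
    return 0
}

gen_mysql_certs "${1:-./mysql-ssl}"
check_mysql_certs "${1:-./mysql-ssl}" && echo "certificates in ${1:-./mysql-ssl} pass all checks"
```

Copy only ca-cert.pem, server-cert.pem and server-key.pem to the database host; ca-key.pem is needed solely to issue further certificates and should stay off the server. The client host gets ca-cert.pem, client-cert.pem and client-key.pem.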


Step 3: certificate location

By default the certificates go under /etc/mysql (ca-cert.pem, ca-key.pem, server-cert.pem, server-key.pem, server-req.pem). If you place them somewhere else, such as /etc/mysql/certs, make sure the mysql user can read that directory, and on Ubuntu add the path to /etc/apparmor.d/usr.sbin.mysqld, then reload the profile:

/etc/mysql/certs/*.pem r,

The server only needs ca-cert.pem, server-cert.pem and server-key.pem; ca-key.pem does not belong on the database host, and server-key.pem should be readable by the mysql user alone.


Step 4: enable SSL

In the MySQL configuration file my.cnf, under the [mysqld] section, add the following (adjust the certificate paths):

ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
ssl

Restart MySQL.

In MySQL you should now see:

mysql> show variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /etc/mysql/certs/ca-cert.pem     |
| ssl_capath    |                                  |
| ssl_cert      | /etc/mysql/certs/server-cert.pem |
| ssl_cipher    | DHE-RSA-AES256-SHA               |
| ssl_key       | /etc/mysql/certs/server-key.pem  |
which means SSL is active. If have_ssl shows DISABLED instead, the server was built with SSL support but was not started with the ssl options above; check the paths, the file permissions and the AppArmor profile, and look at the error log.


Step 5: grant a MySQL user

 grant all privileges on *.* to 'zzz'@'%' identified by 'mysql' require ssl with grant option;

This creates a user 'zzz' with all privileges. REQUIRE SSL makes the server refuse that account's logins over unencrypted connections; it only demands encryption, so if the client must also present a certificate signed by your CA use REQUIRE X509 (or REQUIRE SUBJECT / REQUIRE ISSUER). ALL PRIVILEGES ON *.* from any host ('%') WITH GRANT OPTION is a test grant; narrow the host and the privileges for real deployments.


Step 6: client configuration

In the client's MySQL configuration file my.cnf, add the following (adjust the certificate paths):

[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem

After the change, log in to MySQL and run status. The "SSL:" line confirms that the connection is encrypted. Note that the 5.5 client does not check that the server certificate's Common Name matches the host it connected to unless you also pass --ssl-verify-server-cert (or put ssl-verify-server-cert in [client]).

mysql> status
--------------
mysql  Ver 14.14 Distrib 5.5.49, for debian-linux-gnu (x86_64) using readline 6.2

Connection id:          7329
Current database:
Current user:           zzz@10.142.54.88
SSL:                    Cipher in use is DHE-RSA-AES256-SHA      (seeing this line means the whole setup is correct)
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.49-0ubuntu0.12.04.1-log (Ubuntu)
Protocol version:       10
Connection:             10.142.54.88 via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 32 min 56 sec

Threads: 2  Questions: 343  Slow queries: 1  Opens: 209  Flush tables: 1  Open tables: 202  Queries per second avg: 0.173
--------------
