MySQL 8.0 使用 X509 设置加密连接

# 使用 X509 设置加密连接

[root@db145 data]# ls -lhtr /data/mysql/mysql_3306/data/ | grep pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 ca-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 ca.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 server-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 server-cert.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 client-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 client-cert.pem
-rw-r--r-- 1 mysql mysql 452 Jun 6 2019 public_key.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 private_key.pem


# 在配置文件中添加如下内容

说明：服务端 [mysqld] 段指定 CA 以及服务器证书/私钥；客户端 [client] 段只配置了客户端证书与私钥，没有配置 ssl-ca 和 ssl-mode，因此客户端不会校验服务器证书（只有服务端按 REQUIRE X509 校验客户端证书）。如需客户端也校验服务器身份，请在 [client] 段另加 ssl-ca（指向服务端 ca.pem 的副本）并设置 ssl-mode=VERIFY_CA 或 VERIFY_IDENTITY。

[client]
ssl-cert = /data/client/client-cert.pem
ssl-key = /data/client/client-key.pem

[mysqld]
ssl-ca=/data/mysql/mysql_3306/data/ca.pem
ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
ssl-key=/data/mysql/mysql_3306/data/server-key.pem

# 重启数据库服务

mysql> show variables like '%ssl%';
+---------------------------------------------------+---------------------------------------------+
| Variable_name | Value |
+---------------------------------------------------+---------------------------------------------+
| group_replication_recovery_ssl_ca | |
| group_replication_recovery_ssl_capath | |
| group_replication_recovery_ssl_cert | |
| group_replication_recovery_ssl_cipher | |
| group_replication_recovery_ssl_crl | |
| group_replication_recovery_ssl_crlpath | |
| group_replication_recovery_ssl_key | |
| group_replication_recovery_ssl_verify_server_cert | OFF |
| group_replication_recovery_use_ssl | OFF |
| group_replication_ssl_mode | DISABLED |
| have_openssl | YES |
| have_ssl | YES |
| mysqlx_ssl_ca | |
| mysqlx_ssl_capath | |
| mysqlx_ssl_cert | |
| mysqlx_ssl_cipher | |
| mysqlx_ssl_crl | |
| mysqlx_ssl_crlpath | |
| mysqlx_ssl_key | |
| ssl_ca | /data/mysql/mysql_3306/data/ca.pem |
| ssl_capath | |
| ssl_cert | /data/mysql/mysql_3306/data/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_fips_mode | OFF |
| ssl_key | /data/mysql/mysql_3306/data/server-key.pem |
+---------------------------------------------------+---------------------------------------------+
27 rows in set (0.01 sec)

mysql>

将 client-cert.pem 和 client-key.pem 传给客户端；client-key.pem 是私钥，复制到客户端后应保持与服务端相同的 0600 权限，只允许发起连接的用户读取。
chown -R mysql.mysql /data/client/

# 新建测试账号

mysql> create user 'user_w'@'%' identified by 'user_w_pwd' require X509;
mysql> grant all privileges on *.* to 'user_w'@'%';
[root@db143 client]# mysql -h 192.168.142.145 --ssl-cert=/data/client/client-cert.pem --ssl-key=/data/client/client-key.pem -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.18 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s;
--------------
mysql Ver 8.0.18 for linux-glibc2.12 on x86_64 (MySQL Community Server - GPL)

Connection id: 16
Current database:
Current user: user_w@192.168.142.143
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.18 MySQL Community Server - GPL
Protocol version: 10
Connection: 192.168.142.145 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3306
Uptime: 22 min 7 sec

Threads: 3 Questions: 35 Slow queries: 0 Opens: 1162 Flush tables: 3 Open tables: 48 Queries per second avg: 0.026
--------------

ERROR:
No query specified

mysql> exit

[root@db143 client]# mysql -h 192.168.142.145 -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'user_w'@'192.168.142.143' (using password: YES)
[root@db143 client]#