本文介绍了如何通过SSL连接到Amazon RDS?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试建立与通过Amazon RDS托管的MySQL数据库的SSL连接.我对如何连接感到困惑.

I'm trying to set up an SSL connection to a MySQL database hosted via Amazon RDS. I'm confused as to how to connect.

根据Amazon的文档,我需要下载名为"rds-ca-2015-root.pem"的CA证书,并在我的SSL连接中使用它. 我将与之连接的数据库用户设置为需要SSL.

According to Amazon's documentation, I need to download a CA certificate called "rds-ca-2015-root.pem" and use it in my SSL connection. I set the database user that I am connecting with to require SSL.

在PHP中,我包含以下代码以启动连接:

In PHP, I include the code below to initiate the connection:

$mysqli = mysqli_init();
mysqli_options($mysqli, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$mysqli->ssl_set(NULL, NULL, "/path/to/pem", NULL, NULL);
$mysqli->real_connect("host", "username", "password", "name", 3306, NULL, MYSQLI_CLIENT_SSL);

但是,无论我将哪个路径指定为ssl_set()中的第三个参数(即使该路径无效),也都可以成功建立SSL连接.第三个参数不能设置为NULL.

我通过运行以下查询来验证这一点:SHOW STATUS LIKE 'Ssl_cipher';.输出验证连接已加密(Ssl_cipher => AES256-SHA).

I verify this by running this query: SHOW STATUS LIKE 'Ssl_cipher';. The output verifies that the connection is encrypted (Ssl_cipher => AES256-SHA).

有人可以向我解释这是如何工作的吗?我对为什么路径不正确时为什么连接继续成功工作感到困惑.如何验证RDS服务器?

Could someone please explain to me how this works? I am confused as to why the connection continues to work successfully when the path is incorrect. How is the RDS server being verified?

推荐答案

RDS文档实际上解释了为什么发生这种情况,并建议您甚至不需要CA证书:

The RDS documentation actually explains why this is happening, and suggests that you don't even need the CA cert:

无论您是手动更新证书还是Amazon RDS更新了证书,必须重新启动数据库实例才能使用 新证书生效.您可以决定何时要 手动重新启动数据库实例,但是您必须更新证书 并在旧证书(rds-ca-2010)之前重新启动实例 将于2015年4月3日到期.

Regardless of whether you manually update the certificate or Amazon RDS updated the certificate, the DB instance must be rebooted for the new certificate to take effect. You can decide when you want to manually reboot the DB instance, but you must update the certificate and reboot the instance before the old certificate (rds-ca-2010) expires on April 3, 2015.

您可以检查数据库正在使用的证书颁发机构(CA) Amazon RDS控制台的实例. CA列在 数据库实例详细信息的安全性和网络"部分.如果你的 实例显示rds-ca-2015,则新证书已被 成功申请.您仍然需要重新启动数据库实例 并更新您的客户端应用程序以使用新的SSL证书.

You can check the certificate authority (CA) being used by your DB instance using the Amazon RDS console. The CA is listed under the Security and Network section of your DB instance details. If your instance shows rds-ca-2015, then the new certificate has been successfully applied. You still need to reboot your database instance and update your client application to use the new SSL certificate.

如果Amazon RDS控制台将您的实例CA显示为rds-ca-2010,则 新证书尚未应用于您的数据库实例 然而.使用以下说明在以下位置更新SSL证书 您的数据库实例.

If the Amazon RDS console shows your instance CA as rds-ca-2010, then the new certificate has not been applied to your database instance yet. Use the instructions following to update the SSL certificate on your database instances.

客户端实际上忽略了第三个参数.我通过将第三个参数设置为NULL进行投注,如果所有参数都为空,则调用mysqli::ssl_set()没有意义.

The 3rd parameter is essentially being ignored by the client. I'm betting by setting the 3rd param to NULL, there is no point in calling mysqli::ssl_set() if all the params are null.

尝试完全删除该函数调用.

Try removing that function call altogether.

这篇关于如何通过SSL连接到Amazon RDS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-04 08:14
查看更多