Enabling SSL in MySQL

1. Generate the certificates

mysql_ssl_rsa_setup
ll /srv/mysql/data/*.pem

2. Edit my.cnf

nano -w /etc/my.cnf

[mysqld]
ssl-ca = /srv/mysql/data/ca.pem
ssl-cert = /srv/mysql/data/server-cert.pem
ssl-key = /srv/mysql/data/server-key.pem

3. Confirm that SSL is enabled

show global variables like 'have_%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (0.00 sec)

4. Check which SSL/TLS protocol versions are in use

show global variables like 'tls_version';
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.00 sec)
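As an added check (example code written for this page, not part of the original post), the script below parses a my.cnf in the format used in step 2 and flags what a reviewer would raise: a missing ssl-ca/ssl-cert/ssl-key option, the deprecated TLSv1 and TLSv1.1 protocols that the tls_version output above reports, and require_secure_transport left off (a MySQL server option the post does not use, assumed available on the server being configured). Both sample configurations are constructed for the example.

```python
import configparser
from typing import Dict, List

# Constructed my.cnf mirroring this post's [mysqld] section and reported tls_version.
WEAK_MY_CNF = """
[mysqld]
ssl-ca = /srv/mysql/data/ca.pem
ssl-cert = /srv/mysql/data/server-cert.pem
ssl-key = /srv/mysql/data/server-key.pem
tls_version = TLSv1,TLSv1.1
"""

# Same certificate files, but only TLSv1.2 offered and plaintext logins refused.
HARDENED_MY_CNF = """
[mysqld]
ssl_ca = /srv/mysql/data/ca.pem
ssl_cert = /srv/mysql/data/server-cert.pem
ssl_key = /srv/mysql/data/server-key.pem
tls_version = TLSv1.2
require_secure_transport = ON
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}
CERT_OPTIONS = ("ssl-ca", "ssl-cert", "ssl-key")

def parse_my_cnf(text: str) -> Dict[str, Dict[str, str]]:
    # MySQL reads '-' and '_' in option names interchangeably, so normalise to
    # the dashed form; allow_no_value keeps bare options such as skip-networking.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {s: {k.replace("_", "-"): (v or "").strip() for k, v in cp[s].items()}
            for s in cp.sections()}

def audit_mysqld(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    # Returns findings for the [mysqld] section; an empty list means clean.
    srv = cfg.get("mysqld", {})
    findings = [f"{o} not set: server cannot offer TLS" for o in CERT_OPTIONS if not srv.get(o)]
    versions = [v.strip() for v in srv.get("tls-version", "").split(",") if v.strip()]
    if not versions:
        findings.append("tls_version not pinned: check SHOW GLOBAL VARIABLES LIKE 'tls_version'")
    weak = [v for v in versions if v in DEPRECATED_TLS]
    if weak:
        findings.append("deprecated protocol(s) offered: " + ",".join(weak))
    if srv.get("require-secure-transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is off: plaintext connections still accepted")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(name, audit_mysqld(parse_my_cnf(text)) or ["OK"])
```

Run it against the real /etc/my.cnf by passing the file's contents to parse_my_cnf; an empty findings list from audit_mysqld means the three certificate options are set, no deprecated protocol is offered, and unencrypted logins are refused.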

5. Configure SSL users

grant all privileges on *.* to root@'%' identified by '123456' require none;
grant all privileges on *.* to bfs@'%' identified by '123456' require ssl;
flush privileges;

6. Login test

mysql --ssl-ca=/srv/mysql/data/ca.pem \
      --ssl-cert=/srv/mysql/data/client-cert.pem \
      --ssl-key=/srv/mysql/data/client-key.pem \
      -uroot -p -hlocalhost

7. Configure client support

[client]
ssl-ca = /srv/mysql/data/ca.pem
ssl-cert = /srv/mysql/data/client-cert.pem
ssl-key = /srv/mysql/data/client-key.pem

8. Build the truststore

keytool -import -alias mysqlServerCACert -file server-cert.pem -keystore truststore

To remove an entry:

keytool -delete -alias emailcert -keystore truststore

9. Build the keystore

openssl x509 -outform DER -in client-cert.pem -out client.cert
keytool -import -file client.cert -keystore keystore -alias mysqlClientCertificate

About Zeno Chen

I work across many fields, broadly rather than deeply. Programming languages: Perl, Java, PHP, Python; database systems: MySQL, Oracle; occasional circuit-board development, mainly with STM32 microcontrollers.