MySQL 5.7 SSL連接最佳實戰 1. 背景 * 在生產環境下,安全總是無法忽視的問題,資料庫安全則是重中之重,因為所有的數據都存放在資料庫中 * 當使用非加密方式連接MySQL資料庫時,在網路中傳輸的所有信息都是明文的,可以被網路中所有人截取,敏感信息可能被泄露。在傳送敏感信息(如密碼)時, ...
MySQL 5.7--------SSL連接最佳實戰
1. 背景
* 在生產環境下,安全總是無法忽視的問題,資料庫安全則是重中之重,因為所有的數據都存放在資料庫中
* 當使用非加密方式連接MySQL資料庫時,在網路中傳輸的所有信息都是明文的,可以被網路中所有人截取,敏感信息可能被泄露。在傳送敏感信息(如密碼)時,可以採用SSL連接的方式。
* 版本小於5.7.6時按照 MySQL 5.6 SSL配置的方式進行。
2. MySQL 連接方式
* socket連接
* TCP非SSL連接
* SSL安全連接
* SSL + 密碼連接 [version > MySQL 5.7.5]
* SSL + 密碼 + 密鑰連接
3. SSL 簡介
* SSL指的是SSL/TLS,其是一種為了在電腦網路進行安全通信的加密協議。假設用戶的傳輸不是通過SSL的方式,那麼其在網路中以明文的方式進行傳輸,而這給別有用心的人帶來了可乘之機。所以,現在很多網站其實預設已經開啟了SSL功能,比如Facebook、Twtter、YouTube、淘寶等。
4. 環境 [ 關閉SeLinux ]
* system 環境
[root@MySQL ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@MySQL ~]# uname -r
2.6.32-696.3.2.el6.x86_64
[root@MySQL ~]# getenforce
Disabled
* MySQL 環境 [ MySQL 5.7安裝前面篇章已做詳細介紹 ]
have_openssl 與 have_ssl 值都為DISABLED表示ssl未開啟
[root@MySQL ~]# mysql -p'123'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.7.18 |
+-----------+
1 row in set (0.00 sec)
mysql> show variables like 'have%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
+---------------+----------+
2 rows in set (0.02 sec)
mysql> show variables like 'port';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| port | 3306 |
+---------------+-------+
1 row in set (0.01 sec)
mysql> show variables like 'datadir';
+---------------+-------------------+
| Variable_name | Value |
+---------------+-------------------+
| datadir | /data/mysql_data/ |
+---------------+-------------------+
1 row in set (0.01 sec)
5. SSL配置
* 利用自帶工具生成SSL相關文件
[root@MySQL ~]# /usr/local/mysql/bin/mysql_ssl_rsa_setup --datadir=/data/mysql_data
Generating a 2048 bit RSA private key
..........................................................................+++
.....+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
.......................................................................................................................................................................+++
...+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.....................+++
...........................................+++
writing new private key to 'client-key.pem'
-----
* 查看生成的SSL文件
[root@MySQL ~]# ls -l /data/mysql_data/*.pem
-rw------- 1 root root 1679 Jun 24 20:54 /data/mysql_data/ca-key.pem
-rw-r--r-- 1 root root 1074 Jun 24 20:54 /data/mysql_data/ca.pem
-rw-r--r-- 1 root root 1078 Jun 24 20:54 /data/mysql_data/client-cert.pem
-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/client-key.pem
-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/private_key.pem
-rw-r--r-- 1 root root 451 Jun 24 20:54 /data/mysql_data/public_key.pem
-rw-r--r-- 1 root root 1078 Jun 24 20:54 /data/mysql_data/server-cert.pem
-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/server-key.pem
* 重啟 MySQL 服務
[root@MySQL ~]# /etc/init.d/mysqld restart
Shutting down MySQL.. SUCCESS!
Starting MySQL. SUCCESS!
* 連接MySQL 查看SSL開啟狀態
have_openssl 與 have_ssl 值都為YES表示ssl開啟成功
mysql> show variables like 'have%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
+---------------+-------+
2 rows in set (0.03 sec)
6. SSL + 密碼連接測試
* 創建用戶並指定 SSL 連接 [ MySQL 5.7後推薦使用create user 方式創建用戶 ]
mysql> create user 'ssl_test'@'%' identified by '123' require SSL;
Query OK, 0 rows affected (0.00 sec)
* 通過密碼連接測試 [ 預設採用SSL連接,需要指定不使用SSL連接 ]
[root@MySQL ~]# mysql -h 192.168.60.129 -ussl_test -p'123' --ssl=0
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'ssl_test'@'192.168.60.129' (using password: YES)
* 通過 SSL + 密碼 連接測試
SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通過SSL連接
[root@MySQL ~]# mysql -h 192.168.60.129 -ussl_test -p'123' --ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 12
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18 MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.60.129 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 7 min 34 sec
Threads: 1 Questions: 29 Slow queries: 0 Opens: 112 Flush tables: 1 Open tables: 105 Queries per second avg: 0.063
--------------
7. SSL + 密碼 + 密鑰連接
* 創建用戶並指定 X509 [ SSL+密鑰 ] 連接 [ MySQL 5.7後推薦使用create user 方式創建用戶 ]
mysql> create user 'X509_test'@'%' identified by '123' require X509;
Query OK, 0 rows affected (0.00 sec)
* 通過密碼連接測試
[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl=0
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'X509_test'@'192.168.60.129' (using password: YES)
* 通過 SSL +密碼 連接測試
[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'X509_test'@'192.168.60.129' (using password: YES)
* 通過 SSL + 密碼+密鑰連接測試
SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通過SSL連接
[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl-cert=/data/mysql_data/client-cert.pem --ssl-key=/data/mysql_data/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using EditLine wrapper
Connection id: 21
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18 MySQL Community Server (GPL)
Protocol version: 10
Connection: 192.168.60.129 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 18 min 27 sec
Threads: 1 Questions: 40 Slow queries: 0 Opens: 118 Flush tables: 1 Open tables: 111 Queries per second avg: 0.036
--------------
