mysql配置SSL證書登錄的實現(xiàn)

更新時間：2021年09月03日 10:37:58 作者：瀟雷

應(yīng)國家等級保護三級安全要求，mysql 的 ssl 需要安全證書加密，本文主要介紹了mysql配置SSL證書登錄，感興趣的可以了解一下

前言

國家等級保護三級安全要求，mysql 的 ssl 需要安全證書加密，這里需要研究一下,選幾個賬戶演示下即可。mysql 的版本為 8.0.20

一、Mysql 啟用 SSL 配置

1.1 檢查是否開啟 ssl

mysql> show variables like '%ssl%';
+--------------------+-----------------+
| Variable_name      | Value           |
+--------------------+-----------------+
| have_openssl       | YES             |  
| have_ssl           | YES             |  # 已開啟ssl
| mysqlx_ssl_ca      |                 |
| mysqlx_ssl_capath  |                 |
| mysqlx_ssl_cert    |                 |
| mysqlx_ssl_cipher  |                 |
| mysqlx_ssl_crl     |                 |
| mysqlx_ssl_crlpath |                 |
| mysqlx_ssl_key     |                 |
| ssl_ca             | ca.pem          |
| ssl_capath         |                 |
| ssl_cert           | server-cert.pem |
| ssl_cipher         |                 |
| ssl_crl            |                 |
| ssl_crlpath        |                 |
| ssl_fips_mode      | OFF             |
| ssl_key            | server-key.pem  |
+--------------------+-----------------+
17 rows in set (0.56 sec)

1.2 設(shè)置用戶是否使用 SSL 連接

mysql> select ssl_type from user where user = 'dev_fqr' ;
+----------+
| ssl_type |
+----------+
|          |
+----------+
1 row in set (0.05 sec)

默認(rèn)用戶是沒有使用 SSL 登錄的。
我們可以強制這個管理用戶使用 SSL 登錄。

alter user 'xxx'@'%' require ssl;
取消ssl驗證:
alter user 'xxx'@'%' require none;

更改后，該賬戶就無法登錄了,查看狀態(tài)變成下面這種

mysql> select ssl_type from user where user = 'dev_fqr' ;
+----------+
| ssl_type |
+----------+
| ANY      |
+----------+
1 row in set (0.01 sec)

測試登錄，本機無法直接登錄。

[root@localhost data]# mysql -u dev_fqr -p
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it

遠(yuǎn)程客戶端無法直接登錄：

1.3 使用 SSL 登錄

要想通過 SSL 登錄，就需要用到下面這幾個證書，通過 client 證書與 server 端進(jìn)行校驗通過才能登錄成功。

1）本機登錄

在 data 目錄下的三個文件證書登錄。

[root@localhost data]# mysql -udev_fqr -pDev@fqr2021 --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl connection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql>

2）navicate 遠(yuǎn)程客戶端登錄

把這三個證書下載下來