1. 背景
* 在生产环境下,安全总是无法忽视的问题,数据库安全则是重中之重,因为所有的数据都存放在数据库中
* 当使用非加密方式连接MySQL数据库时,在网络中传输的所有信息都是明文的,可以被网络中所有人截取,敏感信息可能被泄露。在传送敏感信息(如密码)时,可以采用SSL连接的方式。
2. MySQL 连接方式
* socket连接
* TCP非SSL连接
* SSL安全连接
3. SSL 简介
* SSL指的是SSL/TLS,其是一种为了在计算机网络进行安全通信的加密协议。假设用户的传输不是通过SSL的方式,那么其在网络中以明文的方式进行传输,而这给别有用心的人带来了可乘之机。所以,现在很多网站其实默认已经开启了SSL功能,比如Facebook、Twtter、YouTube、淘宝等。
4. 环境 [ 关闭SeLinux ]
* system 环境
[root@MySQL ~]# cat /etc/RedHat-release
CentOS release 6.9 (Final)
[root@MySQL ~]# uname -r
2.6.32-696.3.2.el6.x86_64
[root@MySQL ~]# getenforce
Disabled
* MySQL 环境 [ MySQL 5.6安装前面篇章已做详细介绍 ]
have_openssl 与 have_ssl 值都为DISABLED表示ssl未开启
[root@MySQL mysql]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.36 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.6.36 |
+-----------+
1 row in set (0.00 sec)
mysql> show variables like 'have%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
+---------------+----------+
2 rows in set (0.00 sec)
mysql> show variables like 'port';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| port | 3306 |
+---------------+-------+
1 row in set (0.00 sec)
mysql> show variables like 'datadir';
+---------------+-------------------+
| Variable_name | Value |
+---------------+-------------------+
| datadir | /data/mysql_data/ |
+---------------+-------------------+
1 row in set (0.00 sec)
5. 通过openssl 制作生成 SSL 证书
* 生成一个 CA 私钥
[root@MySQL ~]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
....................+++
e is 65537 (0x10001)
* 通过 CA 私钥生成数字证书
[root@MySQL ~]# openssl req -new -x509 -nodes -days 3600 \
> -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
* 创建 MySQL 服务器 私钥和请求证书
[root@MySQL ~]# openssl req -newkey rsa:2048 -days 3600 \
> -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
.................................+++
.......................................................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
* 将生成的私钥转换为 RSA 私钥文件格式
[root@MySQL ~]# openssl rsa -in server-key.pem -out server-key.pem
writing RSA key