I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL set up to enable SSL and have a remote user that requires SSL.
This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
My question is: Why do I have to provide the ca.pem file as the client?
These are the steps I took to install mysql on the server and setup remote access (Ubuntu):
Steps to Enable SSL for MYSQL
1) Obtain my Certificate Authority cert, Database cert, Database key
ca.pem (Certificate Authority cert)
dbcert.pem (Database cert)
dbkey.pem (Database key)
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3) Restart mysql and confirm ssl enabled by logging in and typing following:
show variables like '%ssl%';
Configure Remote Connection Requiring SSL
1) Comment out the following lines in /etc/mysql/my.cnf
#bind-address
#skip-networking
2) Login to mysql and grant a user access to, in this case, every database
GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL;
At this point, I have MYSQL set up to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but I need to specify the --ssl-ca.
Why do I have to provide the ssl-ca from client? Is there a way to do this so that I don't have to?
I would really appreciate some insight here.
Thanks in advance.
Solution
Unlike your typical web browser, a commandline tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built-in list of certification authorities, and you implicitly trust them (whether you know it or not).
When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the CA signing it."
For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
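The trust check the answer describes, reproduced with openssl as an added example (not code from the original post): a throwaway CA signs a server certificate, and the certificate only verifies when the checker is handed that CA's ca.pem, exactly as the mysql client needs --ssl-ca. All key/certificate names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: which CA file the client trusts decides whether the
# server certificate validates. Files are left in $WORK for inspection.
set -eu

WORK="$(mktemp -d)"

# 1. The CA the server certificate is issued by (this is the ca.pem you
#    pass to mysql with --ssl-ca).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Demo MySQL CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The server's key and a certificate signed by that CA
#    (the dbkey.pem / dbcert.pem pair from the question's step 1).
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=192.168.5.5" \
  -keyout "$WORK/dbkey.pem" -out "$WORK/db.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/db.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
  -out "$WORK/dbcert.pem" >/dev/null 2>&1

# 3. An unrelated CA, standing in for "a CA the client has never heard of".
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/otherkey.pem" -out "$WORK/other_ca.pem" >/dev/null 2>&1

# chain_status CERT CAFILE: prints "trusted" when CERT chains to CAFILE,
# "untrusted" otherwise. This is the decision the client makes during
# the TLS handshake before it sends any credentials.
chain_status() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "with ca.pem:       $(chain_status "$WORK/dbcert.pem" "$WORK/ca.pem")"
echo "with other_ca.pem: $(chain_status "$WORK/dbcert.pem" "$WORK/other_ca.pem")"
```

To avoid typing --ssl-ca on every connection, the same ca.pem can be set once as ssl-ca under a [client] section of the user's ~/.my.cnf (a standard mysql client option, not something the post mentions); the trust decision is unchanged, only where the CA path lives.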