devbox
小舞很执着
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

MySQL数据库SSL连接测试_mysql ssl

作者:小舞很执着 | 2024-07-20 03:06:18

mysql ssl

环境信息:Centos7 + MySQL 5.7.21

在该环境上进行SSL连接测试。

MySQL Server 配置:

vi /etc/my.cnf

  1. [mysql]
  2. default-character-set = utf8mb4
  3.  
  4. [client]
  5. default-character-set = utf8mb4
  6.  
  7. # ssl_mode = [ DISABLED | PREFERRED(default if not set) | REQUIRED | VERIFY_CA | VERIFY_IDENTITY ]
  8. # ssl_mode 为客户端可选参数,如果客户端连接时指定了则生效的是客户端连接时指定的参数,如果客户端连接未指定则使用服务端的[client]中的配置参数,如果未配置默认为PREFRED。
  9. #   DISABLED: 非SSL连接。
  10. #   PREFERRED: SSL/no-ssl。如果不配置、默认就是该行为。先尝试SSL连接、如果失败则尝试非SSL连接。
  11. #   REQUIRED: SSL连接。仅尝试SSL连接,SSL连接失败则失败、不会尝试非SSL连接。
  12. #   VERIFY_CA: SSL连接,双向认证。校验ca证书、但不校验证书中的server host name。
  13. #   VERIFY_IDENTITY: SSL连接,双向认证。校验ca证书、同时校验证书中的server host name。
  14. #ssl_mode = PREFERRED
  15. ssl_mode = VERIFY_CA
  16.  
  17. [mysqld]
  18.  
  19. datadir=/var/lib/mysql
  20. socket=/var/lib/mysql/mysql.sock
  21.  
  22. validate_password=off
  23.  
  24. # for ssl enable
  25. # 服务器端配置强制SSL连接、禁止非SSL连接
  26. require_secure_transport = ON
  27. # 下面3个参数如果不配置或者值配置成ca.pem, server-cert.pem, server-key.pem,不加路径,则MySQL默认行为是读取数据目录下的三个文件
  28. ssl-ca=/var/lib/mysql/ca.pem
  29. ssl-cert=/var/lib/mysql/server-cert.pem
  30. ssl-key=/var/lib/mysql/server-key.pem
  31.  
  32. #for mysqlbinlog enable
  33. server-id=1
  34. log-bin=/var/lib/mysql/mysql-bin
  35. binlog_format=row
  36. expire_logs_days=15
  37. max_binlog_size=500m
  38.  
  39. #utf8mb4
  40. character-set-client-handshake=false
  41. character-set-server=utf8mb4
  42. collation-server=utf8mb4_unicode_ci
  43. init_connect='SET NAMES utf8mb4'
  44.  
  45. # for blob input, default value is 4194304 (4M) if not set
  46. #max_allowed_packet = 100M
  47.  
  48. # for other performance settings
  49. max_connections = 2000
  50. max_connect_errors = 500
  51. back_log = 1000
  52. thread_cache_size = 64
  53. table_open_cache_instances = 500
  54. ###show global status like '%open%table%'; Open_tables / Opened_tables 85%~95%
  55. table_open_cache = 10000
  56. table_definition_cache = 2000
  57. innodb_thread_concurrency = 0
  58. max_tmp_tables = 100
  59.  
  60. ## common sql commands
  61. ## -- show engine innodb status \G;
  62. ## -- show global variables like '%thread%';
  63. ## -- show global status like '%thread%';
  64. ## -- show global status like '%open%table%';
  65. ## -- show variables like '%table%';
  66.  
  67. # Disablinr symbolic-links is recommended to prevent assorted security risks
  68. symbolic-links=0
  69.  
  70. log-error=/var/log/mysqld.log
  71. pid-file=/var/run/mysqld/mysqld.pid

编写测试脚本:

vi cmd.sh

  1. #!/bin/sh
  2.  
  3. # ssl-test-qftools
  4.  
  5. SQL_SSL="
  6. # check if server start with --ssl:\n
  7. # -- show variables like '%have_ssl%';\n
  8. \n
  9. # check if server force accpet ssl session request ( deny no-ssl requests ):\n
  10. # -- show variables like 'require_secure_transport';\n
  11. \n
  12. # client connected and check current session ssl status:\n
  13. # -- show session status like 'Ssl_cipher';\n
  14. \n
  15. # check ssl configs:\n
  16. # -- show variables like '%ssl%';\n
  17. "
  18. # java keystore.jks generate cmd: keytool -importcert -trustcacerts -file ca.pem -keystore keystore216.jks -storepass 1q2w3e
  19.  
  20. HOST=192.168.1.216
  21. PORT=3306
  22. USER=root
  23. DIR=./ssl_1.216
  24.  
  25. # for MySQL old Versin
  26. #$SSLOPT=--ssl
  27. #$SSLOPT="--ssl --ssl-verify-server-cert"
  28.  
  29. # for MySQL new Version
  30. SSLOPT_DISABLED="--ssl-mode=DISABLED"
  31. SSLOPT_PREFERRED="--ssl-mode=PREFERRED"
  32. SSLOPT_REQUIRED="--ssl-mode=REQUIRED"
  33. # ssl && also perform verification against the server CA certificate but no against the server host name in its certificate.
  34. SSLOPT_CA="--ssl-mode=VERIFY_CA"
  35. # ssl && also perform verification against the server CA certificate and (with VERIFY_IDENTITY) against the server host name in its certificate.
  36. SSLOPT_IDENTITY="--ssl-mode=VERIFY_IDENTITY"
  37.  
  38. CA=$DIR/ca.pem
  39. CERT=$DIR/client-cert.pem
  40. KEY=$DIR/client-key.pem
  41.  
  42.  
  43. # 客户端连接时不指定相关参数、由服务器配置决定最终行为
  44. CMD0="mysql -h$HOST -P$PORT -u$USER -p "
  45. # 客户端连接指定配置
  46. # no-ssl
  47. CMD1="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_DISABLED"
  48. # ssl/no-ssl 先尝试SSL连接、如果失败则尝试非SSL连接
  49. CMD2="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_PREFERRED"
  50. # ssl单向,SSL连接失败则失败、不会尝试非SSL连接
  51. CMD3="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_REQUIRED"
  52. # ssl单向、虽然多余传ca证书、客户端证书和秘钥(实际上无需传),实际效果还是单向。MySQL Server my.cnf [client] 中如果配置为 ssl_mode = VERIFY_CA ,连接时客户端如果指定ssl_mode参数则会覆盖,以客户端配置优先
  53. CMD4="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_REQUIRED --ssl-ca=$CA  --ssl-cert=$CERT --ssl-key=$KEY"
  54. # ssl双向认证,不验证hostname
  55. CMD5="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_CA --ssl-ca=$CA  --ssl-cert=$CERT --ssl-key=$KEY"
  56. # ssl双向认证 && 验证hostname
  57. CMD6="mysql -h$HOST -P$PORT -u$USER -p $SSLOPT_IDENTITY --ssl-ca=$CA  --ssl-cert=$CERT --ssl-key=$KEY"
  58.  
  59.  
  60. if [ ! $# -eq 1 ] || [ "$1" == "-h" ];then
  61.   echo ""
  62.   echo "Please user: $0 {type}"
  63.   echo "  type: 0 | 1 | 2 | 3 | 4 | 5 | 6"
  64.   echo "  type 0 for run: $CMD0"
  65.   echo "  type 1 for run: $CMD1"
  66.   echo "  type 2 for run: $CMD2"
  67.   echo "  type 3 for run: $CMD3"
  68.   echo "  type 4 for run: $CMD4"
  69.   echo "  type 5 for run: $CMD5"
  70.   echo "  type 6 for run: $CMD6"
  71.   echo -e "\n---------------------\n"
  72.   echo "About sql for show ssl infos after mysql connected: "
  73.   echo -e $SQL_SSL
  74.   exit
  75. fi
  76.  
  77.  
  78. inputType=$1
  79. if [ -z inputType ];then
  80.   inputType=1
  81. fi
  82.  
  83. echo "inputType = $inputType"
  84.  
  85. if [ $inputType -eq 0 ];then
  86.   echo $CMD0
  87.   $CMD0
  88. elif [ $inputType -eq 1 ];then
  89.   echo $CMD1
  90.   $CMD1
  91. elif [ $inputType -eq 2 ];then
  92.   echo $CMD2
  93.   $CMD2
  94. elif [ $inputType -eq 3 ];then
  95.   echo $CMD3
  96.   $CMD3
  97. elif [ $inputType -eq 4 ];then
  98.   echo $CMD4
  99.   $CMD4
  100. elif [ $inputType -eq 5 ];then
  101.   echo $CMD5
  102.   $CMD5
  103. elif [ $inputType -eq 6 ];then
  104.   echo $CMD6
  105.   $CMD6
  106. else
  107.   echo "ERROR: inputType unsupport!"
  108.   exit
  109. fi

从MySQL Server服务器拷贝证书和Key到客户端机器上,然后客户端机器上执行相关测试:
[root@localhost ssl_test]# ls -l
total 4
-rwxr--r-- 1 root root 3165 Apr 25 01:40 cmd.sh
drwxr-xr-x 2 root root   62 Apr 24 21:45 ssl_1.216
[root@localhost ssl_test]# ls -l ssl_1.216/
total 12
-rw-r--r-- 1 root root 1107 Apr 24 21:45 ca.pem
-rw-r--r-- 1 root root 1107 Apr 24 21:45 client-cert.pem
-rw------- 1 root root 1679 Apr 24 21:45 client-key.pem


SSL连接测试失败的情况:
./cmd.sh 0
./cmd.sh 1
./cmd.sh 6

SSL连接失败的执行详细信息:
[root@localhost ssl_test]# ./cmd.sh 0
inputType = 0
mysql -h192.168.1.216 -P3306 -uroot -p
Enter password: 
ERROR 2026 (HY000): SSL connection error: CA certificate is required if ssl-mode is VERIFY_CA or VERIFY_IDENTITY
[root@localhost ssl_test]# 

[root@localhost ssl_test]# ./cmd.sh 1
inputType = 1
mysql -h192.168.1.216 -P3306 -uroot -p --ssl-mode=DISABLED
Enter password: 
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.
[root@localhost ssl_test]# 

[root@localhost ssl_test]# ./cmd.sh 6
inputType = 6
mysql -h192.168.1.216 -P3306 -uroot -p --ssl-mode=VERIFY_IDENTITY --ssl-ca=./ssl_1.216/ca.pem --ssl-cert=./ssl_1.216/client-cert.pem --ssl-key=./ssl_1.216/client-key.pem
Enter password: 
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
[root@localhost ssl_test]# 

SSL连接测试成功的情况:
./cmd.sh 2
./cmd.sh 3
./cmd.sh 4
./cmd.sh 5
 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小舞很执着/article/detail/854859
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号