浮雲雅築: [研究] 讓 MySQL Server 5.1.37 和 Client 用 SSL 連線 (Cent OS 6.8 x64)

[研究] 讓 MySQL Server 5.1.37 和 Client 用 SSL 連線 (Cent OS 6.8 x64)

2016-07-22

注意，建立証書/憑證時，Client與Server的Common Name必須與CA証書的Common Name不同才行，否則會失敗。

參考

MariaDB - Secure Connections
https://mariadb.com/kb/en/mariadb/secure-connections/

MySQL 5.7 Reference Manual / 7.4.6.2 Creating SSL Certificates and Keys Using openssl

http://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html

	憑證請求Certificate request	憑證Certificate (Public Key)	私鑰 (Private Key)
CA	--	ca.pem	ca-key.pem
Server	server-req.pem	server-cert.pem	server-key.pem
Client	client-req.pem	client-cert.pem	client-key.pem

安裝 MySQL Server, OpenSSL

[root@localhost ~]# yum -y install mysql-server mysql openssl

[root@localhost ~]# service mysqld restart
[root@localhost ~]# chkconfig mysqld on

如果想變更 root 密碼，可用下面方法

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h localhost.localdomain password 'new-password'

[root@localhost ~]# yum list | grep openssl

openssl.x86_64 1.0.1e-48.el6_8.1 @updates
krb5-pkinit-openssl.x86_64 1.10.3-57.el6 base
openssl.i686 1.0.1e-48.el6_8.1 updates
openssl-devel.i686 1.0.1e-48.el6_8.1 updates
openssl-devel.x86_64 1.0.1e-48.el6_8.1 updates
openssl-perl.x86_64 1.0.1e-48.el6_8.1 updates
openssl-static.x86_64 1.0.1e-48.el6_8.1 updates
openssl098e.i686 0.9.8e-20.el6.centos.1 base
openssl098e.x86_64 0.9.8e-20.el6.centos.1 base
xmlsec1-openssl.i686 1.2.20-4.el6 base
xmlsec1-openssl.x86_64 1.2.20-4.el6 base
xmlsec1-openssl-devel.i686 1.2.20-4.el6 base
xmlsec1-openssl-devel.x86_64 1.2.20-4.el6 base
[root@localhost ~]#

使用的是 OpenSSL 1.0.1e 版

先確認支援 SSL (應該看到類似下面訊息)

[root@localhost ~]# ldd /usr/libexec/mysqld | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f08f2522000)

[root@localhost ~]#

(一) CA 憑證

建立私鑰 ca-key.pem

[root@localhost ~]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
.........+++
..............................................................................................+++
e is 65537 (0x10001)

建立憑證 ca.pem

[root@localhost ~]# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:a

Email Address []:

[root@localhost ~]#

(二) Server 憑證

注意，建立証書時，Client與Server的Common Name必須與CA証書的Common Name不同才行，否則會失敗。

建立私鑰 (server-key.pem) 及申請 (server-req.pem)
問題全部按下 Enter

[root@localhost ~]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
Generating a 2048 bit RSA private key
......+++
.+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:b
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ~]#

建立公鑰 server-key.pem

[root@localhost ~]# openssl rsa -in server-key.pem -out server-key.pem

writing RSA key

建立憑證 server-cert.pem

[root@localhost ~]# openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Signature ok

subject=/C=XX/L=Default City/O=Default Company Ltd

Getting CA Private Key

[root@localhost ~]#

(三) Client 憑證

建立私鑰及申請

[root@localhost ~]# openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem

Generating a 2048 bit RSA private key

....................................+++

....................+++

writing new private key to 'client-key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:c

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@localhost ~]#

建立公鑰

[root@localhost ~]# openssl rsa -in client-key.pem -out client-key.pem
writing RSA key

建立憑證

[root@localhost ~]# openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key
[root@localhost ~]#

[root@localhost ~]# mkdir /etc/newcerts

[root@localhost ~]# cp client-* ca* server*.pem /etc/newcerts/

[root@localhost ~]# ls /etc/newcerts

ca-key.pem client-cert.pem client-req.pem server-key.pem

ca.pem client-key.pem server-cert.pem server-req.pem

********************************************************************************

檢查 MariaDB 目前是否支援SSL

[root@localhost ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)

mysql> \q
Bye
[root@localhost ~]#

目前不支援，編輯 /etc/my.cnf

[root@localhost ~]# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
[root@localhost ~]#

[root@localhost ~]# vi /etc/my.cnf

(Windows 版是 my.ini)

[mysqld] 區域最後加上

ssl-ca=/etc/newcerts/ca.pem

ssl-cert=/etc/newcerts/server-cert.pem

ssl-key=/etc/newcerts/server-key.pem

重新啟動讓 my.cnf 的設定生效

[root@localhost ~]# service mysqld restart

Stopping mysqld: [ OK ]
Starting mysqld: [ OK ]
[root@localhost ~]#

再次檢查

[root@localhost ~]# mysql -e "show variables like '%ssl%';"

+---------------+-------------------------------+

| Variable_name | Value |

+---------------+-------------------------------+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | /etc/newcerts/ca.pem |

| ssl_capath | |

| ssl_cert | /etc/newcerts/server-cert.pem |

| ssl_cipher | |

| ssl_key | /etc/newcerts/server-key.pem |

+---------------+-------------------------------+

現在支援了

測試

接下來測試 MariaDB Server 和 Client 的連線

建立 TestDB 資料庫，TestUser 使用者，密碼為 TestPassword，並強制該使用者連上資料庫必須用 SSL 方式

mysql -e "create database TestDB"

mysql -e "show databases; "

mysql -e "grant all on TestDB.* to TestUser@localhost; "

mysql -e "set password for TestUser@localhost=password('TestPassword'); "

mysql -e "grant all privileges on TestDB.* to TestUser@'%' identified by 'TestPassword' require ssl;"

mysql -e "grant all privileges on TestDB.* to TestUser@localhost identified by 'TestPassword' require ssl;"

mysql -e "flush privileges; "

mysql -e "use mysql; select Host,User, ssl_type from user; "

嘗試直接連線，不用 SSL，結果失敗 (-u 和帳號之間空一格，-p和密碼間不空格)

[root@localhost phpMyAdmin]# mysql -u TestUser -pTestPassword TestDB

ERROR 1045 (28000): Access denied for user 'TestUser'@'localhost' (using password: YES)

[root@localhost phpMyAdmin]#

用 SSL 方式連線，可以連上。

[root@localhost ~]# mysql -u TestUser -pTestPassword TestDB --ssl-key=/etc/newcerts/client-key.pem --ssl-cert=/etc/newcerts/client-cert.pem --ssl-ca=/etc/newcerts/ca.pem
Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 12
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q
Bye
[root@localhost ~]#

上面測試成功了。

建立証書/憑證時，Common Name 相同，會有類似下面錯誤。

[root@localhost phpMyAdmin]# mysql -u TestUser -pTestPassword TestDB --ssl-key=/etc/newcerts/client-key.pem --ssl-cert=/etc/newcerts/client-cert.pem --ssl-ca=/etc/newcerts/ca.pem

ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@localhost phpMyAdmin]#

(完)

相關