我的任务是加密对MySQL的所有本地和远程连接,并且必须通过客户端SSL证书验证所有客户端。
但是我甚至无法从shell连接到MySQL并始终获得“用户ssluser@localhost拒绝访问...”
平台:
我已根据this instruction
创建了selft签名的证书# Create CA certificate
# -----------
# CN = localdomain.com
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# -----------
# CN = cn1.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# -----------
# CN = cn2.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
我已经创建了用于测试的MySQL DB用户
CREATE USER 'ssl-user'@'%' identified by '123';
GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' REQUIRE X509;
FLUSH PRIVILEGES;
编辑my.cnf
[mysqld]
ssl-ca=/etc/pki/mysql_ssl/ca.pem
ssl-cert=/etc/pki/mysql_ssl/server-cert.pem
ssl-key=/etc/pki/mysql_ssl/server-key.pem
[client]
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
并重新启动mysqld ...
我试图从shell连接
mysql -ussluser -p123123123 --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
始终获得ssluser@localhost的访问被拒绝(使用密码:是)。
我还试图使用我们购买的WildCard Comodo证书来仅限连接(但不验证客户端)但没有成功。
我有点困惑,因为我知道很多人实际上都在使用MySQL SSL,但我仍然无法让它工作。 任何帮助都会得到很多赞赏。