我已经在这上面敲了几天,我真的在绳子的尽头...
我试图在ubuntu 14.04上运行的MySQL 5.7.10上设置SSL连接,无论我做什么,在尝试连接时,始终拒绝使用SSL的用户拒绝访问。
我能够在Windows(我们的开发机器)上轻松设置SSL,但是因为我的爱不能让它在Linux上运行。
我尝试使用安装MySQL时提供的证书(位于/ var / lib / mysql目录中)。我还尝试使用this procedure生成新的。我甚至尝试导入我在Windows上使用MySQL Workbench生成的证书(实际上在Windows上工作的证书),但没有任何作用。
启动MySQL时,SSL似乎没问题,因为我只能在/var/log/mysql/err.log中找到它
2015-12-17T18:25:32.687582Z 0 [Warning] CA certificate /var/lib/mysql/ca.pem is self signed.
MySQL中的SSL已启用
mysql> SHOW VARIABLES LIKE '%SSL%';
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
我已将路径放到/etc/mysql/my.cnf中的服务器和客户端证书
[client]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
[mysqld]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
我甚至试图禁用appArmor for mysql以防万一,我尝试连接需要ssl的测试用户时得到sema结果:
CREATE USER 'test'@'localhost' IDENTIFIED BY 'test';
GRANT USAGE ON *.* TO 'test'@'localhost' REQUIRE ssl;
FLUSH PRIVILEGES;
尝试连接时:
> /usr/bin$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
手动指定客户端证书时也是如此:
> mysql --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --host=localhost --user=test --password
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
有人有任何想法吗?我不明白为什么在windows上工作正常的setuyp会让我对linux感到悲伤。
有没有办法进一步调试?
Thansk提前 / Sebas
答案 0 :(得分:0)
我的测试:
error.log中:
[Warning] CA certificate ca.pem is self signed.
$ sudo mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10 |
+-----------+
1 row in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+-----------------+
| Variable_name | Value |
+---------------+-----------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | ca.pem |
| ssl_capath | |
| ssl_cert | server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | server-key.pem |
+---------------+-----------------+
9 rows in set (0.00 sec)
mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
$ mysql -u test -p --ssl
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value |
+---------------+---------+
| Ssl_version | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)
更新:测试详情。
mysqld.cnf:
[client]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
[mysqld]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem
是的,证书是由MySQL自动生成的。见6.3.13 Creating SSL and RSA Certificates and Keys。检查安全权限以访问证书。
error.log中:
[Warning] CA certificate /var/lib/mysql/ca.pem is self signed.
$ sudo mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10 |
+-----------+
1 row in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ca.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /var/lib/mysql/server-key.pem |
+---------------+--------------------------------+
9 rows in set (0,01 sec)
mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
$ mysql -u test -p --ssl
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value |
+---------------+---------+
| Ssl_version | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)