如何知道与数据库的连接是否使用SSL

时间:2016-05-19 07:58:50

标签: php mysql ssl mysqli

我在PHP上使用mysqli连接到mysql数据库。数据库与ssl都没有打开连接。 我已经制作了这段代码:

$db = mysqli_init();
$db->ssl_set(NULL, NULL,'rds-combined-ca-bundle.pem',NULL,NULL);
$db->real_connect($hostname,$username,$password,$database);
$res = $db->query('SHOW TABLES;');
print_r ($res);
$db->close();

我得到的输出非常好,我得到了我想要的东西,但我不明白我的连接是否与SSL结合。 如果我将证书名称更改为xyzrds-combined-ca-bundle.pem,它会继续正常工作...所以我猜它只是在证书失败时打开no-ssl。

有关我如何知道我是否与SSL连接的任何线索?

非常感谢

分辨

检查它的PHP代码如下:

$db = mysqli_init();
$db->ssl_set(NULL, NULL,'rds-combined-ca-bundle.pem',NULL,NULL);
$db->real_connect($hostname,$username,$password,$database);
$res = $db->query("SHOW STATUS LIKE 'Ssl_cipher';");
while ( $row = $res->fetch_array() ) {
    print_r($row);
}
$db->close();

结果

如果正确使用证书:

Array
(
    [0] => Ssl_cipher
    [Variable_name] => Ssl_cipher
    [1] => AES256-SHA
    [Value] => AES256-SHA
)

如果您删除或遗漏证书,您将获得:

Array
(
    [0] => Ssl_cipher
    [Variable_name] => Ssl_cipher
    [1] =>
    [Value] =>
)

3 个答案:

答案 0 :(得分:2)

基于this answer,这是一个快速代码,用于检查您的连接是否基于SSL:

$res = $mysqli->query("SHOW STATUS LIKE 'Ssl_cipher'");
$row = $res->fetch_assoc();
if(empty($row['value']))
{
    echo 'No SSL';
}

答案 1 :(得分:0)

您可以为每个客户端配置SSL,这样您就可以同时拥有SSL和NON SSL连接。

您可以通过发送以下命令来配置SSL:mysql> show variables like '%ssl%';

输出应如下所示:

+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /etc/mysql/ca-cert.pem           |
| ssl_capath    |                                  |
| ssl_cert      | /etc/mysql/server-cert.pem       |
| ssl_cipher    |                                  |
| ssl_key       | /etc/mysql/server-key.pem        |
+---------------+----------------------------------+

您可以为mYSQL用户设置以下配置:

REQUIRE X509:必须使用有效的SSL证书

REQUIRE ISSUER / REQUIRE SUBJECT:必须使用具有特定ISSUER和/或SUBJECT的SSL证书

REQUIRE SSL:强制连接使用SSL,可以通过密码或有效的SSL证书进行身份验证

使用以下comamnd,您可以检查已连接客户端的状态:

mysql> SHOW STATUS LIKE 'Ssl_cipher';

输出应如下所示:

+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA | 
+---------------+--------------------+

答案 2 :(得分:0)

如果您使用的是MySQL 5.7.5或更高版本,则可以use perfomance_schema

SELECT sbt.variable_value AS tls_version,  t2.variable_value AS cipher, 
         processlist_user AS user, processlist_host AS host 
FROM performance_schema.status_by_thread  AS sbt 
   JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id 
   JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id 
WHERE sbt.variable_name = 'Ssl_version' AND t2.variable_name = 'Ssl_cipher' 
ORDER BY tls_version

收益

+-------------+--------------------+------+---------------+
| tls_version | cipher             | user | host          |
+-------------+--------------------+------+---------------+
| TLSv1.1     | DHE-RSA-AES256-SHA | root | 192.168.1.100 |
+-------------+--------------------+------+---------------+