我是一名unix新手,正在使用RHEL 7.2上的MariaDB Enterprise服务器,并通过RHEL 7.2客户端连接到它。我使用this guide创建了服务器和客户端所需的所有证书和密钥,这里是my.cnf的样子:
string(isExist)我停止了mysql服务并启动它:
# Example mysql config file.
# You can copy this to one of:
# /etc/my.cnf to set global options,
# /mysql-data-dir/my.cnf to get server specific options or
# ~/my.cnf for user specific options.
#
# One can use all long options that the program supports.
# Run the program with --help to get a list of available options
# This will be passed to all mysql clients
[client]
#password=my_password
#port=3306
#socket=/tmp/mysql.sock
#datadir=/var/lib/mysql
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# The MySQL server
[mysqld]
#port=3306
#socket=/var/lib/mysql/mysql.sock
temp-pool
# The following three entries caused mysqld 10.0.1-MariaDB (and possibly other versions) to abort...
# skip-locking
# set-variable = key_buffer=16M
# set-variable = thread_cache=4
loose-innodb_data_file_path = ibdata1:1000M
loose-mutex-deadlock-detector
gdb
######### Fix the two following paths
# Where you want to have your database
data=/var/lib/mysql
# Where you have your mysql/MariaDB source + sql/share/english
#language=/path/to/src/dir/sql/share/english
#language=/usr/local/mysql/share
[mysqldump]
quick
set-variable = max_allowed_packet=16M
[mysql]
no-auto-rehash
[myisamchk]
set-variable= key_buffer=128M
[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
bind-address=*
socket=/var/lib/mysql/mysql.sock
datadir=/var/lib/mysql
user=mysql
bind-address=*
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
但是,当我尝试检查SSL是否已启用时,我总是看到:
service mysql start --ssl-ca=ca-cert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem
我创建的需要ssl的用户被拒绝访问。
根据我查找的所有网站,它应该足以用这些ssl细节启动mysql服务,或者仅仅是ssl键,但没有任何效果。
我该怎么办?
答案 0 :(得分:1)
您确定每个用户都对您的凭据文件具有读取权限吗?
如果没有,chmod ugo+r /etc/mysql-ssl/*可能会有帮助。
答案 1 :(得分:1)
我已就这个问题做了自己的研究,我很惊讶。
在Fedora中启用对MariaDB的ssl支持的选项不仅被禁用,而且被削弱和混淆,完全排除了启用它的可能性,同时允许Fedora维护者拒绝他们完全缺乏支持它
请仔细注意“/usr/lib/systemd/system/mariadb.service”中的这个片段
# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=/usr/libexec/mysqld --basedir=/usr $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
特别是所有CAPS中的攻击性语言“MY_SPECIAL.conf”,以及当Fedora系统放置在记录位置时,显然故意拒绝Fedora的系统读取该配置文件。
“SELinux警报”显然是由MariaDB本身的许多零日,错误,cves和安全问题引发的(很多时候,毫无疑问是从MySQL继承而来),这可能使得不值得花时间或精力或虚假启用SSL的安全感。