MYSQL远程连接需要SSL [英] MYSQL remote connection require SSL
问题描述
我正在尝试为自己清除一些信息,这些信息涉及到MYSQL的远程SSL连接.特别是,一旦我将MYSQL设置为启用SSL并有一个需要SSL的远程用户.
I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL setup to enable SSL and have a remote user that requires SSL.
这是我与需要SSL的用户远程连接(命令行)到MYSQL的方式:
This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca/path/to/ca.pem
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
我的问题是:为什么我必须提供ca.pem文件作为客户端?
My question is: Why do I have to provide the ca.pem file as the client?
这些是我在服务器上安装mysql并设置远程访问(Ubuntu)所采取的步骤:
These are the steps I took to install mysql on the server and setup remote access (Ubuntu):
1)获取我的证书颁发机构证书,数据库证书,数据库密钥
1) Obtain my Certificate Authority cert, Database cert, Database key
- ca.pem(证书颁发机构证书)
- dbcert.pem(数据库证书)
- dbkey.pem(数据库密钥)
2)在[mysqld]
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca =/path/to/ca.pem
ssl-cert =/path/to/dbcert.pem
ssl-key =/path/to/dbkey.pem
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3)重新启动mysql并通过登录并键入以下命令来确认已启用ssl:
3) Restart mysql and confirm ssl enabled by logging in and typing following:
显示类似'%ssl%'的变量;
show variables like '%ssl%';
1)在/etc/mysql/my.cnf
#bind-address
#skip-networking
#bind-address
#skip-networking
2)登录mysql并授予用户访问权限,在这种情况下,将访问每个数据库
2) Login to mysql and grant a user access to, in this case, every database
在.上将所有特权授予用户名" @%"(由密码"识别)需要SSL
GRANT ALL PRIVILEGES ON . to 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL
这时,我已经设置了MYSQL以启用SSL&&我有一个需要SSL登录的远程用户.我可以在远程命令行上登录,但是我需要指定--ssl-ca.
At this point, I have MYSQL setup to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but i need to specify the --ssl-ca.
为什么我必须从客户端提供ssl-ca?有没有办法做到这一点,而不必这样做?
我真的很感谢您的一些见解.
I would really appreciate some insight here.
谢谢.
推荐答案
与典型的Web浏览器不同,像mysql
这样的命令行工具没有内置的证书颁发机构列表.浏览器带有内置的证书颁发机构列表,您可以隐式地信任它们(无论您是否知道).
Unlike your typical web browser, a commandline tool like mysql
doesn't have a built-in list of certificate authorities. Browsers come with a built in list of certification authorities, and you implicitly trust them (whether you know it or not).
使用mysql
登录到支持加密的MySQL服务器时,该服务器将向您提供证书的公共部分.要完成安全握手,您的客户端需要验证服务器证书是否由受信任的证书颁发机构签名.否则,它将不得不说:嘿,这看起来像是格式正确的证书,但我从未听说过ca对其进行签名."
When you use mysql
to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the ca signing it."
对于Hibernate/JDBC/TLS,一些搜索引擎的工作会提出一些有用的建议.这一切都是关于在配置中设置正确的属性.
For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
http://razorsql.com/articles/mysql_ssl_jdbc.html
如何可以将Hibernate配置为使用SSL与数据库服务器通信吗?
这篇关于MYSQL远程连接需要SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!