如何通过 SSL 连接到 Amazon RDS? [英] How to connect to Amazon RDS via SSL?
问题描述
我正在尝试与通过 Amazon RDS 托管的 MySQL 数据库建立 SSL 连接.我对如何连接感到困惑.
I'm trying to set up an SSL connection to a MySQL database hosted via Amazon RDS. I'm confused as to how to connect.
根据亚马逊的文档,我需要下载名为rds-ca-2015-root.pem"的 CA 证书并在我的 SSL 连接中使用它.我将要连接的数据库用户设置为需要 SSL.
According to Amazon's documentation, I need to download a CA certificate called "rds-ca-2015-root.pem" and use it in my SSL connection. I set the database user that I am connecting with to require SSL.
在 PHP 中,我包含以下代码来启动连接:
In PHP, I include the code below to initiate the connection:
$mysqli = mysqli_init();
mysqli_options($mysqli, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$mysqli->ssl_set(NULL, NULL, "/path/to/pem", NULL, NULL);
$mysqli->real_connect("host", "username", "password", "name", 3306, NULL, MYSQLI_CLIENT_SSL);
但是,无论我在ssl_set()中指定哪个路径作为第三个参数(即使路径无效),SSL连接都成功建立.第三个参数不能设置为NULL.
我通过运行以下查询来验证这一点:SHOW STATUS LIKE 'Ssl_cipher';
.输出验证连接是否已加密(Ssl_cipher => AES256-SHA).
I verify this by running this query: SHOW STATUS LIKE 'Ssl_cipher';
. The output verifies that the connection is encrypted (Ssl_cipher => AES256-SHA).
有人可以向我解释这是如何工作的吗?我很困惑,当路径不正确时,连接为什么会继续成功工作.RDS服务器是如何验证的?
Could someone please explain to me how this works? I am confused as to why the connection continues to work successfully when the path is incorrect. How is the RDS server being verified?
推荐答案
尽我所知 - 如果您要求或需要与 RDS MySQL 的 SSL 连接,您将获得一个 - 无论证书的本地副本是否为有效或可读.
As best I can tell - if you ask for or require an SSL connection to RDS MySQL you will get one - regardless of whether the local copy of the certificate is valid or readable.
我在 Drupal 中使用以下配置,无论我在证书路径中的位置或内容,我都会获得 SSL 连接:
I am using the following config in Drupal and regardless of where or what I put in the cert path I get an SSL connection:
$databases['default']['default'] = [
'database' => 'drupal_db',
'username' => 'db_user',
'password' => 'db_password',
'host' => 'hostname',
'port' => '3306',
'driver' => 'mysql',
'prefix' => '',
'pdo' => array(
PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/certs/rds-combined-ca-bundle.pem',
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
),
];
但是,如果我将 MYSQL_ATTR_SSL_VERIFY_SERVER_CERT 值设置为false"我收到连接错误并且 Drupal 失败.到目前为止,我还没有找到任何解释为什么这不会验证证书和/或如何使其成功验证!
However, if I set the MYSQL_ATTR_SSL_VERIFY_SERVER_CERT value to "false" I get a connection error and Drupal fails. So far I have not been able to find any explanation of why this won't validate the certificate an/or how to make it successfully do so!
这篇关于如何通过 SSL 连接到 Amazon RDS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!