Home > Developer > MySQL

SSL encryption method for MySQL 5.7

Source: Internet
Author: User
Tags openssl openssl version
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

SSL encryption method for MySQL 5.7



MySQL 5.7.6 or later

(1) Create a certificate to turn on SSL authentication
--Installing OpenSSL
Yum Install-y OpenSSL
OpenSSL version
OpenSSL 1.0.1e-fips 2013

--Installation Certificate
/usr/local/mysql/bin/mysql_ssl_rsa_setup--datadir=/data/mysql/mysql3306/data


--Modify Permissions
Chown-r Mysql:mysql/data/mysql/mysql3306/data


Pwd
/data/mysql/mysql3306/data
[Email protected]_45_133_centos Wed June 10:51:22 data]# ll
Total 1024072
-rw-r-----1 mysql mysql, 17:56 auto.cnf
-RW-------1 root root 1679 June 10:48 Ca-key.pem
-rw-r--r--1 root root 1074 June 10:48 Ca.pem
-rw-r--r--1 root root 1078 June 10:48 Client-cert.pem
-RW-------1 root root 1679 June 10:48 Client-key.pem
-rw-r-----1 mysql mysql 672 June 10:47 Ib_buffer_pool
-rw-r-----1 mysql mysql 1048576000 June 10:47 ibdata1
Drwxr-x---2 mysql mysql 4096 June 17:57 MySQL
Drwxr-x---2 mysql mysql 4096 June 17:57 Performance_schema
-RW-------1 root root 1679 June 10:48 Private_key.pem
-rw-r--r--1 root root 451 June 10:48 Public_key.pem
Drwxr-x---2 mysql mysql 4096 June 10:48 School
-rw-r--r--1 root root 1078 June 10:48 Server-cert.pem
-RW-------1 root root 1675 June 10:48 Server-key.pem
Drwxr-x---2 mysql mysql 12288 June 17:57 Sys
-rw-r-----1 mysql mysql 418 June 14:14 Vm_45_133_centos.log

Certificate required for client connection, of course, no certificate is allowed
-rw-r--r--1 root root 1074 June 10:48 Ca.pem
-rw-r--r--1 root root 1078 June 10:48 Client-cert.pem
-RW-------1 root root 1679 June 10:48 Client-key.pem
-RW-------1 root root 1679 June 10:48 Private_key.pem

Certificates on the server
-rw-r--r--1 root root 1074 June 10:48 Ca.pem
-RW-------1 root root 1679 June 10:48 Ca-key.pem
-rw-r--r--1 root root 451 June 10:48 Public_key.pem
-rw-r--r--1 root root 1078 June 10:48 Server-cert.pem
-RW-------1 root root 1675 June 10:48 Server-key.pem

--Modify MY.CNF
######## #SSL #############
Ssl-ca =/data/mysql/mysql3306/data/ca.pem
Ssl-cert =/data/mysql/mysql3306/data/server-cert.pem
Ssl-key =/data/mysql/mysql3306/data/server-key.pem



(2) Restart MySQL
/etc/init.d/mysql stop
/etc/init.d/mysql start



--View SSL parameter status, view Have_ssl, yes, this means that SSL is already supported
Show global variables like '%ssl% ';
+---------------+--------------------------------------------+
| variable_name | Value |
+---------------+--------------------------------------------+
| Have_openssl | YES |
| Have_ssl | YES |
| Ssl_ca | /data/mysql/mysql3306/data/ca.pem |
|                                            Ssl_capath | |
| Ssl_cert | /data/mysql/mysql3306/data/server-cert.pem |
|                                            Ssl_cipher | |
|                                            SSL_CRL | |
|                                            Ssl_crlpath | |
| Ssl_key | /data/mysql/mysql3306/data/server-key.pem |
+---------------+--------------------------------------------+



Show global status like '%ssl% ';
+--------------------------------+--------------------------+
| variable_name | Value |
+--------------------------------+--------------------------+
| Com_show_processlist | 0 |
| Ssl_accept_renegotiates | 0 |
| ssl_accepts | 0 |
| Ssl_callback_cache_hits | 0 |
|                          Ssl_cipher | |
|                          Ssl_cipher_list | |
| ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| ssl_ctx_verify_depth | 0 |
| Ssl_ctx_verify_mode | 0 |
| Ssl_default_timeout | 0 |
| ssl_finished_accepts | 0 |
| ssl_finished_connects | 0 |
| Ssl_server_not_after | June 02:48:05 2027 GMT |
| Ssl_server_not_before | June 02:48:05 GMT |
| Ssl_session_cache_hits | 0 |
| ssl_session_cache_misses | 0 |
| Ssl_session_cache_mode | Unknown |
| Ssl_session_cache_overflows | 0 |
| Ssl_session_cache_size | 0 |
| ssl_session_cache_timeouts | 0 |
| ssl_sessions_reused | 0 |
| ssl_used_session_cache_entries | 0 |
| ssl_verify_depth | 0 |
| Ssl_verify_mode | 0 |
|                          ssl_version | |
+--------------------------------+--------------------------+



See how SSL is encrypted
Show global variables like ' tls_version ';
+---------------+---------------+
| variable_name | Value |
+---------------+---------------+
| tls_version | tlsv1,tlsv1.1 |
+---------------+---------------+




(3) Configuring SSL Users
Canceling SSL authentication
Grant all privileges on * * to [email protected] '% ' identified by ' 123456 ' require none;
alter user [email protected] '% ' require none;
--Mandatory SSL authentication, even if mandatory SSL is set, the use of--ssl-mode=disable can still avoid SSL authentication at login time
Grant all privileges on * * to [email protected] '% ' identified by ' 123465 ' require SSL;
alter user [email protected] '% ' require SSL;



See if forcing users to use SSL is turned on
Select User,host,ssl_type,ssl_cipher from Mysql.user;
+-----------+-----------+----------+------------+
| user | Host | Ssl_type | Ssl_cipher |
+-----------+-----------+----------+------------+
| Root |          %         |            | |
| Mysql.sys |          localhost |            | |
| Abcssl | %         |            any | |
+-----------+-----------+----------+------------+


(4) When connecting to the database, bring SSL
Do not specify the client certificate method
5.6
--ssl 、--Disable-ssl 、--skip-ssl: In mysql5.7 is the option to be discarded, the future version is no longer supported, the--ssl-mode option is recommended,
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--ssl defaults to 1
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--ssl=0
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--ssl=1 defaults to 1
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--disable-ssl
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--skip-ssl

5.7
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--ssl-mode=disable
/usr/local/mysql/bin/mysql-uroot-p-h127.0.0.1--ssl-mode=required Default required

Connecting from another machine can also be SSL encrypted, indicating that you do not need to install the client certificate
/usr/local/mysql/bin/mysql-uroot-p-h10.105.45.133--ssl-mode=required



Specify the client certificate method, 5.6 of the way, 5.7 can also be used
/usr/local/mysql/bin/mysql--SSL-CA=/DATA/MYSQL/MYSQL3306/DATA/CA.PEM \
--SSL-CERT=/DATA/MYSQL/MYSQL3306/DATA/CLIENT-CERT.PEM \
--SSL-KEY=/DATA/MYSQL/MYSQL3306/DATA/CLIENT-KEY.PEM \
-uroot-p-h127.0.0.1



(5) Connect to verify that the connection is using SSL
\s = = Status
--------------
/usr/local/mysql/bin/mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_64) using Editline Wrapper client version

Connection id:69
Current database:
Current User: [email protected]
Ssl:cipher in use is Dhe-rsa-aes256-sha
Current Pager:stdout
Using outfile: '
Using delimiter:;
Server Version:5.7.18-log MySQL Community Server (GPL)
Protocol version:10
connection:127.0.0.1 via TCP/IP
Server CHARACTERSET:UTF8MB4
Db CHARACTERSET:UTF8MB4
Client Characterset:utf8
Conn. Characterset:utf8
TCP port:3306
uptime:28 min sec

Threads:2 questions:1755 Slow queries:0 opens:114 Flush tables:1 Open tables:102 queries per second avg:1.036
--------------











Workarounds for JDBC Clients
Add Ssl=true or False to the connection string URL:
Url=jdbc:mysql://127.0.0.1:3306/framework?characterencoding=utf8&usessl=true





SSL encryption method for MySQL 5.7

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
aes encryption method wordpress encryption method php soapclient ssl method for method ssl certificate encryption ssl vs encryption ssl encryption algorithm

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More