How SSL works in https and MySQL, sslmysql

Source: Internet
Author: User
Tags ssl connection asymmetric encryption

How SSL works in https and MySQL, sslmysql

I have known about the HTTPS communication process before. HTTPS is a version that uses SSL encryption for the HTTP protocol and adds the SSL protocol between TCP and HTTP. Authenticate the identities of both parties in the handshake phase and negotiate the symmetric key to encrypt the communication information. Here, only common one-way server verification is described. The general process is described as follows:

0: the Web server submits its public key and Web information to the authoritative CA. After the CA confirms the information, it uses its private key to sign the digest of the Web Information and Public Key, make a digital certificate to the Web server;
The client Web browser installs the root certificate of the trusted authoritative CA in advance (unsigned certificate or self-signed certificate)
1. The client initiates a connection request to the server, and the SSL version, asymmetric encryption algorithm, symmetric encryption algorithm, and digest generation algorithm are used for negotiation. Both parties reach a consensus.
2: The Web server sends its own digital certificate to the client. The client decrypts the certificate with the CA root certificate to prove that the Web server's identity is true and that the server's public key is correct.
3: the client uses the server public key to encrypt a random number and send it to the server as the symmetric key for sending and receiving data.
4: The server uses its own private key for decryption, obtains the symmetric key, and returns ACK.
5. Start Communication between the client and the server using the symmetric key.

 

When I learned about the SSL connection configuration of MySQL, I had a question. As a trusted third party, the HTTPS CA is responsible for verifying the identity of the server, while MySQL only communicates with two parties, I have never heard of another CA. How can I use SSL?

By checking the information on the Internet, I found that I did not understand many SSL-related concepts very accurately, and I did not understand the verification methods of the previous CA. First, clarify some concepts:

Public/private key pairs: asymmetric encryption algorithm. The public key and private key appear in pairs. Use the public key to encrypt and use the private key to decrypt.

CA: a certificate authority that is trusted by both parties. If you have a public/private key pair, and the website wants to prove that you are authentic and trustworthy, but you do not trust yourself. Instead, you only trust what the CA says. Therefore, the website submits its own information and public key to the CA, the CA verifies the website information and the submitted public key, and finds it reliable. Therefore, it signs the certificate and submits it to the website to become a qualification.

Signature: others do not know my private key, but do know my public key. How can I prove that this file is authenticated? I use my own private key for encryption. If someone else successfully decrypts the key using my public key, I must know that it was my encrypted key, and someone else could not do it. Specifically, calculate the hash value for the text content, and then encrypt the hash value with your own private key. (Someone else calculates the hash value for the text content, and then compares it with the value obtained by Decryption with my private key to prove that the signature is OK)

Certificate: contains three parts: the specific information of the contact (location, domain name, organization, owner, etc.), the public key of the contact, and the signature of the authoritative CA. (Calculate the hash value based on the specific information and public key, and then encrypt the hash value with your own private key)

Root Certificate: the authoritative CA also has its own certificate (after all, the CA Public Key is required to verify the authenticity of the website Certificate). who signed the CA certificate? After all, there is no higher level. Therefore, the root certificate is unsigned or self-signed, and no one has endorsed the certificate. Therefore, it is called root, which is the starting point of the trust chain.

 

Let's look at the SSL connection configuration of MySQL and think about the SSL communication process to understand why these files are needed (Here we describe the SSL one-way authentication mode)

MySQL server needs to configure 3 files: ssl-ca.pem, ssl-key.pem, ssl-cert.pem

Files required for client connection: ssl-ca.pem

The ssl-ca.pem acts as a trusted third party, the CA root certificate, the file contains the CA information and public key, the client and server have.

1. The client initiates a connection request to the MySQL server. Both parties negotiate the encryption algorithm and SSL version.

2. the server sends its own certificate (ssl-cert.pem content, CA signature) to the client, and the client decrypts it with the public key of the ssl-ca.pem to confirm that the server identity and public key are true.

3. The client generates random numbers as symmetric encryption keys, which are encrypted with the server's public key and sent to the server

4. The server uses its own private key (ssl-key.pem) decryption, get this random number, return ACK

5. Both parties use random numbers as keys for symmetric encryption and communication

 

The same is true for other application-layer protocols that use SSL for communication. If there is any inaccuracy, please leave a correct message and thank you.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.