I was already familiar with the HTTPS communication process: HTTPS is the SSL-encrypted version of the HTTP application protocol, with an SSL layer added between TCP and HTTP. During the handshake phase the two sides authenticate identity and negotiate a symmetric key that is then used to encrypt the communication. Only the commonly used one-way (server-only) verification is described here; the process is roughly as follows:
0: In advance, the web server submits its public key and site information to an authoritative CA. After confirming them, the CA uses its own private key to sign the digest of the site information and the public key, and issues the result to the web server as a digital certificate;
The client's web browser has the root certificate (an unsigned or self-signed certificate) of the trusted authoritative CA installed beforehand.
1: The client initiates a connection request to the server, and the two sides negotiate and agree on the SSL version, asymmetric encryption algorithm, symmetric encryption algorithm and digest algorithm to use.
2: The web server sends its digital certificate to the client. The client uses the public key in the CA's root certificate to verify the CA's signature on it, which proves the authenticity of the web server and that the server's public key is correct.
3: The client generates a random number to serve as the symmetric key for sending and receiving data, encrypts it with the server's public key, and sends it to the server.
4: The server decrypts it with its own private key, obtains the symmetric key, and returns an ACK.
5: The client and server start communicating using the symmetric key.
While learning the SSL connection configuration of MySQL, a doubt arose: HTTPS has a CA as a trusted third party responsible for confirming the server's identity, but a MySQL connection involves only two parties, and I had never heard of a CA coordinating between them, so how does SSL work there?
After searching for material online, I found that my understanding of SSL-related concepts was not very accurate, and that my earlier understanding of how CA authentication works was not correct. First, to clarify some concepts:
Public/private key pair: In an asymmetric encryption algorithm, the public key and private key come as a pair. What is encrypted with the public key is decrypted with the private key, and what is encrypted with the private key is decrypted with the public key.
CA: Certification authority, a third party trusted by both sides of the communication. It has its own public/private key pair. A site wants to prove that it is authentic, but users do not trust the site itself, only what the CA says. So the site submits its information and public key to the CA; the CA verifies the submitted site information and public key and, if they seem reliable, signs them, producing a certificate that is handed to the site as its credential.
Signature: Others do not know my private key, but they know my public key. How do I prove that a document was certified by me? I encrypt with my own private key; if others can decrypt it successfully with my public key, they know it must have been encrypted by me, because nobody else could have done it. Specifically, a hash value is first computed over the text content, and then the hash value is encrypted with my private key. (Others compute the hash value of the text content themselves and compare it with the value obtained by decrypting what my private key encrypted; if the two match, the signature is OK.)
Certificate: Contains 3 parts: the communicating party's details (location, domain name, organization, owner, etc.), the communicating party's public key, and the signature of the authoritative CA. (The CA computes a hash value over the details and the public key, then encrypts the hash value with its own private key.)
Root certificate: The authoritative CA also has its own certificate (after all, the CA's public key is needed to verify the authenticity of a website certificate). Who signs the CA's certificate? There is no higher level, so the root certificate is unsigned or self-signed; nobody endorses it. That is why it is called the root: it is the start of the chain of trust.
Now look at the SSL connection configuration of MySQL with the SSL communication process in mind, and it becomes clear why these files are needed (the SSL one-way authentication mode is described here).
The MySQL server side is configured with 3 files: ssl-ca.pem, ssl-key.pem, ssl-cert.pem
File required for the client connection: ssl-ca.pem
ssl-ca.pem plays the role of the trusted third party: it is the CA root certificate, containing the CA's information and public key, and both client and server have it.
1. The client initiates a connection request to the MySQL server, and both parties negotiate the encryption algorithm, SSL version, etc.
2. The server sends its own certificate (the content of ssl-cert.pem, signed by the CA) to the client, and the client checks it with the public key in ssl-ca.pem to confirm the server's identity and the authenticity of its public key.
3. The client generates a random number as the secret key for symmetric encryption, encrypts it with the server's public key, and sends it to the server.
4. The server decrypts it with its own private key (ssl-key.pem), obtains the random number, and returns an ACK.
5. The two sides use the random number as the key and communicate using symmetric encryption.
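The one-way flow described above for both HTTPS and MySQL, as an added example that is not part of the original post. It uses unpadded textbook RSA with constructed toy keys as a stand-in for the real certificate and key files, and all function names and the subject name are hypothetical. It shows why the client needs only the CA's public key, and that a certificate whose public key was swapped after signing is rejected.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA from two primes; returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # "encrypt the hash with the private key"

def verify(data, sig, public):
    n, e = public
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

# Constructed toy keys built from Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)  # CA_PUB ~ ssl-ca.pem
SRV_PUB, SRV_PRIV = make_key(2**61 - 1, 2**89 - 1)  # SRV_PRIV ~ ssl-key.pem

def issue_cert(subject, public):
    """Step 0: the CA signs details + public key (~ ssl-cert.pem)."""
    return {"subject": subject, "public": public,
            "sig": sign(cert_body(subject, public), CA_PRIV)}

def client_handshake(cert):
    """Steps 2-3: check the cert with the CA public key, then wrap a session key."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(body, cert["sig"], CA_PUB):
        raise ValueError("certificate was not signed by the trusted CA")
    session_key = secrets.randbits(128)
    n, e = cert["public"]
    return session_key, pow(session_key, e, n)

def server_unwrap(wrapped):
    """Step 4: the server recovers the session key with its private key."""
    n, d = SRV_PRIV
    return pow(wrapped, d, n)

CERT = issue_cert("db.example.internal", SRV_PUB)  # constructed subject name
# Same CA signature, different public key: the tampering the client must reject.
TAMPERED = dict(CERT, public=make_key(2**31 - 1, 2**61 - 1)[0])
```

Calling `client_handshake(CERT)` returns the session key and its wrapped form, which `server_unwrap` turns back into the same key; `client_handshake(TAMPERED)` raises `ValueError`.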
By extension, other application-layer protocols that communicate over SSL follow the same routine. If there are any inaccuracies, please leave a message, thank you.
On the principle of SSL in HTTPS and MySQL