启用mariadb上的ssl

bq3bfh9z  于 2021-06-20  发布在  Mysql
关注(0)|答案(1)|浏览(352)

我试图在docker容器中的mariadb上启用ssl,我在/etc/mysql/my.cnf文件中做了以下更改

ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem

ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem

注意:我使用了带-和\u的变量名,因为我不确定使用哪个方案
我还在上面提到的路径中提供了证书,这里是“show variables like'%ssl%';”的结果

MariaDB [(none)]> show variables like '%ssl%';
+---------------------+----------------------------+
| Variable_name       | Value                      |
+---------------------+----------------------------+
| have_openssl        | YES                        |
| have_ssl            | YES                        |
| ssl_ca              | /etc/certs/client-cert.pem |
| ssl_capath          |                            |
| ssl_cert            | /etc/certs/server-cert.pem |
| ssl_cipher          |                            |
| ssl_crl             |                            |
| ssl_crlpath         |                            |
| ssl_key             | /etc/certs/server-key.pem  |
| version_ssl_library | OpenSSL 1.1.0g  2 Nov 2017 |
+---------------------+----------------------------+
10 rows in set (0.001 sec)

但这是我在mysql命令行上运行“status”命令时得到的结果

MariaDB [(none)]> status
--------------
mysql  Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          42
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.9-MariaDB-1:10.3.9+maria~bionic mariadb.org binary distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 5 min 52 sec

它说ssl没有被使用,现在我不确定ssl是否被启用,或者我是否丢失了任何标志?我怎样才能知道它是否被启用?
这是完整的my.cnf文件


# MariaDB database server configuration file.

# 

# You can copy this file to one of:

# - "/etc/mysql/my.cnf" to set global options,

# - "~/.my.cnf" to set user-specific options.

# 

# One can use all long options that the program supports.

# Run program with --help to get a list of available options and with

# --print-defaults to see which it would actually understand and use.

# 

# For explanations see

# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients

# It has been reported that passwords should be enclosed with ticks/quotes

# escpecially if they contain "#" chars...

# Remember to edit /etc/mysql/debian.cnf when changing the socket location.

[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs

# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.

[mysqld_safe]
socket          = /var/run/mysqld/mysqld.sock
nice            = 0

[mysqld]

# 

# * Basic Settings

# 

# user           = mysql

pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages     = en_US
skip-external-locking

# 

# Instead of skip-networking the default is now to listen only on

# localhost which is more compatible and is not less secure.

# bind-address           = 127.0.0.1

# 

# * Fine Tuning

# 

max_connections         = 100
connect_timeout         = 5
wait_timeout            = 600
max_allowed_packet      = 16M
thread_cache_size       = 128
sort_buffer_size        = 4M
bulk_insert_buffer_size = 16M
tmp_table_size          = 32M
max_heap_table_size     = 32M

# 

# * MyISAM

# 

# This replaces the startup script and checks MyISAM tables if needed

# the first time they are touched. On error, make copy and try a repair.

myisam_recover_options = BACKUP
key_buffer_size         = 128M

# open-files-limit       = 2000

table_open_cache        = 400
myisam_sort_buffer_size = 512M
concurrent_insert       = 2
read_buffer_size        = 2M
read_rnd_buffer_size    = 1M

# 

# * Query Cache Configuration

# 

# Cache only tiny result sets, so we can fit more in the query cache.

query_cache_limit               = 128K
query_cache_size                = 64M

# for more write intensive setups, set to DEMAND or OFF

# query_cache_type               = DEMAND

# 

# * Logging and Replication

# 

# Both location gets rotated by the cronjob.

# Be aware that this log type is a performance killer.

# As of 5.1 you can enable the log at runtime!

# general_log_file        = /var/log/mysql/mysql.log

# general_log             = 1

# 

# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.

# 

# we do want to know about network errors and such

# log_warnings           = 2

# 

# Enable the slow query log to see queries with especially long duration

# slow_query_log[={0|1}]

slow_query_log_file     = /var/log/mysql/mariadb-slow.log
long_query_time = 10

# log_slow_rate_limit    = 1000

# log_slow_verbosity     = query_plan

# log-queries-not-using-indexes

# log_slow_admin_statements

# 

# The following can be used as easy to replay backup logs or for replication.

# note: if you are setting up a replication slave, see README.Debian about

# other settings you may need to change.

# server-id              = 1

# report_host            = master1

# auto_increment_increment = 2

# auto_increment_offset  = 1

# log_bin                        = /var/log/mysql/mariadb-bin

# log_bin_index          = /var/log/mysql/mariadb-bin.index

# not fab for performance, but safer

# sync_binlog            = 1

expire_logs_days        = 10
max_binlog_size         = 100M

# slaves

# relay_log              = /var/log/mysql/relay-bin

# relay_log_index        = /var/log/mysql/relay-bin.index

# relay_log_info_file    = /var/log/mysql/relay-bin.info

# log_slave_updates

# read_only

# 

# If applications support it, this stricter sql_mode prevents some

# mistakes like inserting invalid dates etc.

# sql_mode               = NO_ENGINE_SUBSTITUTION,TRADITIONAL

# 

# * InnoDB

# 

# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.

# Read the manual for more InnoDB related options. There are many!

default_storage_engine  = InnoDB

# you can't just change log file size, requires special procedure

# innodb_log_file_size   = 50M

innodb_buffer_pool_size = 256M
innodb_log_buffer_size  = 8M
innodb_file_per_table   = 1
innodb_open_files       = 400
innodb_io_capacity      = 400
innodb_flush_method     = O_DIRECT

# 

# * Security Features

# 

# Read the manual, too, if you want chroot!

# chroot = /var/lib/mysql/

# 

# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".

# 

ssl-ca=/etc/certs/client-cert.pem
ssl-cert=/etc/certs/server-cert.pem
ssl-key=/etc/certs/server-key.pem

ssl_ca=/etc/certs/client-cert.pem
ssl_cert=/etc/certs/server-cert.pem
ssl_key=/etc/certs/server-key.pem

# 

# * Galera-related settings

# 

[galera]

# Mandatory settings

# wsrep_on=ON

# wsrep_provider=

# wsrep_cluster_address=

# binlog_format=row

# default_storage_engine=InnoDB

# innodb_autoinc_lock_mode=2

# 

# Allow server to accept connections on all interfaces.

# 

# bind-address=0.0.0.0

# 

# Optional setting

# wsrep_slave_threads=1

# innodb_flush_log_at_trx_commit=0

[mysqldump]
quick
quote-names
max_allowed_packet      = 16M

[mysql]

# no-auto-rehash # faster start of mysql but no tab completion

[isamchk]
key_buffer              = 16M

# 

# * IMPORTANT: Additional settings that can override those from this file!

# The files must end with '.cnf', otherwise they'll be ignored.

# 

!include /etc/mysql/mariadb.cnf
!includedir /etc/mysql/conf.d/
rsl1atfo

rsl1atfo1#

我无法重现这个问题:

$ mysql -u user -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \! ls -alF /path/to/MariaDB/ssl/
total 20
drwxr-xr-x 2 user user  140 Jan 01 00:01 ./
drwxr-xr-x 5 user user  240 Jan 01 00:01 ../
-r-----r-- 1 user user 1273 Jan 01 00:01 ca.pem
-r-----r-- 1 user user 1143 Jan 01 00:01 client-cert.pem
-r-----r-- 1 user user 1679 Jan 01 00:01 client-key.pem
-r-----r-- 1 user user 1147 Jan 01 00:01 server-cert.pem
-r-----r-- 1 user user 1679 Jan 01 00:01 server-key.pem

MariaDB [(none)]> \! cat /path/to/MariaDB/my.cnf
...
[client]
...

## MariaDB Client Configuration ##

ssl-ca=/path/to/MariaDB/ssl/ca.pem
ssl-cert=/path/to/MariaDB/ssl/client-cert.pem
ssl-key=/path/to/MariaDB/ssl/client-key.pem

### This option is disabled by default ###

ssl-verify-server-cert
...
...
[mysqld]
...

# 

# * Security Features

# 

ssl
ssl-ca=/path/to/MariaDB/ssl/ca.pem
ssl-cert=/path/to/MariaDB/ssl/server-cert.pem
ssl-key=/path/to/MariaDB/ssl/server-key.pem
ssl-cipher=TLSv1.2
...

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          1
Current database:       
Current user:           user@localhost
SSL:                    Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 11 sec

Threads: 8  Questions: 61  Slow queries: 0  Opens: 32  Flush tables: 1  Open tables: 26  Queries per second avg: 5.545
--------------

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------------+
| Variable_name       | Value                                |
+---------------------+--------------------------------------+
| have_openssl        | YES                                  |
| have_ssl            | YES                                  |
| ssl_ca              | /path/to/MariaDB/ssl/ca.pem          |
| ssl_capath          |                                      |
| ssl_cert            | /path/to/MariaDB/ssl/server-cert.pem |
| ssl_cipher          | TLSv1.2                              |
| ssl_crl             |                                      |
| ssl_crlpath         |                                      |
| ssl_key             | /path/to/MariaDB/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.1.0g  2 Nov 2017           |
+---------------------+--------------------------------------+
10 rows in set (0.001 sec)

相关问题