Enabling SSL on MariaDB

mepcadol, posted 2021-06-20 in Mysql

I'm trying to enable SSL on MariaDB running in a Docker container. I made the following changes in the /etc/mysql/my.cnf file:

  ssl-ca=/etc/certs/client-cert.pem
  ssl-cert=/etc/certs/server-cert.pem
  ssl-key=/etc/certs/server-key.pem
  ssl_ca=/etc/certs/client-cert.pem
  ssl_cert=/etc/certs/server-cert.pem
  ssl_key=/etc/certs/server-key.pem

Note: I used the variable names with both - and _ because I'm not sure which scheme to use.
I also placed the certificates at the paths mentioned above. Here is the result of "show variables like '%ssl%';":

  MariaDB [(none)]> show variables like '%ssl%';
  +---------------------+----------------------------+
  | Variable_name       | Value                      |
  +---------------------+----------------------------+
  | have_openssl        | YES                        |
  | have_ssl            | YES                        |
  | ssl_ca              | /etc/certs/client-cert.pem |
  | ssl_capath          |                            |
  | ssl_cert            | /etc/certs/server-cert.pem |
  | ssl_cipher          |                            |
  | ssl_crl             |                            |
  | ssl_crlpath         |                            |
  | ssl_key             | /etc/certs/server-key.pem  |
  | version_ssl_library | OpenSSL 1.1.0g  2 Nov 2017 |
  +---------------------+----------------------------+
  10 rows in set (0.001 sec)

But this is what I get when I run the "status" command on the mysql command line:

  MariaDB [(none)]> status
  --------------
  mysql  Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

  Connection id:          42
  Current database:
  Current user:           root@localhost
  SSL:                    Not in use
  Current pager:          stdout
  Using outfile:          ''
  Using delimiter:        ;
  Server:                 MariaDB
  Server version:         10.3.9-MariaDB-1:10.3.9+maria~bionic mariadb.org binary distribution
  Protocol version:       10
  Connection:             Localhost via UNIX socket
  Server characterset:    latin1
  Db     characterset:    latin1
  Client characterset:    latin1
  Conn.  characterset:    latin1
  UNIX socket:            /var/run/mysqld/mysqld.sock
  Uptime:                 5 min 52 sec

It says SSL is not in use. Now I'm not sure whether SSL is enabled, or whether I'm missing some flag. How can I find out whether it's enabled?
This is the full my.cnf file:

  # MariaDB database server configuration file.
  #
  # You can copy this file to one of:
  # - "/etc/mysql/my.cnf" to set global options,
  # - "~/.my.cnf" to set user-specific options.
  #
  # One can use all long options that the program supports.
  # Run program with --help to get a list of available options and with
  # --print-defaults to see which it would actually understand and use.
  #
  # For explanations see
  # http://dev.mysql.com/doc/mysql/en/server-system-variables.html

  # This will be passed to all mysql clients
  # It has been reported that passwords should be enclosed with ticks/quotes
  # especially if they contain "#" chars...
  # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
  [client]
  port = 3306
  socket = /var/run/mysqld/mysqld.sock

  # Here is entries for some specific programs
  # The following values assume you have at least 32M ram

  # This was formerly known as [safe_mysqld]. Both versions are currently parsed.
  [mysqld_safe]
  socket = /var/run/mysqld/mysqld.sock
  nice = 0

  [mysqld]
  #
  # * Basic Settings
  #
  # user = mysql
  pid-file = /var/run/mysqld/mysqld.pid
  socket = /var/run/mysqld/mysqld.sock
  port = 3306
  basedir = /usr
  datadir = /var/lib/mysql
  tmpdir = /tmp
  lc_messages_dir = /usr/share/mysql
  lc_messages = en_US
  skip-external-locking
  #
  # Instead of skip-networking the default is now to listen only on
  # localhost which is more compatible and is not less secure.
  # bind-address = 127.0.0.1
  #
  # * Fine Tuning
  #
  max_connections = 100
  connect_timeout = 5
  wait_timeout = 600
  max_allowed_packet = 16M
  thread_cache_size = 128
  sort_buffer_size = 4M
  bulk_insert_buffer_size = 16M
  tmp_table_size = 32M
  max_heap_table_size = 32M
  #
  # * MyISAM
  #
  # This replaces the startup script and checks MyISAM tables if needed
  # the first time they are touched. On error, make copy and try a repair.
  myisam_recover_options = BACKUP
  key_buffer_size = 128M
  # open-files-limit = 2000
  table_open_cache = 400
  myisam_sort_buffer_size = 512M
  concurrent_insert = 2
  read_buffer_size = 2M
  read_rnd_buffer_size = 1M
  #
  # * Query Cache Configuration
  #
  # Cache only tiny result sets, so we can fit more in the query cache.
  query_cache_limit = 128K
  query_cache_size = 64M
  # for more write intensive setups, set to DEMAND or OFF
  # query_cache_type = DEMAND
  #
  # * Logging and Replication
  #
  # Both location gets rotated by the cronjob.
  # Be aware that this log type is a performance killer.
  # As of 5.1 you can enable the log at runtime!
  # general_log_file = /var/log/mysql/mysql.log
  # general_log = 1
  #
  # Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
  #
  # we do want to know about network errors and such
  # log_warnings = 2
  #
  # Enable the slow query log to see queries with especially long duration
  # slow_query_log[={0|1}]
  slow_query_log_file = /var/log/mysql/mariadb-slow.log
  long_query_time = 10
  # log_slow_rate_limit = 1000
  # log_slow_verbosity = query_plan
  # log-queries-not-using-indexes
  # log_slow_admin_statements
  #
  # The following can be used as easy to replay backup logs or for replication.
  # note: if you are setting up a replication slave, see README.Debian about
  # other settings you may need to change.
  # server-id = 1
  # report_host = master1
  # auto_increment_increment = 2
  # auto_increment_offset = 1
  # log_bin = /var/log/mysql/mariadb-bin
  # log_bin_index = /var/log/mysql/mariadb-bin.index
  # not fab for performance, but safer
  # sync_binlog = 1
  expire_logs_days = 10
  max_binlog_size = 100M
  # slaves
  # relay_log = /var/log/mysql/relay-bin
  # relay_log_index = /var/log/mysql/relay-bin.index
  # relay_log_info_file = /var/log/mysql/relay-bin.info
  # log_slave_updates
  # read_only
  #
  # If applications support it, this stricter sql_mode prevents some
  # mistakes like inserting invalid dates etc.
  # sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
  #
  # * InnoDB
  #
  # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
  # Read the manual for more InnoDB related options. There are many!
  default_storage_engine = InnoDB
  # you can't just change log file size, requires special procedure
  # innodb_log_file_size = 50M
  innodb_buffer_pool_size = 256M
  innodb_log_buffer_size = 8M
  innodb_file_per_table = 1
  innodb_open_files = 400
  innodb_io_capacity = 400
  innodb_flush_method = O_DIRECT
  #
  # * Security Features
  #
  # Read the manual, too, if you want chroot!
  # chroot = /var/lib/mysql/
  #
  # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
  #
  ssl-ca=/etc/certs/client-cert.pem
  ssl-cert=/etc/certs/server-cert.pem
  ssl-key=/etc/certs/server-key.pem
  ssl_ca=/etc/certs/client-cert.pem
  ssl_cert=/etc/certs/server-cert.pem
  ssl_key=/etc/certs/server-key.pem
  #
  # * Galera-related settings
  #
  [galera]
  # Mandatory settings
  # wsrep_on=ON
  # wsrep_provider=
  # wsrep_cluster_address=
  # binlog_format=row
  # default_storage_engine=InnoDB
  # innodb_autoinc_lock_mode=2
  #
  # Allow server to accept connections on all interfaces.
  #
  # bind-address=0.0.0.0
  #
  # Optional setting
  # wsrep_slave_threads=1
  # innodb_flush_log_at_trx_commit=0

  [mysqldump]
  quick
  quote-names
  max_allowed_packet = 16M

  [mysql]
  # no-auto-rehash # faster start of mysql but no tab completion

  [isamchk]
  key_buffer = 16M

  #
  # * IMPORTANT: Additional settings that can override those from this file!
  #   The files must end with '.cnf', otherwise they'll be ignored.
  #
  !include /etc/mysql/mariadb.cnf
  !includedir /etc/mysql/conf.d/
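Two things the configuration above gets wrong or leaves out are worth making explicit. The server's `ssl-ca` must point at the CA certificate, not at the client certificate, because that file is the trust anchor the server validates client certificates against. And the `[client]` section carries no ssl options at all: a MariaDB 10.3 `mysql` client that is not told to use TLS connects in plaintext even when the server offers it, and `have_ssl = YES` in the output above already says the server side is ready. The following POSIX shell script is an added example, not part of the original question or of the Debian stock my.cnf: it builds a private CA plus server and client certificates with the `openssl` CLI, checks the chain and the key permissions, and prints the two my.cnf fragments that use them. The directory, the hostname `mariadb`, the certificate subjects and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or the Debian stock my.cnf.
# Builds a private CA plus server and client certificates for MariaDB,
# checks the chain and key permissions, and prints the my.cnf fragments
# that use them. Directory, hostname "mariadb", subjects and lifetimes are
# assumptions; requires the openssl CLI.
set -eu

make_pki() {
  dir=$1
  mkdir -p "$dir"
  # 1. Private CA. Its certificate is what ssl-ca must name on BOTH sides;
  #    the client certificate is not a trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-mariadb-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # 2. Server certificate. CN/SAN must match the name clients pass to -h,
  #    or ssl-verify-server-cert will (correctly) refuse the connection.
  printf 'subjectAltName=DNS:mariadb\n' > "$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mariadb" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server-cert.pem" 2>/dev/null
  # 3. Client certificate, for accounts that are granted REQUIRE X509.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app-client" \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -out "$dir/client-cert.pem" 2>/dev/null
  # 4. Private keys are secrets: owner-read only. On the server, chown
  #    server-key.pem to the account mysqld runs as (usually mysql).
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"
  rm -f "$dir"/*.csr "$dir/server.ext"
}

# Prints "ok" when both leaf certificates chain to ca.pem and no private key
# is readable by group or others; otherwise prints what is wrong.
verify_pki() {
  dir=$1
  for leaf in server-cert client-cert; do
    openssl verify -CAfile "$dir/ca.pem" "$dir/$leaf.pem" >/dev/null 2>&1 \
      || { echo "$leaf.pem does not chain to ca.pem"; return 0; }
  done
  for key in ca-key server-key client-key; do
    if [ -n "$(find "$dir/$key.pem" -perm -040)$(find "$dir/$key.pem" -perm -004)" ]; then
      echo "$key.pem is readable by group or others"; return 0
    fi
  done
  # The question's ssl-ca=client-cert.pem: a client cert does not validate
  # the server cert, so it must not be used as the CA.
  if openssl verify -CAfile "$dir/client-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1; then
    echo "client-cert.pem unexpectedly validates server-cert.pem"; return 0
  fi
  echo ok
}

# The two my.cnf fragments. Without the [client] block the mysql CLI connects
# in plaintext even though the server is TLS-ready (have_ssl = YES).
write_cnf() {
  dir=$1
  cat <<EOF
[mysqld]
ssl-ca=$dir/ca.pem
ssl-cert=$dir/server-cert.pem
ssl-key=$dir/server-key.pem

[client]
ssl-ca=$dir/ca.pem
ssl-cert=$dir/client-cert.pem
ssl-key=$dir/client-key.pem
ssl-verify-server-cert
EOF
}

# Usage: sh mariadb-pki.sh /etc/certs   (as root, then restart mariadb)
if [ -n "${1:-}" ]; then
  make_pki "$1"
  verify_pki "$1"
  write_cnf "$1"
fi
```

After running it against /etc/certs and restarting the server, confirm that a session is really encrypted rather than trusting `SHOW VARIABLES`: connect over TCP with the `[client]` options in place, e.g. `mysql --protocol=TCP -h mariadb -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"` (hostname assumed); an empty value means the session is plaintext no matter what the server variables say.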

0wi1tuuw, answer #1:

I can't reproduce the problem:

  $ mysql -u user -p
  Enter password:
  Welcome to the MariaDB monitor.  Commands end with ; or \g.
  Your MariaDB connection id is 1
  Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution

  Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

  Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

  MariaDB [(none)]> \! ls -alF /path/to/MariaDB/ssl/
  total 20
  drwxr-xr-x 2 user user  140 Jan 01 00:01 ./
  drwxr-xr-x 5 user user  240 Jan 01 00:01 ../
  -r-----r-- 1 user user 1273 Jan 01 00:01 ca.pem
  -r-----r-- 1 user user 1143 Jan 01 00:01 client-cert.pem
  -r-----r-- 1 user user 1679 Jan 01 00:01 client-key.pem
  -r-----r-- 1 user user 1147 Jan 01 00:01 server-cert.pem
  -r-----r-- 1 user user 1679 Jan 01 00:01 server-key.pem
  MariaDB [(none)]> \! cat /path/to/MariaDB/my.cnf
  ...
  [client]
  ...
  ## MariaDB Client Configuration ##
  ssl-ca=/path/to/MariaDB/ssl/ca.pem
  ssl-cert=/path/to/MariaDB/ssl/client-cert.pem
  ssl-key=/path/to/MariaDB/ssl/client-key.pem
  ### This option is disabled by default ###
  ssl-verify-server-cert
  ...
  ...
  [mysqld]
  ...
  #
  # * Security Features
  #
  ssl
  ssl-ca=/path/to/MariaDB/ssl/ca.pem
  ssl-cert=/path/to/MariaDB/ssl/server-cert.pem
  ssl-key=/path/to/MariaDB/ssl/server-key.pem
  ssl-cipher=TLSv1.2
  ...
  MariaDB [(none)]> \s
  --------------
  mysql  Ver 15.1 Distrib 10.3.9-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

  Connection id:          1
  Current database:
  Current user:           user@localhost
  SSL:                    Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
  Current pager:          stdout
  Using outfile:          ''
  Using delimiter:        ;
  Server:                 MariaDB
  Server version:         10.3.9-MariaDB-1:10.3.9+maria~bionic-log mariadb.org binary distribution
  Protocol version:       10
  Connection:             Localhost via UNIX socket
  Server characterset:    utf8
  Db     characterset:    utf8
  Client characterset:    utf8
  Conn.  characterset:    utf8
  UNIX socket:            /var/run/mysqld/mysqld.sock
  Uptime:                 11 sec

  Threads: 8  Questions: 61  Slow queries: 0  Opens: 32  Flush tables: 1  Open tables: 26  Queries per second avg: 5.545
  --------------

  MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
  +---------------------+--------------------------------------+
  | Variable_name       | Value                                |
  +---------------------+--------------------------------------+
  | have_openssl        | YES                                  |
  | have_ssl            | YES                                  |
  | ssl_ca              | /path/to/MariaDB/ssl/ca.pem          |
  | ssl_capath          |                                      |
  | ssl_cert            | /path/to/MariaDB/ssl/server-cert.pem |
  | ssl_cipher          | TLSv1.2                              |
  | ssl_crl             |                                      |
  | ssl_crlpath         |                                      |
  | ssl_key             | /path/to/MariaDB/ssl/server-key.pem  |
  | version_ssl_library | OpenSSL 1.1.0g  2 Nov 2017           |
  +---------------------+--------------------------------------+
  10 rows in set (0.001 sec)
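The answer's `\s` output shows the check that actually matters: the `SSL:` line describes the current session, whereas `SHOW VARIABLES LIKE '%ssl%'` only describes what the server offers. Both the question's and the answer's sessions run over the UNIX socket, so the transport is not what differs; the `[client]` ssl options are. Two caveats a practitioner will want alongside the answer, neither of which is in the original post: in MariaDB 10.3, `ssl-cipher=TLSv1.2` is an OpenSSL cipher-list string (it selects the cipher suites defined for TLS 1.2) rather than a protocol pin; restricting the protocol version needs the `tls_version` variable that arrived in MariaDB 10.4.6. And the `ls -alF` listing shows `-r-----r--` on client-key.pem and server-key.pem, which leaves the private keys world-readable; they should be mode 0400 and owned by the account the server runs as. The script below is an added example, not from the answer: it turns the session-status check into something scriptable, runs it over constructed samples (a plaintext session, the answer's TLS 1.2 session, and a legacy-protocol session), and shows the per-account `REQUIRE SSL` that makes the server refuse plaintext logins regardless of client flags. Host, account name and CA path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Decides from the session
# status whether the current MariaDB connection is actually protected by
# TLS 1.2 or 1.3. Input is what this command produces, read on stdin:
#   mysql --batch --skip-column-names -e "SHOW SESSION STATUS LIKE 'Ssl_%'"
# i.e. tab-separated "name<TAB>value" lines.
set -eu

# Prints "yes" only when a cipher was negotiated on TLS 1.2/1.3, else "no".
# An empty Ssl_cipher is the status-variable form of "SSL: Not in use".
tls_ok() {
  awk -F'\t' '
    $1 == "Ssl_cipher"  { cipher  = $2 }
    $1 == "Ssl_version" { version = $2 }
    END {
      if (cipher != "" && (version == "TLSv1.2" || version == "TLSv1.3"))
        print "yes"
      else
        print "no"
    }'
}

# Constructed samples standing in for live server output.
sample_plain()  { printf 'Ssl_cipher\t\nSsl_version\t\n'; }                                   # plaintext session
sample_tls()    { printf 'Ssl_cipher\tECDHE-RSA-AES256-GCM-SHA384\nSsl_version\tTLSv1.2\n'; } # like the answer
sample_legacy() { printf 'Ssl_cipher\tAES128-SHA\nSsl_version\tTLSv1\n'; }                    # encrypted, but TLS 1.0

check_plain()  { sample_plain  | tls_ok; }   # -> no
check_tls()    { sample_tls    | tls_ok; }   # -> yes
check_legacy() { sample_legacy | tls_ok; }   # -> no

# Live check (not run here; host and CA path are assumptions): force TCP so
# the socket is not picked silently, force TLS, and verify the server cert.
live_check() {
  mysql --protocol=TCP -h "${1:-127.0.0.1}" --ssl \
        --ssl-ca=/etc/certs/ca.pem --ssl-verify-server-cert \
        --batch --skip-column-names \
        -e "SHOW SESSION STATUS LIKE 'Ssl_%'" | tls_ok
}

# Server-side enforcement for one account (hypothetical name): the server
# then rejects a plaintext login for it whatever the client's flags are.
require_tls_sql() {
  printf "ALTER USER '%s'@'%s' REQUIRE SSL;\n" "$1" "$2"
}

printf 'plaintext: %s\nanswer TLS1.2: %s\nlegacy TLS1.0: %s\n' \
  "$(check_plain)" "$(check_tls)" "$(check_legacy)"
require_tls_sql app 'localhost'
```

`REQUIRE SSL` is per account; `REQUIRE X509` additionally demands a client certificate signed by the server's `ssl-ca`, which is where the client certificate from the answer's `[client]` block comes into play. A server-wide switch (`require_secure_transport`) only exists from MariaDB 10.5 onward, so on 10.3 the account-level requirement is the way to make the server, not the client, decide.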
