背景:
如果在外网访问或复制数据,安全风险会被放大很多。由于项目的需要,需要直接与外部网络的实例同步。因此,本文引入SSL加密复制的方法,进一步提高数据的安全性。本文将一起介绍MySQL和MariaDB。
环境建设:
默认情况下,ssl是关闭的。如果have_ssl显示NO,说明数据库不支持ssl,需要重新编译安装才能支持。它显示为禁用以支持SSL,但并未打开。
>show variables like '%ssl%'; +---------------+----------+| Variable_name | Value |+---------------+----------+| have_openssl | DISABLED || have_ssl | DISABLED || ssl_ca | || ssl_capath | || ssl_cert | || ssl_cipher | || ssl_key | |+---------------+----------+现在打开SSL,并添加:
ssl重新启动数据库并再次检查:
show variables like '%ssl%';+---------------+-------+| Variable_name | Value |+---------------+-------+| have_openssl | YES || have_ssl | YES || ssl_ca | || ssl_capath | || ssl_cert | || ssl_cipher | || ssl_key | |+---------------+-------+接下来是配置SSL的关键点:
1:在主服务器上创建CA证书:
openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem2:在主服务器上创建服务器的证书:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem3:在主服务器上创建客户端的证书:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem以上 *** 作都是在master上进行的,都是在/etc/mysql/目录下进行的。这里需要注意的是,MySQL不同于MariaDB:
MySQL在生成上述证书时需要输入大量的用户信息。在CA上创建证书时,所有用户信息都要和CA中的一致,从国家到部门,否则会导致证书无法使用。默认按回车即可。如果用户信息相同,MariaDB将报告一个错误:
和
[ERROR] Slave I/O: error connecting to master ... - retry-time: 60 retries: 86400 message: SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, Internal MariaDB error code: 2026MariaDB在生成上述证书时还需要输入大量的用户信息。不像MySQL,输入用户信息服务器和客户端不能一致。也就是说,服务器输入不同于客户端输入。具体原因看到这里,最后可以通过:
openssl verify -CAfile /etc/mysql/ca-cert.pem /etc/mysql/server-cert.pem /etc/mysql/client-cert.pem验证MariaDB证书的有效性。好了,所有的证书都已经生成,所以您需要修改主服务器上的配置文件来配置生成的证书:
ssl-ca=/etc/mysql/ca-cert.pem ssl-cert=/etc/mysql/server-cert.pem ssl-key=/etc/mysql/server-key.pem并将生成的证书ca-cert.pem、client-cert.pem和client-key.pem复制到从属服务器。
重启主服务器并检查SSL状态:
>show variables like '%ssl%';+---------------+----------------------------+| Variable_name | Value |+---------------+----------------------------+| have_openssl | DISABLED || have_ssl | DISABLED || ssl_ca | /etc/mysql/ca-cert.pem || ssl_capath | || ssl_cert | /etc/mysql/server-cert.pem || ssl_cipher | || ssl_key | /etc/mysql/server-key.pem |+---------------+----------------------------+发现Have_ssl被禁用。检查错误日志:
SSL error: Unable to get private key from '/etc/mysql/server-key.pem'141229 11:09:02 [Warning] Failed to setup SSL141229 11:09:02 [Warning] SSL error: Unable to get private key发现服务器的密钥不可用,在网上找到解决办法。可以自己看:http://askubuntu.com/questions/194074/enabling-SSL-in-MySQL,一般是openssl新版本的变化造成的。以下是重新生成服务器密钥的两种解决方案。pem:
方法1:OpenSSLRSA
openssl rsa -in server-key.pem -out server-key.pem再次检查SSL:
>show variables like '%ssl%';+---------------+----------------------------+| Variable_name | Value |+---------------+----------------------------+| have_openssl | YES || have_ssl | YES || ssl_ca | /etc/mysql/ca-cert.pem || ssl_capath | || ssl_cert | /etc/mysql/server-cert.pem || ssl_cipher | || ssl_key | /etc/mysql/server-key.pem |+---------------+----------------------------+方法二:在这里,还可以直接安装0.9.8x版本的openssl进行证书生成。
这一条用方法1解决。
当主服务器上的此 *** 作完成时,将生成另一个复制帐户:requires1
GRANT REPLICATION SLAVE ON *.* TO 'rep'@'192.168.200.%' IDENTIFIED BY '123456' REQUIRE SSL;然后从头开始配置。生成的证书之前已经给了从服务器,所以您可以在配置之前尝试使用SSL连接到主服务器:
$mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -h192.168.200.245 -urep -pEnter password: SSL error: Unable to get private key from 'client-key.pem'ERROR 2026 (HY000): SSL connection error同理,也是SSL的问题造成的。按照与重新生成server-key.pem相同的方式重新生成client-key.pem:
openssl rsa client.pem out client继续使用SSL测试连接:
$mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -h192.168.200.245 -urep -pEnter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 763Server version: 5.5.35-0ubuntu0.12.04.2-log (Ubuntu) Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> \s--------------mysql Ver 14.14 Distrib 5.5.37, for debian-linux-gnu (x86_64) using readline 6.2Connection id: 763Current database: Current user: [email protected]: Cipher in use is DHE-RSA-AES256-SHACurrent pager: stdout Using outfile: ''Using delimiter: ; Server version: 5.5.35-0ubuntu0.12.04.2-log (Ubuntu) Protocol version: 10Connection: 192.168.200.245 via TCP/IP Server characterset: utf8mb4 Db characterset: utf8mb4 Client characterset: utf8 Conn. characterset: utf8 TCP port: 3306Uptime: 22 min 52 sec Threads: 3 Questions: 2325 Slow queries: 1 Opens: 7483 Flush tables: 1 Open tables: 100 Queries per second avg: 1.694SSL连接测试成功,登录的SSL协议为:使用的密码为dhe-RSA-aes256-sha
继续从以下位置配置SSL:
ssl ssl-ca=/etc/mysql/ca-cert.pem ssl-cert=/etc/mysql/client-cert.pem ssl-key=/etc/mysql/client-key.pem查看是否支持SSL:
>show variables like '%ssl%';+---------------+----------------------------+| Variable_name | Value |+---------------+----------------------------+| have_openssl | YES || have_ssl | YES || ssl_ca | /etc/mysql/ca-cert.pem || ssl_capath | || ssl_cert | /etc/mysql/client-cert.pem || ssl_cipher | || ssl_key | /etc/mysql/client-key.pem |+---------------+----------------------------+从属SSL也得到正确支持,所以最后开始配置主从复制。从上面更改:
CHANGE MASTER TO MASTER_HOST='192.168.200.245', MASTER_USER='rep', MASTER_PASSWORD='123456', MASTER_LOG_FILE='mysql-bin.000042', MASTER_LOG_POS=521, MASTER_SSL=1, MASTER_SSL_CA = '/etc/mysql/ca-cert.pem', MASTER_SSL_CERT = '/etc/mysql/client-cert.pem', MASTER_SSL_KEY = '/etc/mysql/client-key.pem'测试:
男:
>create table tmp_1229(id int,name varchar(100))default charset utf8;>insert into tmp_1229 values(1,'a'),(2,'b'),(3,'c');>select * from tmp_1229;+------+------+| id | name |+------+------+| 1 | a || 2 | b || 3 | c |+------+------+学生:
id name a b c上述同步成功。
摘要:
SSL(安全套接字层)及其继任者传输层安全性(TLS)是一种为网络通信提供安全性和数据完整性的安全协议。默认情况下,复制是明文传输的,SSL加密可以大大提高数据的安全性。在上述过程中,我遇到了一些问题:
1:因1:openssl版本问题导致的证书不可用,解决方法已在本文中说明。
2.2:MariaDB证书不可用是由于生成服务器端客户端证书时输入不一致造成的。本文还解释了解决方案。
3:如果配置有问题,可以找到SSL登录时的错误信息,可以直接定位问题出在哪里。
ssl登陆: mysql4:配置MariaDB的时候,可以在生成证书的时候直接验证,看看有没有问题。
验证: openssl verify CAfile etcmysqlcacert.pem etcmysqlservercert.pem etcmysqlclientcert.pem/etc/MySQL/server-cert.PEM:OK
/etc/MySQL/client-cert.PEM:OK
5:如果openssl版本没有问题,就不需要通过opensslrsa再次生成。具体安装和配置方法请参考本文。
更新时间(2016年3月19日):
今天做了mysql5.7的SSL复制,5.7安装的时候上面的pem文件已经在data目录下生成了,直接把客户端的pem复制到上面就可以了(注意复制后修改权限,把所有者改成mysql)。否则,报告一个错误:
Failed to set up SSL because of the following SSL library error: Unable to get certificate ... server-cert.pem Failed to set up SSL because of the following SSL library error: Unable to get private key ... server-cert.pem更多信息:
https://blog.marceloaltmann.com/en-MySQL-replication-with-SSL-pt-replicaCao-em-MySQL-com-SSL/
http://www.zhengdazhi.com/?p=856
http://dev.MySQL.com/doc/refman/5.5/en/replication-solutions-SSL.html
https://dev.MySQL.com/doc/refman/5.7/en/replication-solutions-secure-connections.html
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)