What SSL does

It provides secure communication between the client and the server (encryption and integrity checking).

Configure the installation source

yum install -y https://dev.mysql.com/get/mysql57-community-release-el7-10.noarch.rpm

Install the packages

yum install -y mysql-community-server mysql-community-devel mysql-community-client

Start the database

systemctl start mysqld
systemctl enable mysqld

Initialize the database

Get the temporary password

grep 'A temporary password' /var/log/mysqld.log

Initialize the database with mysql_secure_installation

mysql_secure_installation

Enter password for user root:ufqLq&R6tgl%
[...]
New password:*******
Re-enter new password:*******
[...]
Change the password for root ? ((Press y|Y for Yes, any other key for No) : y
New password:*******
Re-enter new password:*******
[...]
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
[...]
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
[...]
Disallow root login remotely? (Press y|Y for Yes, any other key for No) :n
[...]
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
[...]
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
[...]

Disable the password complexity requirement and set the default character set to utf8

cp /etc/my.cnf /etc/my.cnf.default
vim /etc/my.cnf

Add:

[mysqld]
validate-password=off
character_set_server=utf8
init_connect='SET NAMES utf8'

Restart the database service

systemctl restart mysqld

Allow remote login

mysql -uroot -p

use mysql;
update user set host='%' where user = 'root';
flush privileges;

Make sure SSL is installed on the machine

Check which SSL library MySQL was built against

mysql -uroot -p

show status like 'rsa_public_key';

The query returns:

Empty set (0.00 sec)

An empty result means the official build is based on yaSSL. If the build is based on OpenSSL, check the OpenSSL version with:

openssl version

Generate the required certificates

mysql_ssl_rsa_setup

ls -l /var/lib/mysql/*.pem

Enable SSL in the MySQL configuration file

vim /etc/my.cnf

Add under the [mysqld] section:

ssl-ca = /var/lib/mysql/ca.pem
ssl-cert = /var/lib/mysql/server-cert.pem
ssl-key = /var/lib/mysql/server-key.pem

Restart the service
systemctl restart mysqld
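Before restarting, it is worth verifying that the three ssl-* options in my.cnf actually point at existing files and that the private key is not readable by other users, because mysqld will start without TLS if the paths are wrong. The following is an added example, not part of the original post: a small Python checker that parses the [mysqld] section of an option file (the tiny parser is my own, not MySQL's), reports missing certificate files, a group/world-readable server-key.pem, and whether validate_password is off. It builds a throwaway directory with placeholder PEM files so it runs offline; the option names and paths mirror the ones used on this page.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample my.cnf mirroring this page's settings. The {d} placeholder is
# filled with a throwaway directory created in demo(), not a real datadir.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
validate-password=off
character_set_server=utf8
init_connect='SET NAMES utf8'
ssl-ca = {d}/ca.pem
ssl-cert = {d}/server-cert.pem
ssl-key = {d}/server-key.pem

[mysqld_safe]
log-error=/var/log/mysqld.log
"""


def parse_my_cnf(text):
    """Minimal MySQL option-file parser: {section: {key: value}}.
    Keys are normalised so that 'ssl-ca' and 'ssl_ca' compare equal, because
    the server treats '-' and '_' in option names interchangeably."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":          # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key = key.strip().replace("-", "_")
        value = value.strip().strip("'\"")
        if current is not None:
            sections[current][key] = value
    return sections


def check_ssl_config(cnf_text):
    """Return a list of human-readable findings for the [mysqld] TLS settings."""
    findings = []
    mysqld = parse_my_cnf(cnf_text).get("mysqld", {})
    for opt in ("ssl_ca", "ssl_cert", "ssl_key"):
        path = mysqld.get(opt)
        if not path:
            findings.append(f"{opt}: not set")
        elif not os.path.isfile(path):
            findings.append(f"{opt}: file missing: {path}")
    key = mysqld.get("ssl_key")
    if key and os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"ssl_key: {key} is group/world accessible (mode {mode:04o})")
    if mysqld.get("validate_password") == "off":
        findings.append("validate_password: off")
    return findings


def demo(key_mode=0o600, create_cert=True):
    """Create placeholder PEM files in a temp dir and run the checker on them.
    key_mode and create_cert let the caller simulate the two failure cases."""
    d = tempfile.mkdtemp()
    for name in ("ca.pem", "server-cert.pem", "server-key.pem"):
        if name == "server-cert.pem" and not create_cert:
            continue
        p = Path(d, name)
        p.write_text("-----BEGIN PLACEHOLDER-----\n")   # constructed, not a real PEM
        if name == "server-key.pem":
            os.chmod(p, key_mode)
    return check_ssl_config(SAMPLE_MY_CNF.format(d=d))


if __name__ == "__main__":
    for finding in demo(key_mode=0o644, create_cert=False):
        print(finding)
```

On a real host, call check_ssl_config(open("/etc/my.cnf").read()) as root instead of demo(); the only finding for this page's configuration should be the validate_password line.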

Confirm that SSL is enabled

mysql -uroot -p

show global variables like 'have_%ssl';
Output:

+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (0.00 sec)

Check the enabled TLS protocol versions

mysql -uroot -p
show global variables like 'tls_version';
Output:

+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.00 sec)

Client connection test

mysql -uroot -h 192.168.1.2 -p

It is best to test over a remote connection; a connection via localhost or a -S unix socket may not use SSL.

mysql> status
--------------
bin/mysql  Ver 14.14 Distrib 5.7.9, for Linux (x86_64) using  EditLine wrapper

Connection id:      10
Current database:
Current user:       root@192.168.1.2
SSL:                Cipher in use is DHE-RSA-AES256-SHA
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;

If the SSL line of the status output shows "Cipher in use", the current connection is using SSL.

Users that must log in over SSL

This sets ssl_type to ANY in the mysql.user table for that account.

Require SSL:
alter user 'root'@'%' require ssl;
Do not require SSL:
alter user 'ssltest'@'%' require none;
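The three checks above (have_ssl, tls_version, the cipher line in the client's status output) and the per-user ssl_type setting are all things an operator ends up re-checking after every config change. The following is an added example, not from the original post: a Python script with a parser for the mysql client's ASCII table output plus three small checks built on it. It flags enabled protocol versions that are formally deprecated (TLSv1 and TLSv1.1, per RFC 8996; the page's own output enables exactly those two), extracts the negotiated cipher from the status output (or reports None when the client prints "Not in use"), and lists accounts whose mysql.user.ssl_type is still empty, i.e. that may connect without TLS. The sample outputs are constructed to match the shapes shown on this page; the 'app' account and the 10.0.0.% host are my own additions.

```python
import re

# Constructed sample client output, shaped like the sessions shown on this page
# (192.168.1.2 and 'ssltest' come from the page; 'app'@'10.0.0.%' is made up).
HAVE_SSL_OUTPUT = """\
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
"""
TLS_VERSION_OUTPUT = """\
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
"""
USER_SSL_OUTPUT = """\
+---------+----------+----------+
| user    | host     | ssl_type |
+---------+----------+----------+
| root    | %        | ANY      |
| ssltest | %        |          |
| app     | 10.0.0.% | ANY      |
+---------+----------+----------+
"""
STATUS_TLS = """\
Connection id:      10
Current user:       root@192.168.1.2
SSL:                Cipher in use is DHE-RSA-AES256-SHA
Current pager:      stdout
"""
STATUS_PLAIN = "Connection id:      11\nSSL:                Not in use\n"

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}   # formally deprecated by RFC 8996


def parse_table(text):
    """Turn the mysql client's '|'-delimited ASCII table into a list of dicts
    keyed by the header row. Cells containing a literal '|' are not handled."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = lambda line: [c.strip() for c in line.strip().strip("|").split("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def variables(text):
    """SHOW VARIABLES / SHOW STATUS output as {name: value}."""
    return {r["Variable_name"]: r["Value"] for r in parse_table(text)}


def tls_findings(have_text, tls_text):
    """Is TLS available, which versions are enabled, and which of those are deprecated."""
    v = {**variables(have_text), **variables(tls_text)}
    enabled = [x for x in v.get("tls_version", "").split(",") if x]
    return {
        "ssl_enabled": v.get("have_ssl") == "YES",
        "enabled_versions": enabled,
        "deprecated_enabled": [x for x in enabled if x in DEPRECATED_TLS],
    }


def connection_cipher(status_text):
    """Cipher name from the client's 'status' output, or None when the connection
    is unprotected (the client then prints 'SSL: Not in use')."""
    m = re.search(r"^SSL:\s*Cipher in use is (\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None


def users_without_ssl(user_text):
    """(user, host) pairs whose ssl_type is empty, i.e. accounts still allowed to
    log in without TLS. REQUIRE SSL sets the column to ANY, REQUIRE NONE clears it."""
    return [(r["user"], r["host"]) for r in parse_table(user_text) if r["ssl_type"] == ""]


if __name__ == "__main__":
    print(tls_findings(HAVE_SSL_OUTPUT, TLS_VERSION_OUTPUT))
    print(connection_cipher(STATUS_TLS), connection_cipher(STATUS_PLAIN))
    print(users_without_ssl(USER_SSL_OUTPUT))
```

To run it against a live server, feed the functions the text produced by the corresponding queries, for example the output of `select user, host, ssl_type from mysql.user;` to users_without_ssl.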