MySQl 使用 SSL 加密連線，增加安全性

Server 端

查出 ssl 變數得知 mysql 還沒有設定 ssl ，但有支援的

mysql -u root -p -e "show variables like '%ssl%';"

+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+

建立憑證

mkdir /etc/newcerts
cd /etc/newcerts
# CA 憑證
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
# server 憑證
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# client 憑證
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
# 驗證憑證是否 ok
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

ps: 記得憑證要輸入的資訊不可都一樣，不然可能會在連線時遇到

ERROR 2026 (HY000): SSL connection error

編輯 /etc/my.cnf

[mysqld]
ssl-ca=/etc/newcerts/ca-cert.pem
ssl-cert=/etc/newcerts/server-cert.pem
ssl-key=/etc/newcerts/server-key.pem

這樣就支援 SSL 了

+---------------+-------------------------------+
| Variable_name | Value |
+---------------+-------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/newcerts/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/newcerts/server-cert.pem |
| ssl_cipher | DHE-RSA-AES256-SHA |
| ssl_key | /etc/newcerts/server-key.pem |
+---------------+-------------------------------+

授權使用者給 Client

grant all on *.* to [email protected] identified by '123456';

假如要讓連線一定要跑 SSL

grant all on *.* to 'cross'@'10.10.10.137' identified by '123456'  require ssl;

Client 端

從 server 端產生的 ca-cert 及 client-cert 與 client-key 放到 client 端

編輯 /etc/my.cnf

[client]
ssl-ca=/etc/newcerts/ca-cert.pem
ssl-cert=/etc/newcerts/client-cert.pem
ssl-key=/etc/newcerts/client-key.pem

測試

mysql -u cross -p123456 -h 10.10.10.134 -e 'status'

出現 (如下)，就代表設定對了

SSL:                    Cipher in use is DHE-RSA-AES256-SHA

或直接

mysql --ssl-ca=/etc/newcerts/ca-cert.pem --ssl-cert=/etc/newcerts/client-cert.pem --ssl-key=/etc/newcerts/client-key.pem -u cross -p123456 -h 10.10.10.134 -e 'status'

參考

1. http://dev.mysql.com/doc/refman/5.0/en/configuring-for-ssl.html
2. http://www.mysqlperformanceblog.com/2013/06/22/setting-up-mysql-ssl-and-secure-connections/
3. http://tedyeng.blogspot.tw/2008/09/using-ssl-for-secure-mysql-connection.html
4. http://www.mysqlfanboy.com/2011/11/simplified-mysql-ssl-connections/
5. http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html