我正在尝试为 MySQL 启用 SSL 连接——SSL 将在 MySQL 中显示为已启用,但由于此错误,我无法建立任何连接:错误 2026 (HY000):SSL 连接错误:ASN:其他签名确认错误
我正在运行以下命令:
Ubuntu Version: 14.04.1 LTS (GNU/Linux 3.13.0-34-generic x86_64)
MySQL Version: 5.5.38-0ubuntu0.14.04.1
OpenSSL Version: OpenSSL 1.0.1f 6 Jan 2014
我使用这些命令来生成我的证书(全部在 /etc/mysql 中生成):
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=NY/O=MyCompany/CN=ca"
openssl req -newkey rsa:2048 -nodes -days 3650 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=server"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -nodes -days 3650 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=client"
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
我在 my.cnf 中输入了以下内容:
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
当我尝试指定客户端证书进行连接时,出现以下错误:
mysql -uroot -ppassword --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=/etc/mysql/client-cert.pem --ssl-key=/etc/mysql/client-key.pem
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
如果我不使用 SSL 进行连接,我可以看到 MySQL 已正确加载证书:
mysql -uroot -ppassword --ssl=false
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------+
| Variable_name | Value |
+---------------+----------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/mysql/server-key.pem |
+---------------+----------------------------+
7 rows in set (0.00 sec)
我生成的证书通过了OpenSSL的验证和模数:
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
我遗漏了什么?我之前在另一台服务器上使用过同样的过程,并且成功了 - 但是 Ubuntu 版本是 12.04 LTS,而 OpenSSL 版本较旧(具体记不清了)。最新的 OpenSSL 有什么变化吗?
任何帮助,将不胜感激!
答案1
我用了:
# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem;
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem;
# Create server key and certficate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem;
openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem;
openssl rsa -in server-key.pem -out server-key.pem;
# Create client key and certificate with SHA digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem;
openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem;
openssl rsa -in client-key.pem -out client-key.pem;
设置我的 ssl (ubuntu 12.04)。我的 mysql 配置包含:
[client]
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
看一下这个帖子用于调试 SSL。以及这个帖子针对 openssl 中的变化(ubuntu 10.04 -> 14.04)。
答案2
补充@tersmitten 的回答:
首先:现在的 SHA1 哈希算法太弱了,MySQL 客户端的连接会失败并出现错误TLS/SSL error: ca md too weak。要解决此问题,请在@tersmitten 的答案中将其更改-sha1为。-sha256
其次,如果在无人值守的场景中使用此设置,则可以通过将主题行作为参数添加到三行来避免交互式提示openssl req,例如:
-subj "/C=GB/ST=London/L=London/O=My Organisation/CN=www.example.com"
注意:服务器和客户端证书不能具有相同的通用名称 (CN),否则certification verification failed将显示错误,本指南