我已按照以下步骤添加 mysql ssl 支持服务器 A:
# Generate a CA key and certificate with SHA1 digest
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
# Create server key and certficate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem
# Create client key and certificate with SHA digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
openssl rsa -in client-key.pem -out client-key.pem
服务器 A nano /etc/mysql/my.cnf
bind-address = 0.0.0.0
[client]
ssl-ca=/etc/mysql/ca-cert.pem
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
并测试 SSL 支持
mysql -u root -p
mysql> show variables like "%ssl%";
This is resoult from my ubuntu 14.04 test machine
mysql> show variables like "%ssl%";
+---------------+----------------------------+
| Variable_name | Value |
+---------------+----------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/server-key.pem |
+---------------+----------------------------+
9 rows in set (0.00 sec)
服务器 Bnano /etc/mysql/my.cnf
[client]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem
服务器B: 我正在测试的 php 脚本:
$con=mysqli_init();
if (!$con){
die("mysqli_init failed");
}
mysqli_ssl_set($con, "/var/www/certs/client-key.pem","/var/www/certs/client-cert.pem","/var/www/certs/ca-cert.pem",NULL, "AES256-SHA");
if (!mysqli_real_connect(
$con,"127.0.0.1","user", 'password',"db", 3306)){
die("Connect Error: " . mysqli_connect_error());
}
mysqli_close($con);
我收到的错误:
PHP Warning: mysqli_real_connect(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in ...
我在服务器 B 上运行 php 脚本,并且 mysql db 在服务器 A 上。
当我尝试通过控制台从服务器 B 连接到 A 时,它连接上了。代码:
mysql -h SERVER_A_IP -P 3306 -uuser -ppassword
答案1
发生这种情况的原因是,默认情况下,OpenSSL 会尝试验证您的证书的证书链。您的证书是自签名的,也就是说,没有其他实体验证过它,这就是 OpenSSL 中证书验证失败的原因。
为了禁用证书验证,您需要MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT在调用中添加标志mysqli_real_connect()。
您的测试之所以mysql有效,是因为您在测试中没有使用 SSL 进行连接。您需要单独启用 SSL 才能mysql进行测试。