MariaDB、TLS 和本地主机连接

tag-icon tag-icon ssl mariadb
MariaDB、TLS 和本地主机连接

我有一个 CentOS 8,带有 MariaDB(10.3.17)。
服务器使用 TLS 设置,我已将服务器配置为使用双向 TLS,遵循 MariaDB 示例:https://mariadb.com/kb/en/securing-connections-for-client-and-server/#enabling-one-way-tls-for-mariadb-clients

localhost但是,当我使用该连接时,我无法使双向 TLS 工作。

因此,我拥有的是:

mariadb-server

port = 3306
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca  = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

在客户端我有这个:

[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true

证书_chain有中级证书(我签署了 _crt 文件)和 CA 证书。CA 证书已添加到主机的信任存储中(尽管据我所知,它并未在 mariadb 中使用)

证书的CN为:

subject=C ... CN = dbsrv.example.com, ...
subject=C ... CN = jumphost.example.com, ...
subject=C ... CN = MyCA-Int, ...

现在的问题来了。

当我连接本地主机时,收到以下错误消息:

mysql  -u root -p
Enter password: 
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

但如果我通过 TCP 连接,它就可以工作:

mysql -h dbsrv.example.com -u root -p      
Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          30
Current database:
Current user:           [email protected]
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             dbsrv.example.com via TCP/IP
...

如果我ssl-verify-server-cert = true从客户端配置中删除它,它也可以正常工作,但这不是我想要的。

mysql  -u root -p              
Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          31
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             Localhost via UNIX socket

----------------------------

```bash
mysql -h dbsrv.example.com -u root -p
Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          32
Current database:
Current user:           [email protected]
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             dbsrv.example.com via TCP/IP

那么,我怎样才能让它localhost也能与连接一起工作呢?

相关内容