我有一个 CentOS 8,带有 MariaDB(10.3.17)。
服务器使用 TLS 设置,我已将服务器配置为使用双向 TLS,遵循 MariaDB 示例:https://mariadb.com/kb/en/securing-connections-for-client-and-server/#enabling-one-way-tls-for-mariadb-clients
localhost
但是,当我使用该连接时,我无法使双向 TLS 工作。
因此,我拥有的是:
mariadb-server
port = 3306
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
在客户端我有这个:
[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true
证书_chain
有中级证书(我签署了 _crt 文件)和 CA 证书。CA 证书已添加到主机的信任存储中(尽管据我所知,它并未在 mariadb 中使用)
证书的CN为:
subject=C ... CN = dbsrv.example.com, ...
subject=C ... CN = jumphost.example.com, ...
subject=C ... CN = MyCA-Int, ...
现在的问题来了。
当我连接本地主机时,收到以下错误消息:
mysql -u root -p
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
但如果我通过 TCP 连接,它就可以工作:
mysql -h dbsrv.example.com -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.3.17-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 30
Current database:
Current user: [email protected]
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.17-MariaDB MariaDB Server
Protocol version: 10
Connection: dbsrv.example.com via TCP/IP
...
如果我ssl-verify-server-cert = true
从客户端配置中删除它,它也可以正常工作,但这不是我想要的。
mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.3.17-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 31
Current database:
Current user: root@localhost
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.17-MariaDB MariaDB Server
Protocol version: 10
Connection: Localhost via UNIX socket
----------------------------
```bash
mysql -h dbsrv.example.com -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.3.17-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 32
Current database:
Current user: [email protected]
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 10.3.17-MariaDB MariaDB Server
Protocol version: 10
Connection: dbsrv.example.com via TCP/IP
那么,我怎样才能让它localhost
也能与连接一起工作呢?