CentOS 8 上的 MariaDB 和 TLS 困难

tag-icon tag-icon ssl mariadb
CentOS 8 上的 MariaDB 和 TLS 困难

我在 CentOS 8 机器上有一个 MariaDB 服务器(mariadb-10.3.17),还有一个客户端(openSUSE Leap 15.1),上面安装了 mariadb 10.2.31

我已使用 TLS 配置服务器,如下所示:

[mysqld]
...
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca  = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
...

dbsrv.example.com_chain.pem文件包含链证书(中间证书和CA证书)

我想为全部客户端,包括 MariaDB 服务器 VM 上的客户端。
因此,我在/etc/my.cnf.d/client.cnf服务器的

[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true

是的,证书是相同的,因为我们谈论的是同一台机器!

我有关于/etc/my.cnf.d/clients.cnfopenSUSE 的这个部分

[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
ssl-verify-server-cert = true

此设置不起作用。当我尝试从服务器上的客户端进行连接时(以 root 用户身份),出现此错误:

Enter password: 
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

If I make the client as follows: 


[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem

(意思是,如果我删除ssl-verify-server-cert = true,我mysql从客户端连接服务器但不是从 openSUSE 来的。


So, my questions are:  
1. Why is client from the server not connected? My suspicion is on the private key permissions. But then, if I make the private key readable by anyone, it's not secure anymore.  

I fixed this by creating a new dba group and added the users that can access mysql command and the relevant certificates. The Private Key is owned from `root:dba` and the permissions are `640`

2. What I am setting wrong and I cannot have 2-way verification on my TLS connections?  

Log files are not helpful (no error messages) and the -v doesn't help either, no information.

答案1

1)正如您所怀疑的,这与密钥权限有关。

2)事实并非如此。

3) 你似乎误解了它的工作原理。在服务器上你需要:

  • SSL 证书

  • SSL 密钥

在客户端,您需要签名 CA 证书。

客户端验证服务器的真实性,而不是相反。

相关内容