I have a MariaDB server (mariadb-10.3.17) on a CentOS 8 machine, and a client (openSUSE Leap 15.1) with mariadb 10.2.31 installed.
I have configured the server with TLS as follows:

```ini
[mysqld]
...
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
...
```
The `dbsrv.example.com_chain.pem` file contains the chain certificates (intermediate and CA certificates).
I want this for all clients, including the client on the MariaDB server VM.
So I have this in `/etc/my.cnf.d/client.cnf` on the server:

```ini
[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true
```
Yes, the certificates are the same, because we are talking about the same machine!
I have this section in `/etc/my.cnf.d/clients.cnf` on openSUSE:

```ini
[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
ssl-verify-server-cert = true
```
This setup does not work. When I try to connect from the client on the server (as root), I get this error:

```text
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
```
If I make the client as follows:
```ini
[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
```

(meaning, if I remove `ssl-verify-server-cert = true`), I can connect to the server with `mysql` from the client on the server, but not from openSUSE.
So, my questions are:
1. Why does the client on the server not connect? My suspicion is on the private key permissions. But then, if I make the private key readable by anyone, it's not secure anymore.
I fixed this by creating a new `dba` group and adding the users that can access the `mysql` command and the relevant certificates. The private key is owned by `root:dba` and the permissions are `640`.
2. What am I setting wrong that I cannot have 2-way verification on my TLS connections?
Log files are not helpful (no error messages), and `-v` doesn't help either: no information.
Answer 1

1) As you suspected, it is related to the key permissions.
2) That is not the case.
3) You seem to misunderstand how it works. On the server you need:
- the SSL certificate
- the SSL key
On the client, you need the signing CA certificate.
The client verifies the authenticity of the server, not the other way around.
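As an added example (not code from the question or the answer), the following Python script audits a MariaDB `[client]` section for the two mistakes visible in the configurations above: `ssl-verify-server-cert` enabled without an `ssl_ca` trust anchor to validate against, and the opposite case where dropping verification makes the connection "work" but leaves the server unauthenticated. It also checks a private key's mode bits the way the `root:dba` / `640` fix implies (owner-only or a dedicated read-only group is accepted, any access for "other" is flagged). The sample configs are copied from the question; the function names and the treatment of `-`/`_` option spellings as equivalent (which MariaDB option files allow) are my assumptions.

```python
"""Audit a MariaDB [client] option-file section for the TLS mistakes discussed above.

The sample configs below are constructed from the question so the script runs offline.
"""
import configparser
import os
import stat

# MariaDB treats a bare option, or these values, as "enabled".
TRUE_VALUES = {"", "1", "true", "on", "yes"}


def _norm(name):
    """MariaDB accepts '-' and '_' interchangeably in option names; normalise to '_'."""
    return name.strip().lower().replace("-", "_")


def parse_client_section(option_text):
    """Return the [client] section as a dict with normalised option names ({} if absent)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = _norm
    cp.read_string(option_text)
    return dict(cp.items("client")) if cp.has_section("client") else {}


def _enabled(value):
    """A bare option (value None) or a true-ish value counts as enabled."""
    return value is None or value.strip().strip('"').lower() in TRUE_VALUES


def audit_client_tls(option_text):
    """Return a list of findings; an empty list means no TLS misconfiguration was detected."""
    opts = parse_client_section(option_text)
    findings = []
    verify = "ssl_verify_server_cert" in opts and _enabled(opts["ssl_verify_server_cert"])
    if verify and "ssl_ca" not in opts:
        findings.append(
            "ssl-verify-server-cert is enabled but ssl_ca is missing: the client has no "
            "trust anchor against which to validate the server certificate"
        )
    if not verify and "ssl_ca" not in opts:
        findings.append(
            "neither ssl_ca nor ssl-verify-server-cert is set: the session may be encrypted, "
            "but the server is not authenticated, so an impersonating server goes undetected"
        )
    if ("ssl_cert" in opts) != ("ssl_key" in opts):
        findings.append("ssl_cert and ssl_key must be configured together")
    return findings


def check_private_key_mode(st_mode):
    """Return a finding for permission bits that expose a private key, else None.

    Owner-only (0600) or owner plus a dedicated read-only group (0640, as in the
    root:dba fix above) is accepted; any 'other' access or group write is flagged.
    """
    problems = []
    if st_mode & stat.S_IRWXO:
        problems.append("accessible by every local user (other bits set)")
    if st_mode & stat.S_IWGRP:
        problems.append("writable by the owning group")
    if not problems:
        return None
    return "private key mode %04o: %s" % (stat.S_IMODE(st_mode), "; ".join(problems))


def check_private_key_file(path):
    """Stat a key file on disk and apply check_private_key_mode (a finding if it is missing)."""
    try:
        st_mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "private key %s not found" % path
    return check_private_key_mode(st_mode)


# Constructed samples copied from the question: the openSUSE client lacks ssl_ca,
# the server-side client has it, and the "working" variant drops verification.
OPENSUSE_CLIENT = """[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
ssl-verify-server-cert = true
"""

SERVER_SIDE_CLIENT = """[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true
"""

UNVERIFIED_CLIENT = """[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
"""

if __name__ == "__main__":
    samples = [("openSUSE", OPENSUSE_CLIENT), ("server-side", SERVER_SIDE_CLIENT),
               ("unverified", UNVERIFIED_CLIENT)]
    for name, text in samples:
        print(name, audit_client_tls(text) or ["ok"])
    print(check_private_key_mode(0o100644))  # flagged: world-readable
    print(check_private_key_mode(0o100640))  # None: matches the root:dba 640 fix
```

Run it against the real files with `audit_client_tls(open("/etc/my.cnf.d/client.cnf").read())` and `check_private_key_file("/path/to/key.pem")`; the first call reports the openSUSE section's missing `ssl_ca`, the server-side section passes, and the variant without verification is reported as encrypted but unauthenticated.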