mysql - 在 Ubuntu 14.04 上为 MySQL 设置 SSL 连接时出现问题

Question

我已经为此苦苦思索了几天，我真的束手无策......

我正在尝试在 ubuntu 14.04 上运行的 MySQL 5.7.10 上设置 SSL 连接，无论我做什么，在尝试连接时要求使用 SSL 的用户总是被拒绝访问。

我能够在 Windows(我们的开发机器)上轻松设置 SSL，但出于对我的爱，无法让它在 Linux 上运行。

我尝试使用安装 MySQL 时提供的证书(位于/var/lib/mysql 目录中)。我还尝试使用 this procedure 生成新的.我什至尝试导入我在 Windows 上使用 MySQL Workbench 生成的证书(实际上在 Windows 上运行的证书)，但没有任何效果。

当启动 MySQL 时，SSL 似乎没问题，因为我只在/var/log/mysql/err.log 中得到它

2015-12-17T18:25:32.687582Z 0 [Warning] CA certificate /var/lib/mysql/ca.pem is self signed.

SSL 在 MySQL 中开启

mysql> SHOW VARIABLES LIKE '%SSL%';
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ca.pem          |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/server-cert.pem |
| ssl_cipher    |                                |
| ssl_crl       |                                |
| ssl_crlpath   |                                |
| ssl_key       | /var/lib/mysql/server-key.pem  |
+---------------+--------------------------------+

我已经将服务器和客户端证书的路径放在/etc/mysql/my.cnf 中

[client]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem

[mysqld]
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

我什至尝试为 mysql 禁用 appArmor，以防万一，当尝试连接需要 ssl 的测试用户时，我总是得到 sema 结果:

CREATE USER 'test'@'localhost' IDENTIFIED BY 'test';
GRANT USAGE ON *.* TO 'test'@'localhost' REQUIRE ssl;
FLUSH PRIVILEGES;

尝试连接时:

> /usr/bin$ mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)

手动指定客户端证书时同样的事情:

> mysql --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --host=localhost --user=test --password
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)

有人知道吗？我不明白为什么在 Windows 上运行良好的 setuyp 在 Linux 上会让我如此悲伤。

有没有办法进一步调试？

提前致谢 /塞巴斯

Answer 1

我的测试:

错误日志:

[Warning] CA certificate ca.pem is self signed.

$ sudo mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10    |
+-----------+
1 row in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

$ mysql -u test -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)

$ mysql -u test -p --ssl
Enter password: 

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)

更新:测试详情。

mysqld.cnf:

[client]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem

[mysqld]
...
# SSL Settings
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

是的，证书由 MySQL 自动生成。参见 6.3.13 Creating SSL and RSA Certificates and Keys .检查访问证书的安全权限。

错误日志:

[Warning] CA certificate /var/lib/mysql/ca.pem is self signed.

$ sudo mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.10 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT VERSION(); -- MySQL Community Server
+-----------+
| VERSION() |
+-----------+
| 5.7.10    |
+-----------+
1 row in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ca.pem          |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/server-cert.pem |
| ssl_cipher    |                                |
| ssl_crl       |                                |
| ssl_crlpath   |                                |
| ssl_key       | /var/lib/mysql/server-key.pem  |
+---------------+--------------------------------+
9 rows in set (0,01 sec)

mysql> CREATE USER 'test'@'localhost' IDENTIFIED BY 'test' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

$ mysql -u test -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)

$ mysql -u test -p --ssl
Enter password: 

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.10 MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> SHOW SESSION STATUS LIKE '%Ssl_version%';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.1 |
+---------------+---------+
1 row in set (0.00 sec)