My MySQL server is correctly configured with the following parameters:
mysql> show global variables like '%have_ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.00 sec)
mysql> show global variables like 'ssl_ca';
+---------------+--------+
| Variable_name | Value  |
+---------------+--------+
| ssl_ca        | ca.pem |
+---------------+--------+
1 row in set (0.00 sec)
mysql> show global variables like 'ssl_cert';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| ssl_cert      | server-cert.pem |
+---------------+-----------------+
1 row in set (0.00 sec)
mysql> show global variables like 'ssl_key';
+---------------+----------------+
| Variable_name | Value          |
+---------------+----------------+
| ssl_key       | server-key.pem |
+---------------+----------------+
1 row in set (0.00 sec)
mysql> show global variables like 'datadir';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| datadir       | /dados/ |
+---------------+---------+
1 row in set (0.00 sec)
These files exist in the datadir:
[root@mysqlen1 dados]# ls -l ca.pem server-cert.pem server-key.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 3 10:28 ca.pem
-rw-r--r-- 1 mysql mysql 1112 Nov 3 10:28 server-cert.pem
-rw------- 1 mysql mysql 1680 Nov 3 10:28 server-key.pem
Then I create a user:
mysql> create user 'teste'@'%' identified by 'teste123' require ssl;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
I can connect using the certificates:
[root@TCCPUC-ENGDADOS:~]# mysql -uteste -p'teste123' -h 192.168.0.110 --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 30
Server version: 8.0.28 MySQL Community Server - GPL
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
but also without the certificates:
[root@TCCPUC-ENGDADOS:~]# mysql -uteste -p'teste123' -h 192.168.0.110
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 8.0.28 MySQL Community Server - GPL
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Is this correct? Can I force the user to log in only with these certificates?
Specifying REQUIRE SSL for a user does not mean that the user needs a certificate. SSL is used to encrypt the transport, while certificates are used for authentication. You can create the user with REQUIRE X509 instead to force the client to present a certificate. You can also configure mysqld with require_secure_transport, the server-side startup option that requires encrypted connections.
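The REQUIRE X509 and require_secure_transport settings mentioned in the answer, as an added example that is not part of the original question or answer. The second login in the question succeeded because the MySQL 8.0 client defaults to --ssl-mode=PREFERRED and negotiates TLS whenever the server offers it, so REQUIRE SSL was satisfied even without --ssl-cert; the statements below take the account from the question and tighten it step by step, then show the queries that confirm what the server actually enforces. The certificate DN strings in step 3 are assumptions (read the real ones with `openssl x509 -in client-cert.pem -noout -issuer -subject`); everything else is standard MySQL 8.0 syntax.

```sql
-- Added example, not code from the original post. Account name, password
-- and the DN strings below are assumptions taken from / modelled on the
-- question; adjust them to your own certificates.

-- 1. The account as created in the question. REQUIRE SSL only demands an
--    encrypted channel; a client that negotiates TLS without presenting
--    any certificate satisfies it.
CREATE USER 'teste'@'%' IDENTIFIED BY 'teste123' REQUIRE SSL;

-- 2. Tighten it: the client must now present a certificate that validates
--    against the server's ssl_ca. A login without --ssl-cert/--ssl-key is
--    refused with ERROR 1045 (28000): Access denied.
ALTER USER 'teste'@'%' REQUIRE X509;

-- 3. Optional pinning: accept only a certificate with this issuer and
--    subject, not just any certificate chained to the CA. The DN values
--    are assumptions; copy the real ones from the client certificate.
ALTER USER 'teste'@'%'
  REQUIRE ISSUER  '/CN=MySQL_Server_8.0.28_Auto_Generated_CA_Certificate'
  AND     SUBJECT '/CN=MySQL_Server_8.0.28_Auto_Generated_Client_Certificate';

-- 4. Verify what the server recorded for the account. ssl_type is ''
--    (no requirement), 'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'
--    (ISSUER/SUBJECT/CIPHER given).
SELECT user, host, ssl_type, x509_issuer, x509_subject
FROM mysql.user
WHERE user = 'teste';

-- 5. Server-wide: refuse every unencrypted TCP connection regardless of
--    the per-account REQUIRE clause. SET PERSIST writes mysqld-auto.cnf
--    in the datadir so the setting survives a restart; the equivalent
--    my.cnf line is  require_secure_transport=ON  under [mysqld].
SET PERSIST require_secure_transport = ON;
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';

-- 6. From any session, confirm the current connection is really
--    encrypted: an empty Ssl_cipher value means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Two checks from the client side: after step 2, the plain `mysql -uteste -p'teste123' -h 192.168.0.110` login from the question fails with ERROR 1045, while the invocation with --ssl-ca/--ssl-cert/--ssl-key still works; after step 5, adding --ssl-mode=DISABLED to either command is rejected with ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON. Two caveats: REQUIRE X509 alone accepts any certificate signed by the CA in ssl_ca, and with the auto-generated files the matching client-cert.pem/client-key.pem sit in the server's datadir, so pin with ISSUER/SUBJECT as in step 3 or issue client certificates from a dedicated CA; and require_secure_transport does not affect Unix socket connections, which MySQL treats as secure transport.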