数据库服务器上
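# Create the directory that will hold the server's TLS key and certificate.
mkdir -p /etc/mysql/ssl && cd /etc/mysql/ssl

# Generate a self-signed certificate and a new RSA-2048 key.
#   -x509      : emit a self-signed certificate instead of a signing request
#   -nodes     : the private key is written unencrypted, so file permissions
#                are the only thing protecting it on disk
#   -days 3650 : ten-year validity; plan key/certificate rotation accordingly
# openssl prompts for the subject fields because no -subj is given.
# The subshell sets umask 077 so the key is never created readable by
# group/other, without changing the umask of the interactive shell.
# Absolute paths are used so the files cannot land in another directory if
# the cd above failed.
(
  umask 077
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout /etc/mysql/ssl/my-private.key \
    -out /etc/mysql/ssl/my-cert.pem
)

# mysqld must be able to read both files. This assumes the server runs as the
# packaged 'mysql' OS account; confirm on your host before running.
# With root ownership and mode 400, a non-root mysqld cannot load the key.
chown mysql:mysql /etc/mysql/ssl/my-private.key /etc/mysql/ssl/my-cert.pem

# Key: owner read-only. Certificate: public, world-readable is fine.
chmod 400 /etc/mysql/ssl/my-private.key
chmod 444 /etc/mysql/ssl/my-cert.pem

# Verify with `ls -l`: the key should show -r--------. A key listed as
# -rw-r--r-- is readable by every local user and should be treated as exposed.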
[root@sztech ssl]# ll
total 8
-rw-r--r--. 1 root root 1220 Oct 15 17:08 my-cert.pem
-rw-r--r--. 1 root root 1704 Oct 15 17:08 my-private.key
[root@sztech ssl]#
服务端参数配置
在 my.cnf 参数文件的 [mysqld] 段中增加:
[mysqld]
# Restrict the server to TLS 1.2 and TLS 1.3.
tls_version = TLSv1.2,TLSv1.3
# Reject client connections that do not use a secure transport. TCP
# connections must use TLS; local Unix socket connections also count as
# secure transport for this setting.
require_secure_transport=on
# The self-signed certificate is listed as its own CA, so clients that are
# given this same file as their CA can validate the server certificate.
# There is no separate CA here: replacing the server certificate means
# redistributing the new file to every client.
ssl-ca = /etc/mysql/ssl/my-cert.pem
ssl-cert = /etc/mysql/ssl/my-cert.pem
# Private key. It must be readable by the account mysqld runs as and by
# no other user.
ssl-key = /etc/mysql/ssl/my-private.key
SSL用户的创建
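-- Demo account for this walkthrough. 'wj1234' is a sample password; use a
-- strong, unique one outside a lab.
-- Plain ASCII quotes are required: typographic quotes (‘ ’) pasted from a
-- web page are not string delimiters and the statement will fail.
-- REQUIRE SSL is set in CREATE USER so the account never exists without the
-- encrypted-connection requirement.
CREATE USER 'wj'@'%' IDENTIFIED BY 'wj1234' REQUIRE SSL;

-- ALL ON *.* gives this account every privilege on every schema, from any
-- host ('%'). Narrow both for real use, for example (placeholders):
--   GRANT SELECT, INSERT, UPDATE, DELETE ON <app_db>.* TO 'wj'@'<client_host>';
GRANT ALL ON *.* TO 'wj'@'%';

-- FLUSH PRIVILEGES is not needed: CREATE USER / GRANT take effect
-- immediately. It is only required after editing the grant tables directly.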
服务器上测试验证
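不带ssl登录报错(未指定 -h,客户端默认走本机 Unix socket,该连接默认不加密,应是被账号的 REQUIRE SSL 拒绝;如要与下面的 TCP 登录严格对比,可对同一地址加 --ssl-mode=DISABLED 再试一次)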
[root@sztech ~]# mysql -uwj -pwj1234
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'wj'@'localhost' (using password: YES)
带ssl登录正常
[root@sztech ssl]# mysql -uwj -pwj1234 --ssl_ca=/etc/mysql/ssl/my-cert.pem -h192.168.110.129
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.4.2 MySQL Community Server - GPL
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> status
--------------
mysql Ver 8.4.2 for Linux on x86_64 (MySQL Community Server - GPL)
Connection id: 11
Current database:
Current user: wj@sztech
SSL: Cipher in use is TLS_AES_128_GCM_SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.4.2 MySQL Community Server - GPL
Protocol version: 10
Connection: 192.168.110.129 via TCP/IP
Server characterset: utf8mb3
Db characterset: utf8mb3
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3306
Binary data as: Hexadecimal
Uptime: 7 min 14 sec
Threads: 3 Questions: 21 Slow queries: 0 Opens: 119 Flush tables: 3 Open tables: 38 Queries per second avg: 0.048
--------------
mysql>
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+------------------------+
| Variable_name | Value |
+---------------+------------------------+
| Ssl_cipher | TLS_AES_128_GCM_SHA256 |
+---------------+------------------------+
1 row in set (0.00 sec)