我的Localhost在Win64上运行Mariadb 10.6.7。
我试图在连接MariadB时强制SSL。
我使用MySQL Workbench 8.0测试连接。
要启用SSL,我做了以下操作:
- 我生成自签名的证书,然后在我的ini中,设置以下内容:
[mysqld]
datadir=C:/xampp/MariaDB 10.6/data
port=3306
innodb_buffer_pool_size=1009M
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/server-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/server-key.pem
[client]
port=3306
plugin-dir=C:/Program Files/MariaDB 10.6/lib/plugin
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/client-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/client-key.pem
- 为了强制SSL,我将用户设置为Mariadb中的用户需要SSL。
不幸的是,通过这种配置,I 仍然可以使用任何证书连接到MySQL ,而无需使用任何证书。我如何强迫Mariadb强迫SSL或失败?
我的第二个问题是,我怀疑我的配置实际上是用于使用require x509的设置。是这样吗?如果是,我该如何将其设置为仅使用SSL?
最后,将证书设置在my.ini中,防止我通过常规方式连接到mySQL,即:mysql -u root。我收到以下错误:
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing
the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN).
我尝试使用以下命令,mySQL -ssl-ca = [目录] \ client-cert.pem -u root,没有成功。我的错误与上面相同。有什么想法吗?
如果您有参考页或任何类型的见解,这将不胜感激。
谢谢。
My localhost is running MariaDB 10.6.7 on Win64.
I am trying to force SSL when connecting to MariaDB.
I test the connection using MySQL Workbench 8.0.
To enable the SSL, I did the following:
- I generate self signed certificate, then in my.ini, I set the following:
[mysqld]
datadir=C:/xampp/MariaDB 10.6/data
port=3306
innodb_buffer_pool_size=1009M
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/server-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/server-key.pem
[client]
port=3306
plugin-dir=C:/Program Files/MariaDB 10.6/lib/plugin
ssl-ca=C:/xampp/xampp/certs/mysql/ca-cert.pem
ssl-cert=C:/xampp/xampp/certs/mysql/client-cert.pem
ssl-key=C:/xampp/xampp/certs/mysql/client-key.pem
- To force SSL, I set the user in MariaDB to require SSL.
Unfortunately, with this configuration, I can still connect to MySQL without using any certificate. How can I force MariaDB to force SSL or FAIL?
My second question, I have a suspicion that my configuration is actually for setting using Require X509. Is this the case? If yes, how can I set it up to just use Require SSL?
Last, having the certificate set in my.ini, prevent me from connecting to mysql via the regular way, that is: mysql -u root. I got the following error:
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing
the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN).
I have tried to use the following command, mysql --ssl-ca=[directory]\client-cert.pem -u root, without success. I got the same error as above. Any idea?
If you have a reference page or any kind of insight, that would be appreciated.
Thanks.
发布评论
评论(3)
创建用户时,您需要添加需要参数,该参数可以是X509或SSL。
以
“ root” requient x509确定的创建用户itpuxs2@'%''
创建用“ root” requient SSL确定的用户ITPUXS3@'%'''';
When creating a user, you need to add the require parameter, which can be x509 or ssl.
take for example
create user itpuxs2@'%' identified by 'root' require x509;
create user itpuxs3@'%' identified by 'root' require ssl;
从我在Win64中的测试中,“需要SSL”不需要[客户端]下的SSL-CA,SSL-CERT,SSL-KEY。这种设置也是我无法使用“ mysql -u root”登录的原因。
我使用MySQL Workbench测试与Mariadb的连接。从我的测试中,即使我没有提供任何证书,只要服务器具有SSL证书,该连接将被加密(需要SSL)。话虽如此,我确实试图提供一个ca-cert.pem,但它行不通。根据我在Google的研究,似乎这可能是由于Mariadb中使用的SSL库。对于不同的分布,SSL库可能有所不同。
至于X509,我能够在Linux中使用它。我做过一次,并且没有进行进一步的测试,因为我目前正在Windows工作。
From my test in Win64, the ssl-ca, ssl-cert, ssl-key under [client] is not required for "Require SSL". This settings were also the reason why I could not login using "mysql -u root".
I use MySQL Workbench to test my connection to MariaDB. From my testing, even though I did not provide any certificate, as long as the server have certificate for SSL, then the connection would be encrypted (Require SSL). Having said that, I did try to provide a ca-cert.pem, but it did not work. From my research in google, it seems that this may due to the SSL Library used in MariaDB. The SSL library may be different for different distribution.
As for the X509, I was able to get it working in Linux. I did this once and was not doing further testing since I am working in windows at the moment.
为了要求“登录应需要有效的客户端证书对,否则连接应失败”,您应该使用“ requient x509”而不是“ require SSL”创建MariaDB用户。
要求SSL 表示单向TLS身份验证:MariaDB客户端必须验证服务器的证书是否由IT信任的证书授权签署。不需要客户证书。所有流量都是完全加密的。
需要X509 表示双向TLS(相互身份验证):除上述内容外,Mariadb Server还必须信任签署客户证书的证书授权。
两种方法都完全加密数据库流量。第二种策略阻止了拥有密码但没有信任证书的人连接的连接。
参考
For the requirement "login should require a valid client certificate pair, or else the connection should fail", you should create a MariaDB user using "REQUIRE X509" rather than "REQUIRE SSL".
REQUIRE SSL means one-way TLS authentication: the MariaDB client must verify that the server's certificate is signed by a certificate authority it trusts. No client certificate is required. All traffic is fully encrypted.
REQUIRE X509 means two-way TLS (mutual authentication): in addition to the above, the MariaDB server must also trust the certificate authority that signed the client's certificate.
Both methods fully encrypt database traffic. The second strategy prevents a connection from someone who has the password but not a trusted certificate from connecting.
Refer to
https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls-for-specific-user-accounts