SSL是什么?如何使用
发布网友
发布时间:2022-04-24 13:17
共3个回答
懂视网
时间:2022-04-13 06:32
MySQL 5.7--------SSL连接最佳实战
1. 背景
* 在生产环境下,安全总是无法忽视的问题,数据库安全则是重中之重,因为所有的数据都存放在数据库中
* 当使用非加密方式连接MySQL数据库时,在网络中传输的所有信息都是明文的,可以被网络中所有人截取,敏感信息可能被泄露。在传送敏感信息(如密码)时,可以采用SSL连接的方式。
* 版本小于5.7.6时按照 MySQL 5.6 SSL配置的方式进行。
2. MySQL 连接方式
* socket连接
* TCP非SSL连接
* SSL安全连接
* SSL + 密码连接 [version > MySQL 5.7.5]
* SSL + 密码 + 密钥连接
3. SSL 简介
* SSL指的是SSL/TLS,其是一种为了在计算机网络进行安全通信的加密协议。假设用户的传输不是通过SSL的方式,那么其在网络中以明文的方式进行传输,而这给别有用心的人带来了可乘之机。所以,现在很多网站其实默认已经开启了SSL功能,比如、Twtter、、淘宝等。
4. 环境 [ 关闭SeLinux ]
* system 环境
[root@MySQL ~]# cat /etc/redhat-release CentOS release 6.9 (Final)[root@MySQL ~]# uname -r 2.6.32-696.3.2.el6.x86_ [root@MySQL ~]# getenforce Disabled* MySQL 环境 [ MySQL 5.7安装前面篇章已做详细介绍 ]
have_openssl 与 have_ssl 值都为DISABLED表示ssl未开启
[root@MySQL ~]# mysql -p'123'mysql: [Warning] Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Commands end with ; or g.Your MySQL connection id is 6Server version: 5.7.18 MySQL Community Server (GPL) Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. mysql> select version();+-----------+| version() |+-----------+| 5.7.18 |+-----------+1 row in set (0.00 sec) mysql> show variables like 'have%ssl%';+---------------+----------+| Variable_name | Value |+---------------+----------+| have_openssl | DISABLED || have_ssl | DISABLED |+---------------+----------+2 rows in set (0.02 sec) mysql> show variables like 'port';+---------------+-------+| Variable_name | Value |+---------------+-------+| port | 3306 |+---------------+-------+1 row in set (0.01 sec) mysql> show variables like 'datadir';+---------------+-------------------+| Variable_name | Value |+---------------+-------------------+| datadir | /data/mysql_data/ |+---------------+-------------------+1 row in set (0.01 sec)5. SSL配置
* 利用自带工具生成SSL相关文件
[root@MySQL ~]# /usr/local/mysql/bin/mysql_ssl_rsa_setup --datadir=/data/mysql_dataGenerating a 2048 bit RSA private key..........................................................................+++.....+++writing new private key to 'ca-key.pem'-----Generating a 2048 bit RSA private key.......................................................................................................................................................................+++...+++writing new private key to 'server-key.pem'-----Generating a 2048 bit RSA private key.....................+++...........................................+++writing new private key to 'client-key.pem'----- * 查看生成的SSL文件[root@MySQL ~]# ls -l /data/mysql_data/*.pem-rw------- 1 root root 1679 Jun 24 20:54 /data/mysql_data/ca-key.pem-rw-r--r-- 1 root root 1074 Jun 24 20:54 /data/mysql_data/ca.pem-rw-r--r-- 1 root root 1078 Jun 24 20:54 /data/mysql_data/client-cert.pem-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/client-key.pem-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/private_key.pem-rw-r--r-- 1 root root 451 Jun 24 20:54 /data/mysql_data/public_key.pem-rw-r--r-- 1 root root 1078 Jun 24 20:54 /data/mysql_data/server-cert.pem-rw------- 1 root root 1675 Jun 24 20:54 /data/mysql_data/server-key.pem* 重启 MySQL 服务[root@MySQL ~]# /etc/init.d/mysqld restartShutting down MySQL.. SUCCESS! Starting MySQL. SUCCESS! * 连接MySQL 查看SSL开启状态have_openssl 与 have_ssl 值都为YES表示ssl开启成功
mysql> show variables like 'have%ssl%';+---------------+-------+| Variable_name | Value |+---------------+-------+| have_openssl | YES || have_ssl | YES |+---------------+-------+2 rows in set (0.03 sec)6. SSL + 密码连接测试
* 创建用户并指定 SSL 连接 [ MySQL 5.7后推荐使用create user 方式创建用户 ]
mysql> create user 'ssl_test'@'%' identified by '123' require SSL;Query OK, 0 rows affected (0.00 sec) * 通过密码连接测试 [ 默认采用SSL连接,需要指定不使用SSL连接 ][root@MySQL ~]# mysql -h 192.168.60.129 -ussl_test -p'123' --ssl=0mysql: [Warning] Using a password on the command line interface can be insecure.ERROR 1045 (28000): Access denied for user 'ssl_test'@'192.168.60.129' (using password: YES) * 通过 SSL + 密码 连接测试SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通过SSL连接
[root@MySQL ~]# mysql -h 192.168.60.129 -ussl_test -p'123' --sslmysql: [Warning] Using a password on the command line interface can be insecure.WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.Welcome to the MySQL monitor. Commands end with ; or g.Your MySQL connection id is 12Server version: 5.7.18 MySQL Community Server (GPL) Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. mysql> s--------------mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_) using EditLine wrapper Connection id: 12Current database: Current user: ssl_test@192.168.60.129SSL: Cipher in use is DHE-RSA-AES256-SHACurrent pager: stdoutUsing outfile: ''Using delimiter: ;Server version: 5.7.18 MySQL Community Server (GPL)Protocol version: 10Connection: 192.168.60.129 via TCP/IPServer characterset: latin1Db characterset: latin1Client characterset: utf8Conn. characterset: utf8TCP port: 3306Uptime: 7 min 34 sec Threads: 1 Questions: 29 Slow queries: 0 Opens: 112 Flush tables: 1 Open tables: 105 Queries per second avg: 0.063--------------
7. SSL + 密码 + 密钥连接
* 创建用户并指定 X509 [ SSL+密钥 ] 连接 [ MySQL 5.7后推荐使用create user 方式创建用户 ]
mysql> create user 'X509_test'@'%' identified by '123' require X509;Query OK, 0 rows affected (0.00 sec)* 通过密码连接测试[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl=0mysql: [Warning] Using a password on the command line interface can be insecure.ERROR 1045 (28000): Access denied for user 'X509_test'@'192.168.60.129' (using password: YES)* 通过 SSL +密码 连接测试[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --sslmysql: [Warning] Using a password on the command line interface can be insecure.ERROR 1045 (28000): Access denied for user 'X509_test'@'192.168.60.129' (using password: YES) * 通过 SSL + 密码+密钥连接测试SSL: Cipher in use is DHE-RSA-AES256-SHA 表示通过SSL连接
[root@MySQL ~]# mysql -h 192.168.60.129 -uX509_test -p'123' --ssl-cert=/data/mysql_data/client-cert.pem --ssl-key=/data/mysql_data/client-key.pem mysql: [Warning] Using a password on the command line interface can be insecure.Welcome to the MySQL monitor. Commands end with ; or g.Your MySQL connection id is 21Server version: 5.7.18 MySQL Community Server (GPL) Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. mysql> s--------------mysql Ver 14.14 Distrib 5.7.18, for linux-glibc2.5 (x86_) using EditLine wrapper Connection id: 21Current database: Current user: X509_test@192.168.60.129SSL: Cipher in use is DHE-RSA-AES256-SHACurrent pager: stdoutUsing outfile: ''Using delimiter: ;Server version: 5.7.18 MySQL Community Server (GPL)Protocol version: 10Connection: 192.168.60.129 via TCP/IPServer characterset: latin1Db characterset: latin1Client characterset: utf8Conn. characterset: utf8TCP port: 3306Uptime: 18 min 27 sec Threads: 1 Questions: 40 Slow queries: 0 Opens: 118 Flush tables: 1 Open tables: 111 Queries per second avg: 0.036--------------
热心网友
时间:2022-04-13 03:40
SSL(Secure Sockets Layer 安全套接层),及其继任者 传输层安全(Transport Layer Security,TLS)是为 网络通信提供安全及 数据完整性的一种安全协议。TLS与SSL在 传输层对网络连接进行加密。
提供服务
1)认证用户和服务器,确保数据发送到正确的 客户机和 服务器;
2)加密数据以防止数据中途被窃取;
3)维护数据的完整性,确保数据在传输过程中不被改变。
在设置邮箱或服务器时使用SSL协议,这样会保障邮箱及服务器更安全的使用。
使用方法:当选择了使用SSL协议时,请同时修改各收/发件服务器端口号。
热心网友
时间:2022-04-13 04:58
PHPWAMP集成环境安装SSL是最简单的了,百度搜“PHPWAMP”下载,然后百度搜索“phpwamp安装ssl”查看安装教程,就可以搞定
