MySQL 5.7: configuring and enabling SSL

Posted by matty on Mon, 04 May 2020 06:00:33 +0200

1, Enabling SSL at installation time

[root@linux-node local]# /usr/local/mysql5.7/bin/mysqld --initialize --basedir=/usr/local/mysql5.7 --datadir=/usr/local/mysql5.7/data/ --user=mysql
[root@linux-node local]# /usr/local/mysql5.7/bin/mysql_ssl_rsa_setup --datadir=/usr/local/mysql5.7/data/

After this command runs, the following .pem files are generated in the data directory (mysql_ssl_rsa_setup calls the openssl binary, so it must be on the PATH). The server needs ca.pem, server-cert.pem and server-key.pem to offer SSL; the client files are only needed when a client has to present its own certificate.

[root@linux-node local]# ll /usr/local/mysql5.7/data/*.pem
-rw-------. 1 /usr/local/mysql5.7/data/ca-key.pem        #CA private key; never copy it to clients
-rw-r--r--. 1 /usr/local/mysql5.7/data/ca.pem            #Self-signed CA certificate; a client needs a copy of it to verify the server
-rw-r--r--. 1 /usr/local/mysql5.7/data/client-cert.pem   #Client certificate, needed only when an account requires a client certificate (REQUIRE X509)
-rw-------. 1 /usr/local/mysql5.7/data/client-key.pem    #Private key belonging to client-cert.pem
-rw-------. 1 /usr/local/mysql5.7/data/private_key.pem   #Private half of the RSA key pair; not used for SSL but for the password exchange of the sha256_password plugin
-rw-r--r--. 1 /usr/local/mysql5.7/data/public_key.pem    #Public half of that RSA key pair
-rw-r--r--. 1 /usr/local/mysql5.7/data/server-cert.pem   #Server certificate, signed by ca.pem
-rw-------. 1 /usr/local/mysql5.7/data/server-key.pem    #Server private key

2, Checking inside the database
1. View the SSL-related variables

mysql> show global variables like '%ssl%';

have_ssl should be YES, and ssl_ca, ssl_cert and ssl_key should point at ca.pem, server-cert.pem and server-key.pem (5.7 picks these three files up from the data directory at startup when they are not set in my.cnf). have_ssl = DISABLED means the server was compiled with SSL support but SSL is not enabled, usually because the files were not found or could not be read.

2. View how the test user's connection was made

mysql> \s

The SSL line of the status output reads "Not in use" for a plaintext connection and "Cipher in use is ..." for an encrypted one.

3. A user who connects through localhost, i.e. over the Unix socket, does not use SSL; only TCP connections are encrypted.

3, If mysql_ssl_rsa_setup was not run when MySQL 5.7 was installed, how to enable SSL afterwards

1. Stop the MySQL service
2. Run mysql_ssl_rsa_setup (pass --datadir if the data directory is not set in my.cnf)
3. Make the mysql user the owner of the .pem files in the data directory: chown -R mysql.mysql *.pem (the private keys must stay mode 0600)
4. Start the MySQL service; 5.7 only reads the certificate files at startup, so a restart is required
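The four steps above as one script, with the permission and certificate-chain checks a practitioner would run before restarting. This is an added example, not code from the original post. It assumes the basedir from the post (/usr/local/mysql5.7), a systemd unit named mysqld, the openssl binary on the PATH (mysql_ssl_rsa_setup calls it), and an admin login that works without a password prompt (credentials in ~/.my.cnf); the MYSQL_* variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: enable SSL on an already
# installed MySQL 5.7 server that was set up without mysql_ssl_rsa_setup.
# Assumptions (not from the post): basedir /usr/local/mysql5.7, a systemd unit
# named mysqld, the openssl binary on PATH, and an admin login that works
# without a prompt (credentials in ~/.my.cnf). Override via the environment.
MYSQL_BASE=${MYSQL_BASE:-/usr/local/mysql5.7}
MYSQL_DATADIR=${MYSQL_DATADIR:-$MYSQL_BASE/data}
MYSQL_UNIT=${MYSQL_UNIT:-mysqld}

# Private keys are readable by their owner only; certificates and the public
# key may be world-readable. $2 is the owner to chown to ("" skips chown).
fix_pem_perms() {
    dir=$1; owner=$2
    for f in ca-key.pem server-key.pem client-key.pem private_key.pem; do
        if [ -f "$dir/$f" ]; then chmod 600 "$dir/$f"; fi
    done
    for f in ca.pem server-cert.pem client-cert.pem public_key.pem; do
        if [ -f "$dir/$f" ]; then chmod 644 "$dir/$f"; fi
    done
    if [ -n "$owner" ]; then chown "$owner:$owner" "$dir"/*.pem; fi
}

# Returns 0 when the three files the server needs exist and no private key
# in the directory is readable by group or others.
pem_files_ok() {
    dir=$1
    for f in ca.pem server-cert.pem server-key.pem; do
        if [ ! -f "$dir/$f" ]; then echo "missing $dir/$f" >&2; return 1; fi
    done
    for f in ca-key.pem server-key.pem client-key.pem private_key.pem; do
        [ -f "$dir/$f" ] || continue
        # columns 5-10 of "ls -l" are the group and other permission bits
        bits=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$dir/$f is readable by group/others ($bits)" >&2
            return 1
        fi
    done
    return 0
}

# Checks that the server and client certificates really chain to ca.pem;
# a mismatch here shows up later as have_ssl = DISABLED or as client errors.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
}

enable_ssl() {
    systemctl stop "$MYSQL_UNIT"
    # --uid makes the created files belong to mysql when run as root
    "$MYSQL_BASE/bin/mysql_ssl_rsa_setup" --datadir="$MYSQL_DATADIR" --uid=mysql
    fix_pem_perms "$MYSQL_DATADIR" mysql
    pem_files_ok "$MYSQL_DATADIR" || return 1
    verify_chain "$MYSQL_DATADIR" || return 1
    systemctl start "$MYSQL_UNIT"
    # 5.7 picks the files up from the data directory at startup; confirm it did
    "$MYSQL_BASE/bin/mysql" -e "SHOW GLOBAL VARIABLES WHERE Variable_name IN ('have_ssl','ssl_ca','ssl_cert','ssl_key')"
}

# Only touch the running server when explicitly asked: sh enable_ssl.sh run
if [ "${1:-}" = run ]; then
    enable_ssl
fi
```

Run it with the argument `run` on the database host; without the argument it only defines the functions, so pem_files_ok and verify_chain can also be called on their own against any data directory to audit an existing installation.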

4, Forcing a user to connect with SSL

#Change an existing user
mysql> alter user 'test'@'%' require ssl;

#Create a new user that must use ssl
mysql> grant all on *.* to 'slave'@'192.168.133.1' identified by 'ASDF123asdf' require ssl;
mysql> flush privileges;   #Not actually needed after ALTER USER / GRANT, which update the grant tables directly; harmless

A user who is forced to use SSL gets an "Access denied" error if they try to connect without it

[root@linux-node ~]# mysql -uslave -pASDF123asdf -h 192.168.133.1 --ssl=0   #Plaintext (--ssl-mode=DISABLED from 5.7.11 on): rejected with ERROR 1045 Access denied
[root@linux-node ~]# mysql -uslave -pASDF123asdf -h 192.168.133.1 --ssl=1   #SSL (--ssl-mode=REQUIRED from 5.7.11 on): accepted; a 5.7.11+ client does this by default whenever the server offers SSL

Two caveats. REQUIRE SSL (and --ssl=1 / --ssl-mode=REQUIRED on the client) only guarantees encryption: the client does not check who issued the server certificate, so a machine in the path could still terminate the connection with its own certificate. To make the client verify the server, copy ca.pem to the client and connect with --ssl-mode=VERIFY_CA --ssl-ca=ca.pem (or VERIFY_IDENTITY, which also checks the host name in the certificate); to require a client certificate as well, use REQUIRE X509 on the account. And REQUIRE SSL is per account; to refuse every plaintext TCP connection regardless of account, set require_secure_transport=ON in my.cnf (5.7.8 and later).
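An added example for this section and for the connection check in section 2 (not code from the original post): it generates the ALTER USER statement, finds accounts that still accept plaintext logins from the ssl_type column of mysql.user, and checks from the client side that the session is encrypted and the server certificate is verified. It assumes "mysql" is on the PATH, an admin login that works without a prompt (credentials in ~/.my.cnf), the server address from the post as DB_HOST, and a copy of the server's ca.pem at CA_FILE; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: lock accounts to SSL, audit
# which accounts still accept plaintext logins, and prove from the client
# side that the session is encrypted and the server certificate is checked.
# Assumptions (not from the post): "mysql" on PATH, an admin login that works
# without a prompt (~/.my.cnf), DB_HOST is the server, CA_FILE is a copy of
# the server's ca.pem. Override both in the environment.
DB_HOST=${DB_HOST:-192.168.133.1}
CA_FILE=${CA_FILE:-/etc/mysql/ca.pem}

# SQL that makes an existing account require an encrypted connection. With
# "x509" the client must also present a certificate signed by ca.pem.
require_ssl_sql() {
    # $1 user, $2 host, $3 "ssl" (default) or "x509"
    case ${3:-ssl} in
        x509) printf "ALTER USER '%s'@'%s' REQUIRE X509;\n" "$1" "$2" ;;
        *)    printf "ALTER USER '%s'@'%s' REQUIRE SSL;\n" "$1" "$2" ;;
    esac
}

# Reads "user<TAB>host<TAB>ssl_type" lines (the -N output of the query in
# audit_accounts) and prints user@host for every account that still accepts
# plaintext logins over TCP. ssl_type is empty for such accounts; 'localhost'
# accounts are skipped because they use the Unix socket, which never uses SSL.
plaintext_accounts() {
    awk -F'\t' '$3 == "" && $2 != "localhost" { print $1 "@" $2 }'
}

# Live audit against the server (needs the admin login described above).
audit_accounts() {
    mysql -N -e "SELECT user, host, ssl_type FROM mysql.user" | plaintext_accounts
}

# Connects as $1 with password $2, refuses to fall back to plaintext, and
# verifies the server certificate against ca.pem. Prints the negotiated
# cipher; an empty value would mean the session is not encrypted.
tls_login_check() {
    mysql --ssl-mode=VERIFY_CA --ssl-ca="$CA_FILE" -h "$DB_HOST" -u "$1" -p"$2" \
        -N -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'" | cut -f2
}

# The same account with SSL switched off must be rejected
# (returns 0 when the server refused the login, as expected).
plaintext_login_rejected() {
    if mysql --ssl-mode=DISABLED -h "$DB_HOST" -u "$1" -p"$2" -e "SELECT 1" >/dev/null 2>&1; then
        echo "plaintext login as $1 succeeded: account is not locked to SSL" >&2
        return 1
    fi
    return 0
}

# Only talk to the server when explicitly asked: sh ssl_accounts.sh run
if [ "${1:-}" = run ]; then
    require_ssl_sql slave 192.168.133.1 | mysql
    audit_accounts
    tls_login_check slave ASDF123asdf
    plaintext_login_rejected slave ASDF123asdf
fi
```

The audit deliberately looks at ssl_type rather than at whether a login happens to be encrypted right now: an account with an empty ssl_type will silently accept plaintext the moment a client passes --ssl-mode=DISABLED, which is exactly what plaintext_login_rejected probes for.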

Topics: SSL MySQL Linux Database