2.34.2 Enabling SSL in DBLE

Server side (DBLE)

Configure bootstrap.cnf (absolute paths are required)

-DsupportSSL=true
-DserverCertificateKeyStoreUrl=${JKS keystore holding the server certificate and private key}
-DserverCertificateKeyStorePwd=${password of that keystore}
-DtrustCertificateKeyStoreUrl=${JKS keystore holding the self-signed CA certificate}
-DtrustCertificateKeyStorePwd=${password of that keystore}

Check whether the configuration succeeded (query through the management port 9066)

mysql> select * from dble_variables where comment like '%SSL%';
+------------------------------+----------------------------------------------------------------+-----------------------------------------------------------+-----------+
| variable_name                | variable_value                                                 | comment                                                   | read_only |
+------------------------------+----------------------------------------------------------------+-----------------------------------------------------------+-----------+
| isSupportSSL                 | true                                                           | Whether support for SSL to establish frontend connections | true      |
| serverCertificateKeyStoreUrl | ${JKS keystore holding the server certificate and private key} | Service certificate required for SSL                      | true      |
| trustCertificateKeyStoreUrl  | ${JKS keystore holding the self-signed CA certificate}         | Trust certificate required for SSL                        | true      |
+------------------------------+----------------------------------------------------------------+-----------------------------------------------------------+-----------+
3 rows in set (0.07 sec)

Note: if isSupportSSL is false, the SSL protocol is not supported; look in the dble.log startup log for the reason SSL initialization failed, for example a misconfigured keystore path.
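A pre-flight check for the -D lines above, as an added example that is not part of DBLE or of this page: it parses the SSL-related options from bootstrap.cnf text and reports the mistakes that typically leave isSupportSSL at false after startup (supportSSL not set, a keystore path that is relative or does not exist, an empty password). The sample configuration, its paths and the injectable `exists` callback are assumptions made for the example.

```python
import os
import re

# Constructed sample of the SSL-related -D lines from bootstrap.cnf; this is
# not DBLE's shipped file. The keystore paths are made up, and the trust store
# is deliberately given as a relative path so that the check fires.
SAMPLE_BOOTSTRAP = """
-DsupportSSL=true
-DserverCertificateKeyStoreUrl=/etc/dble/ssl/server.jks
-DserverCertificateKeyStorePwd=changeit
-DtrustCertificateKeyStoreUrl=ssl/ca.jks
-DtrustCertificateKeyStorePwd=changeit
"""

KEYSTORE_KEYS = ("serverCertificateKeyStoreUrl", "trustCertificateKeyStoreUrl")
PASSWORD_KEYS = ("serverCertificateKeyStorePwd", "trustCertificateKeyStorePwd")
OPTION_RE = re.compile(r"^-D([^=\s]+)=(.*)$")


def parse_jvm_options(text):
    """Collect the -Dkey=value lines of a bootstrap.cnf into a dict."""
    options = {}
    for raw in text.splitlines():
        m = OPTION_RE.match(raw.strip())
        if m:
            options[m.group(1)] = m.group(2).strip()
    return options


def check_ssl_options(options, exists=os.path.isfile):
    """Return the problems that would leave isSupportSSL=false after startup.

    `exists` is injectable (an assumption of this example) so the check can be
    exercised without the real keystore files being present.
    """
    problems = []
    if options.get("supportSSL", "false").lower() != "true":
        problems.append("supportSSL is not true, so SSL stays disabled")
    for key in KEYSTORE_KEYS:
        path = options.get(key)
        if not path:
            problems.append(f"{key} is missing")
        elif not os.path.isabs(path):
            problems.append(f"{key} must be an absolute path, got {path!r}")
        elif not exists(path):
            problems.append(f"{key} points to a file that does not exist: {path}")
    for key in PASSWORD_KEYS:
        if not options.get(key):
            problems.append(f"{key} is missing or empty")
    return problems


if __name__ == "__main__":
    for problem in check_ssl_options(parse_jvm_options(SAMPLE_BOOTSTRAP)):
        print("bootstrap.cnf:", problem)
```

Run it against the real file with `check_ssl_options(parse_jvm_options(open("/path/to/bootstrap.cnf").read()))` before restarting DBLE; an empty list means the keystore options are at least well-formed and reachable, which removes the most common cause of the failure the note above describes.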

Client side

SSL modes for establishing a connection

Modelled on the SSL configuration in MySQL, DBLE provides the client with the following modes:

  • ssl-mode=DISABLED

    Description: the client uses an unencrypted connection

    client: mysql -u*** -p*** --ssl-mode=DISABLED

    jdbc: jdbc:mysql://localhost:8066/testdb?useSSL=false

  • ssl-mode=PREFERRED

    Description: the default behaviour; the client attempts an encrypted connection and, if one cannot be established, falls back to an unencrypted connection

    client: mysql -u*** -p*** --ssl-mode=PREFERRED

    jdbc: jdbc:mysql://localhost:8066/testdb?requireSSL=false&useSSL=true&verifyServerCertificate=false

  • ssl-mode=REQUIRED

    Description: the client requires an encrypted connection; if one cannot be established, the client reports an error

    client: mysql -u*** -p*** --ssl-mode=REQUIRED

    jdbc: jdbc:mysql://localhost:8066/testdb?requireSSL=true&useSSL=true&verifyServerCertificate=false

  • ssl-mode=VERIFY_CA

    • One-way authentication

      Description: the client requires an encrypted connection and verifies the server certificate against the configured CA certificate

      client: mysql -u*** -p*** --ssl-mode=VERIFY_CA --ssl-ca='${self-signed CA certificate}'

      jdbc:

        jdbc:mysql://localhost:8066/testdb?
        requireSSL=true
        &useSSL=true
        &verifyServerCertificate=true
        &trustCertificateKeyStoreUrl=file:${JKS keystore holding the self-signed CA certificate}
        &trustCertificateKeyStorePassword=${password of the self-signed CA JKS keystore}

    • Two-way (mutual) authentication

      Description: the client requires an encrypted connection and verifies the server certificate against the configured CA certificate; the server in turn verifies that the client certificate is valid

      client: mysql -u*** -p*** --ssl-mode=VERIFY_CA --ssl-ca='${self-signed CA certificate}' --ssl-cert='${client certificate}' --ssl-key='${client private key}'

      jdbc:

        jdbc:mysql://localhost:8066/testdb?
        requireSSL=true
        &useSSL=true
        &verifyServerCertificate=true
        &trustCertificateKeyStoreUrl=file:${JKS keystore holding the self-signed CA certificate}
        &trustCertificateKeyStorePassword=${password of the self-signed CA JKS keystore}
        &clientCertificateKeyStoreUrl=file:${JKS keystore holding the client certificate and private key}
        &clientCertificateKeyStorePassword=${password of the client JKS keystore}

  • ssl-mode=VERIFY_IDENTITY (not applicable)

    Description: builds on VERIFY_CA by additionally verifying the server hostname in the certificate; the self-signed certificates above cannot be used with this mode
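To audit the JDBC side of the table above, here is an added example (not code from DBLE or Connector/J) that maps a jdbc:mysql:// URL to the ssl-mode it effectively requests and lists the caveat each mode carries: PREFERRED can fall back to clear text, REQUIRED encrypts but never authenticates the server, and only VERIFY_CA with a trust store does both. The driver defaults assumed for absent parameters (useSSL=true, requireSSL=false, verifyServerCertificate=false) are assumptions of the example; the URLs in the usage block are the page's own with made-up keystore paths.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed Connector/J defaults for parameters absent from the URL; check the
# defaults documented for the driver version you actually ship.
DEFAULTS = {"useSSL": "true", "requireSSL": "false", "verifyServerCertificate": "false"}


def jdbc_ssl_posture(url):
    """Map a jdbc:mysql:// URL to the ssl-mode it requests plus its caveats."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("expected a jdbc:mysql:// URL")
    # urlsplit understands a single scheme, so drop the "jdbc:" prefix first.
    query = urlsplit(url[len("jdbc:"):]).query
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}

    def flag(name):
        return params.get(name, DEFAULTS[name]).strip().lower() == "true"

    trust_store = params.get("trustCertificateKeyStoreUrl", "")
    client_store = params.get("clientCertificateKeyStoreUrl", "")
    warnings = []
    if not flag("useSSL"):
        mode = "DISABLED"
        warnings.append("credentials and queries travel in clear text")
    elif not flag("requireSSL"):
        mode = "PREFERRED"
        warnings.append("falls back to clear text if TLS cannot be negotiated")
    elif not flag("verifyServerCertificate"):
        mode = "REQUIRED"
        warnings.append("server certificate is not validated, so the peer is not authenticated")
    else:
        mode = "VERIFY_CA"
        if not trust_store:
            warnings.append("no trustCertificateKeyStoreUrl: the JVM default trust store is used, "
                            "which will not contain a private CA")
    if client_store and not params.get("clientCertificateKeyStorePassword"):
        warnings.append("client keystore given without clientCertificateKeyStorePassword")
    return {
        "mode": mode,
        "server_authenticated": mode == "VERIFY_CA" and bool(trust_store),
        "mutual_tls": bool(client_store),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The page's own URLs, with example keystore paths substituted for the placeholders.
    for u in (
        "jdbc:mysql://localhost:8066/testdb?useSSL=false",
        "jdbc:mysql://localhost:8066/testdb?requireSSL=false&useSSL=true&verifyServerCertificate=false",
        "jdbc:mysql://localhost:8066/testdb?requireSSL=true&useSSL=true&verifyServerCertificate=false",
        "jdbc:mysql://localhost:8066/testdb?requireSSL=true&useSSL=true&verifyServerCertificate=true"
        "&trustCertificateKeyStoreUrl=file:/etc/dble/ssl/ca.jks&trustCertificateKeyStorePassword=changeit",
    ):
        print(jdbc_ssl_posture(u))
```

Running it over a code base's connection strings (the multi-line URLs above join into one line) gives a quick inventory of which clients are actually authenticating the DBLE server and which are only encrypting.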

Verifying that the connection is encrypted

  • In the MySQL client, view the status of the current connection (management-port connections do not support this command yet)

    mysql> \s
    ...
    SSL:            Cipher in use is DHE-RSA-AES256-SHA  # shows that the current connection uses SSL
    ...

  • DBLE log

    • The following contains ssl = OpenSSL, indicating that OpenSSL is in use
      2022-05-26 11:27:55,557 [INFO ][BusinessExecutor4] FrontendConnection[id = 3 port = 8066 host = 127.0.0.1 local_port = 57752 isManager = false startupTime = 1653535675511 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = OpenSSL] SSL handshake complete  (SSLHandler.java:248)
      
    • The following contains ssl = no, indicating that the transport was not encrypted
      2022-05-26 11:32:37,908 [INFO ][BusinessExecutor2] connection id close for reason [quit cmd] with connection FrontendConnection[id = 4 port = 8066 host = 192.168.0.109 local_port = 58114 isManager = false startupTime = 1653535957751 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = no]  (AbstractConnection.java:154)
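Reading the ssl field by eye does not scale, so here is an added example (not DBLE's code) that parses the FrontendConnection[...] blocks of dble.log lines in the format shown above and lists every connection that ran with ssl = no. The sample log is constructed for the example: the first two lines mirror the entries above, the third (a management-port session with isManager = true) and all ids and hosts are made up, and the loopback exemption is a policy choice of the example.

```python
import re

# Constructed sample in the format DBLE's log uses for frontend connections,
# modelled on the two entries shown above; the third line and all ids and
# hosts are made up for the example.
SAMPLE_LOG = """\
2022-05-26 11:27:55,557 [INFO ][BusinessExecutor4] FrontendConnection[id = 3 port = 8066 host = 127.0.0.1 local_port = 57752 isManager = false startupTime = 1653535675511 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = OpenSSL] SSL handshake complete  (SSLHandler.java:248)
2022-05-26 11:32:37,908 [INFO ][BusinessExecutor2] connection id close for reason [quit cmd] with connection FrontendConnection[id = 4 port = 8066 host = 192.168.0.109 local_port = 58114 isManager = false startupTime = 1653535957751 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = no]  (AbstractConnection.java:154)
2022-05-26 11:40:02,101 [INFO ][BusinessExecutor1] connection id close for reason [quit cmd] with connection FrontendConnection[id = 5 port = 9066 host = 127.0.0.1 local_port = 58200 isManager = true startupTime = 1653536402000 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = no]  (AbstractConnection.java:154)
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
CONN_RE = re.compile(r"FrontendConnection\[(?P<fields>[^\]]*)\]")
FIELD_RE = re.compile(r"(\w+) = (\S+)")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_frontend_connections(log_text):
    """Return one dict per line that carries a FrontendConnection[...] block."""
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("fields")))
        ts = TS_RE.match(line)
        rec["timestamp"] = ts.group(1) if ts else None
        rec["id"] = int(rec["id"])
        rec["isManager"] = rec.get("isManager") == "true"
        # DBLE prints the TLS provider name (e.g. OpenSSL) or "no".
        rec["encrypted"] = rec.get("ssl", "no") != "no"
        records.append(rec)
    return records


def unencrypted_connections(log_text, ignore_loopback=True):
    """(timestamp, id, host) for every connection that ran without TLS.

    Loopback clients are skipped by default, treating local administrative
    sessions as an accepted exception; pass ignore_loopback=False to list them.
    """
    hits = []
    for rec in parse_frontend_connections(log_text):
        if rec["encrypted"]:
            continue
        if ignore_loopback and rec.get("host") in LOOPBACK:
            continue
        hits.append((rec["timestamp"], rec["id"], rec.get("host")))
    return hits


if __name__ == "__main__":
    for ts, conn_id, host in unencrypted_connections(SAMPLE_LOG):
        print(f"{ts} connection {conn_id} from {host} used no TLS")
```

A connection appears once at the handshake and again when it closes, so deduplicate on id if you only want a count; feeding the output of this check into alerting is a simple way to notice clients that were left on PREFERRED and silently fell back to clear text.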