2.34.2 DBLE启用SSL
服务端(DBLE)
配置boostrap.cnf(需填写绝对路径)
-DsupportSSL=true
-DserverCertificateKeyStoreUrl=${服务端数字证书和私钥的JKS密钥库}
-DserverCertificateKeyStorePwd=${对应密钥库的密码}
-DtrustCertificateKeyStoreUrl=${自签名CA证书的JKS密钥库}
-DtrustCertificateKeyStorePwd=${对应密钥库的密码}
检查是否配置成功(管理端9066中查看)
mysql> select * from dble_variables where comment like '%SSL%';
+------------------------------+---------------------------------------------------------------+-----------------------------------------------------------+-----------+
| variable_name | variable_value | comment | read_only |
+------------------------------+---------------------------------------------------------------+-----------------------------------------------------------+-----------+
| isSupportSSL | true | Whether support for SSL to establish frontend connections | true |
| serverCertificateKeyStoreUrl | ${服务端数字证书和私钥的JKS密钥库} | Service certificate required for SSL | true |
| trustCertificateKeyStoreUrl | ${自签名CA证书的JKS密钥库} | Trust certificate required for SSL | true |
+------------------------------+---------------------------------------------------------------+-----------------------------------------------------------+-----------+
3 rows in set (0.07 sec)
注意: 如果isSupportSSL为false,表示不支持ssl协议;根据dble.log启动日志中找到ssl初始失败的原因,比如,可能是密钥库的路径配置不对等。
客户端
建立连接的SSL模式
参照MySQL中的SSL配置,DBLE也为客户端提供了以下几种模式:
ssl-mode=DISABLED
描述:Client端使用未加密的连接
client:
mysql -u*** -p*** --ssl-mode=DISABLEDjdbc:
jdbc:mysql://localhost:8066/testdb?useSSL=falsessl-mode=PREFFERED
描述:默认行为,client端尝试使用加密进行连接,如果无法构建加密连接,则会退回到未加密的连接
client:
mysql -u*** -p*** --ssl-mode=PREFFEREDjdbc:
jdbc:mysql://localhost:8066/testdb?requireSSL=false&useSSL=true&verifyServerCertificate=falsessl-mode=REQUIRED
描述:Client端需要加密连接,如果无法构建连接,则Client端将报错
client:
mysql -u*** -p*** --ssl-mode=REQUIREDjdbc:
jdbc:mysql://localhost:8066/testdb?requireSSL=true&useSSL=true&verifyServerCertificate=falsessl-mode=VERIFY_CA
单向认证
描述:Client端需要加密连接,并且客户端会根据配置的ca证书对服务端证书进行验证
client:
mysql -u*** -p*** --ssl-mode=VERIFY_CA --ssl-ca='${自签名CA证书}'jdbc:
jdbc:mysql://localhost:8066/testdb? requireSSL=true &useSSL=true &verifyServerCertificate=true &trustCertificateKeyStoreUrl=file:${自签名CA证书的JKS密钥库} &trustCertificateKeyStorePassword=${自签名CA证书的JKS密钥库的密码}双向认证
描述:Client端需要加密连接,客户端会根据配置的ca证书对服务端证书进行验证,同时服务端也会验证客户端证书的有效性
client:
mysql -u*** -p*** --ssl-mode=VERIFY_CA --ssl-ca='${自签名CA证书}' --ssl-cert='${客户端数字证书}' --ssl-key='${客户端私钥}'jdbc:
jdbc:mysql://localhost:8066/testdb? requireSSL=true &useSSL=true &verifyServerCertificate=true &trustCertificateKeyStoreUrl=file:${自签名CA证书的JKS密钥库} &trustCertificateKeyStorePassword=${自签名CA证书的JKS密钥库的密码} &clientCertificateKeyStoreUrl=file:${客户端数字证书和私钥的JKS密钥库} &clientCertificateKeyStorePassword=file:${客户端数字证书和私钥的JKS密钥库}
ssl-mode=VERIFY_IDENTITY(不适用)
描述:基于VERIFY_CA模式,追加了证书中服务器的主机验证;上面自签名证书不适用此模式
验证连接是否加密
MYSQL CLIENT中,查看当前连接的状态(管理端连接暂时不支持此命令)
mysql> \s ... SSL: Cipher in use is DHE-RSA-AES256-SHA # 表示当前连接采用SSL方式连接 ...DBLE日志
- 以下包含ssl=OpenSSL,说明采用的OpenSSL
2022-05-26 11:27:55,557 [INFO ][BusinessExecutor4] FrontendConnection[id = 3 port = 8066 host = 127.0.0.1 local_port = 57752 isManager = false startupTime = 1653535675511 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = OpenSSL] SSL handshake complete (SSLHandler.java:248) - 以下包含ssl=no,说明没采用加密传输
2022-05-26 11:32:37,908 [INFO ][BusinessExecutor2] connection id close for reason [quit cmd] with connection FrontendConnection[id = 4 port = 8066 host = 192.168.0.109 local_port = 58114 isManager = false startupTime = 1653535957751 skipCheck = false isFlowControl = false onlyTcpConnect = false ssl = no] (AbstractConnection.java:154)
- 以下包含ssl=OpenSSL,说明采用的OpenSSL