[英]rails mysql2: how to verify mysql server's SSL certificate?
I'm trying to connect remotely to a mysql db over SSL, with the server's certificate verified to match the DNS domain used to connect to the server. 我试图通过SSL远程连接到mysql db,并验证服务器的证书以匹配用于连接到服务器的DNS域。
Using the command-line mysql
tool, I can make such a connection using mysql --ssl-ca=/path/to/cacert.pem --ssl-verify-server-cert
. 使用命令行
mysql
工具,我可以使用mysql --ssl-ca=/path/to/cacert.pem --ssl-verify-server-cert
。
Using rails mysql2, I set sslca:
¹, which causes a not-fully-verified SSL connection like mysql --ssl-ca=
does. 使用rails mysql2,我设置了
sslca:
¹,这会导致未经过完全验证的SSL连接,如mysql --ssl-ca=
那样。 How do I do the equivalent of --ssl-verify-server-cert
so that the connection fails if the server cert's domain is wrong? 我如何做
--ssl-verify-server-cert
的等效项,以便在服务器证书的域错误的情况下连接失败?
I've tried adding the following which had no effect on this issue: flags: SSL_VERIFY_SERVER_CERT
, flags: CLIENT_SSL_VERIFY_SERVER_CERT
, flags: 1073741824
, and secure_auth: true
. 我尝试添加对此问题没有影响的以下内容:
flags: SSL_VERIFY_SERVER_CERT
, flags: CLIENT_SSL_VERIFY_SERVER_CERT
, flags: 1073741824
和secure_auth: true
。
¹ either sslca: /path/to/cacert.pem
in config/database.yml, or ?sslca=/path/to/cacert.pem
in a mysql2://
URL ¹要么是
sslca: /path/to/cacert.pem
?sslca=/path/to/cacert.pem
中的sslca: /path/to/cacert.pem
,要么是mysql2://
URL中的?sslca=/path/to/cacert.pem
使用mysql2>=0.4.0
,可以在适配器配置中设置sslverify: true
和sslca: path/to/cert_chain.pem
,以使客户端验证服务器身份。
This is not one of the default connection flags in the Mysql2 gem, but the constant is available and can be bitwise OR-ed into the connection flags field before making a connection. 这不是Mysql2 gem中的默认连接标志之一,但是该常数可用,并且可以在建立连接之前按位或到连接标志字段中。
You can set the global default like this: 您可以这样设置全局默认值:
Mysql2::Client::default_query_options[:connect_flags] |=
Mysql2::Client::SSL_VERIFY_SERVER_CERT
Or set the flags per connection: 或为每个连接设置标志:
client = Mysql2::Client.new(
:connect_flags => (Mysql2::Client::default_query_options[:connect_flags]
| Mysql2::Client::SSL_VERIFY_SERVER_CERT)
)
Hope that helps! 希望有帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.