Can I use openssl s_client to retrieve the CA certificate for MySQL?

I have access to the remote database server using the following:

mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase

Now I want to connect to it using JDBC.

I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But I don't have permission to read that file or even ssh into the machine.

I've tried

openssl s_client -cipher DHE-RSA-AES256-SHA  -connect thehost:3306

and some variations. I always get errors. For example:

CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

Can I use openssl s_client to retrieve the CA certificate for MySQL?

You probably can't.

A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.

For example:

$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...

The server sent the server's certificate. It's shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. S means it's the Subject, while I means it's the Issuer.

The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".

"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root.

If the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap in their own CA and use an evil chain.

We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:

$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
  -CAfile addtrustexternalcaroot.pem

It will result in a Verify Ok (0).

Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.

openssl s_client -starttls mysql -connect thehost:3306

Source: answer by Paul Tobias
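Putting the two answers together with the asker's actual goal (a Java truststore), here is an added example that is not from either answer or from OpenSSL: it splits the chain printed by openssl s_client -starttls mysql -showcerts into one PEM file per certificate, shows each subject/issuer so you can tell whether a self-signed root was really sent (the first answer's point), and imports a chosen file with keytool. The host thehost, the alias mysql-ca, the file truststore.jks and its password are placeholders.

```shell
# Added example, not from either answer. Splits the output of
# `openssl s_client -starttls mysql -showcerts` into one PEM file per
# certificate, reports subject/issuer so you can see whether a
# self-signed root was sent, and imports a file into a Java truststore.

# Read s_client output on stdin, write cert1.pem, cert2.pem, ... into
# directory $1, and print how many certificates were found.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", dir, n); inblock = 1 }
    inblock { print > f }
    /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
    END { print n + 0 }'
}

# Subject and issuer of each extracted file. Subject == issuer means the
# certificate is self-signed: either the server sent its root CA, or it
# uses a self-signed server certificate that must be trusted directly.
describe_chain() {
  for f in "$1"/cert*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Import one PEM file as a trusted CA into truststore.jks for JDBC
# (point the driver at it with -Djavax.net.ssl.trustStore=truststore.jks).
# Alias, keystore name and password are placeholders.
import_ca() {
  keytool -importcert -trustcacerts -noprompt -alias mysql-ca \
    -file "$1" -keystore truststore.jks -storepass changeit
}

# Constructed sample of s_client -showcerts output: the base64 bodies are
# placeholders, not real certificates.
SAMPLE_OUTPUT=$(cat <<'EOF'
Certificate chain
 0 s:CN = thehost
   i:CN = MySQL_Server_CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificatePlaceholder==
-----END CERTIFICATE-----
 1 s:CN = MySQL_Server_CA
   i:CN = MySQL_Server_CA
-----BEGIN CERTIFICATE-----
MIIBconstructedSelfSignedCaPlaceholder==
-----END CERTIFICATE-----
EOF
)
```

Against a live server the pipeline is `openssl s_client -starttls mysql -showcerts -connect thehost:3306 </dev/null 2>/dev/null | split_chain certs`, then `describe_chain certs` and `import_ca certs/certN.pem` for the file that is the CA; if no self-signed certificate appears in the output, the CA has to come from the server's administrator, as the first answer explains.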
