[英]MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256
我正在使用带有 SSL 的 MySQL 和 TLS1.2 密码 AES256-SHA256 / DHE-RSA-AES256-SHA256。 我已经用 openssl 编译了 MySQL。 我可以使用 TLS1.0 密码通过 SSL 连接到 MySQL。 但是当我尝试使用 TLS1.2 密码连接时,连接失败并显示错误。
MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40
使用 TLS1.2 密码连接抛出错误
> mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5
my.cnf 的片段
[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem
[mysql]
default-character-set=utf8
[mysqld]
general_log=1
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem
连接了 TLS1.0 密码的 MySQL 提示 snipeet
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper
Connection id: 6
Current database:
Current user: root@localhost
SSL: Cipher in use is AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.23-log Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /tmp/mysql.sock
Uptime: 1 hour 32 min 40 sec
Threads: 1 Questions: 11 Slow queries: 0 Opens: 67 Flush tables: 1
Open tables: 60 Queries per second avg: 0.001
--------------
mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name | Value |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates | 0 |
| Ssl_accepts | 6 |
| Ssl_callback_cache_hits | 0 |
| Ssl_cipher | AES256-SHA |
| Ssl_cipher_list | AES256-SHA |
| Ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| Ssl_ctx_verify_depth | 18446744073709551615 |
| Ssl_ctx_verify_mode | 5 |
| Ssl_default_timeout | 7200 |
| Ssl_finished_accepts | 3 |
| Ssl_finished_connects | 0 |
| Ssl_server_not_after | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits | 0 |
| Ssl_session_cache_misses | 0 |
| Ssl_session_cache_mode | SERVER |
| Ssl_session_cache_overflows | 0 |
| Ssl_session_cache_size | 128 |
| Ssl_session_cache_timeouts | 0 |
| Ssl_sessions_reused | 0 |
| Ssl_used_session_cache_entries | 0 |
| Ssl_verify_depth | 18446744073709551615 |
| Ssl_verify_mode | 5 |
| Ssl_version | TLSv1 |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value |
+---------------+----------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /home/mysql-cert/ca.pem |
| ssl_capath | |
| ssl_cert | /home/mysql-cert/server-cert.pem |
| ssl_cipher | AES256-SHA |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /home/mysql-cert/server-key.pem |
+---------------+----------------------------------+
9 rows in set (0.00 sec)
MySQL编译为
> cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/
-DWITH_SSL=/opt/scr-openssl/ssl/
-DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/
-DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/
-DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS=1
>make
>make install
请帮我配置 MySQL 以使用 TLS1.2 密码。
MySQL v5.6.23 只能支持 TLS 1.0。 要获得对 TLS 1.2 的支持,您需要升级到更高的 MySQL 版本并确保客户端和服务器都已编译为使用 OpenSSL。
根据MySQL 文档,您可能可以使用 MySQL 5.6.46。
当使用 OpenSSL 1.0.1 或更高版本编译时,MySQL 支持 MySQL 5.6.46 及 5.6.46 之前的 TLS1v1 协议的 TLSv1、TLSv1.1 和 TLSv1.2 协议。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.