MySQL - SSL - 使用 TLS1.2 密码 AES256-SHA256 / DHE-RSA-AES256-SHA256

Question

我正在使用带有 SSL 的 MySQL 和 TLS1.2 密码 AES256-SHA256 / DHE-RSA-AES256-SHA256。 我已经用 openssl 编译了 MySQL。 我可以使用 TLS1.0 密码通过 SSL 连接到 MySQL。 但是当我尝试使用 TLS1.2 密码连接时，连接失败并显示错误。

MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40

使用 TLS1.2 密码连接抛出错误

> mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v

ERROR 2026 (HY000): SSL connection error: 
error:00000001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5

my.cnf 的片段

[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem

[mysql]
default-character-set=utf8

[mysqld]
general_log=1

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem

连接了 TLS1.0 密码的 MySQL 提示 snipeet

   mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper

Connection id:          6
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.23-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 1 hour 32 min 40 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 67  Flush tables: 1  
Open tables: 60  Queries per second avg: 0.001
--------------

mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name                  | Value                    |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates        | 0                        |
| Ssl_accepts                    | 6                        |
| Ssl_callback_cache_hits        | 0                        |
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_client_connects            | 0                        |
| Ssl_connect_renegotiates       | 0                        |
| Ssl_ctx_verify_depth           | 18446744073709551615     |
| Ssl_ctx_verify_mode            | 5                        |
| Ssl_default_timeout            | 7200                     |
| Ssl_finished_accepts           | 3                        |
| Ssl_finished_connects          | 0                        |
| Ssl_server_not_after           | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before          | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits         | 0                        |
| Ssl_session_cache_misses       | 0                        |
| Ssl_session_cache_mode         | SERVER                   |
| Ssl_session_cache_overflows    | 0                        |
| Ssl_session_cache_size         | 128                      |
| Ssl_session_cache_timeouts     | 0                        |
| Ssl_sessions_reused            | 0                        |
| Ssl_used_session_cache_entries | 0                        |
| Ssl_verify_depth               | 18446744073709551615     |
| Ssl_verify_mode                | 5                        |
| Ssl_version                    | TLSv1                    |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /home/mysql-cert/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /home/mysql-cert/server-cert.pem |
| ssl_cipher    | AES256-SHA                       |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /home/mysql-cert/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

MySQL编译为

     > cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/ 
-DWITH_SSL=/opt/scr-openssl/ssl/ 
-DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/ 
-DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/ 
-DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS=1
 >make
 >make install

请帮我配置 MySQL 以使用 TLS1.2 密码。

Answer 1

MySQL v5.6.23 只能支持 TLS 1.0。 要获得对 TLS 1.2 的支持，您需要升级到更高的 MySQL 版本并确保客户端和服务器都已编译为使用 OpenSSL。

根据MySQL 文档，您可能可以使用 MySQL 5.6.46。

当使用 OpenSSL 1.0.1 或更高版本编译时，MySQL 支持 MySQL 5.6.46 及 5.6.46 之前的 TLS1v1 协议的 TLSv1、TLSv1.1 和 TLSv1.2 协议。