$ su
1. Check whether OpenSSL is installed
$ openssl version
2. Check whether MySQL supports SSL
$ systemctl restart mysql
$ mysql -u root -p
> SHOW VARIABLES LIKE '%ssl%';
> quit
have_openssl DISABLED
have_ssl DISABLED
3. Prepare the SSL certificates
http://jasonmun.blogspot.my/2017/02/openssl-ca-ssl.html
4. Configure
$ systemctl stop mysql
$ gedit /etc/my.cnf
[client-server]
!includedir /etc/my.cnf.d
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
ssl-ca=/etc/pki/ca.pem
ssl-cert=/etc/pki/server-cert.pem
ssl-key=/etc/pki/server-key.pem
log-error=/var/log/mysqld.log
bind-address = *
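
An added example, not from the original post: a shell check to run before starting MySQL again, confirming that the ssl-ca, ssl-cert and ssl-key options from the configuration above are set under [mysqld], point at readable files, and that the private key is not world-readable. The function names and the temp-dir sample are assumptions made for the example; it reads only the one file it is given and does not follow !includedir.

```bash
# Added example (not from the original post): audit the ssl-* options of step 4.
# Print the value of option $2 from the [mysqld] section of options file $1.
mysqld_opt() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next                   # bare flag or !includedir
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/_/, "-", key)                 # ssl_ca and ssl-ca are the same option
            if (key == want) found = val        # a later setting overrides an earlier one
        }
        END { if (found != "") print found }' "$1"
}

# Return 0 only if all three options are set, each names a readable file,
# and the private key has no read bit for "other".
audit_mysqld_tls() {
    cnf=$1; rc=0
    for opt in ssl-ca ssl-cert ssl-key; do
        path=$(mysqld_opt "$cnf" "$opt")
        if [ -z "$path" ]; then
            echo "FAIL $opt is not set under [mysqld]"; rc=1
        elif [ ! -r "$path" ]; then
            echo "FAIL $opt=$path is missing or unreadable"; rc=1
        else
            echo "ok   $opt=$path"
        fi
    done
    key=$(mysqld_opt "$cnf" ssl-key)
    if [ -n "$key" ] && [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $key is world-readable (chmod o-rwx)"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the three ssl-* lines of step 4, with paths moved to a temp dir.
demo() {
    d=$(mktemp -d)
    touch "$d/ca.pem" "$d/server-cert.pem" "$d/server-key.pem"
    chmod 600 "$d/server-key.pem"
    printf '[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
        "$d" "$d" "$d" > "$d/my.cnf"
    audit_mysqld_tls "$d/my.cnf"; demo_rc=$?
    rm -rf "$d"; return "$demo_rc"
}
demo
```

On the real server, run `audit_mysqld_tls /etc/my.cnf` as root after defining the functions.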
5. Create a MySQL account that can use SSL
$ systemctl start mysql
$ mysql -u root -p
Remove the previous account
> DROP USER 'ssl_user'@'%';
Re-create the account
> GRANT ALL PRIVILEGES ON *.* TO 'ssl_user'@'localhost' IDENTIFIED BY '123' REQUIRE SSL;
> FLUSH PRIVILEGES;
> quit
6. Connect to MySQL over SSL from the client
$ mysql --ssl-ca=/etc/pki/ca.pem --ssl-cert=/etc/pki/client-cert.pem --ssl-key=/etc/pki/client-key.pem -h member.dlinkddns.com -u ssl_user -p
> status
7. Other
You can create a .my.cnf in your own home directory
$ gedit ~/.my.cnf
[client]
ssl-ca=/etc/pki/ca.pem
ssl-cert=/etc/pki/client-cert.pem
ssl-key=/etc/pki/client-key.pem