Can OpenSSL be used to debug an SSL connection to a MySQL server?
I want my web server to talk to the MySQL database server over an SSL connection. The web server runs CentOS 5 and the database server runs FreeBSD. The certificates are issued by an intermediate CA, DigiCert.
MySQL should be using SSL, according to my.cnf:

```ini
# The MySQL server
[mysqld]
port = 3306
socket = /tmp/mysql.sock
ssl
ssl-capath = /opt/mysql/pki/CA
ssl-cert = /opt/mysql/pki/server-cert.pem
ssl-key = /opt/mysql/pki/server-key.pem
```
When I start MySQL, the daemon starts without errors. This suggests that the certificate files are all readable.
But when I try to connect from the web server to the database server, I get an error:
```
[root@webserver ~]# mysql -h mysql.example.org -u user -p
ERROR 2026 (HY000): SSL connection error
```
If I try to debug further with openssl:
```
[root@webserver ~]# openssl s_client -connect mysql.example.org:3306 0>/dev/null
CONNECTED(00000003)
15706:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
```
Is this a valid way to test an SSL connection to a MySQL database server? The `SSL23_GET_SERVER_HELLO:unknown protocol` message is odd, because that is usually what you see when you use SSL on a port intended for non-SSL traffic. The same openssl command seems to work fine against LDAP and HTTP servers:
```
$ openssl s_client -connect ldap.example.org:636 0>/dev/null
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
...

$ openssl s_client -connect www.example.org:443 0>/dev/null
CONNECTED(00000003)
depth=0 /DC=org/DC=example/OU=Services/CN=www.example.org
```
OpenSSL version 1.1.1 (released 11 September 2018) added support for `-starttls mysql` in commit a2d9cfbac5d87b03496d62079aef01c601193b58. Unfortunately, I could not find a reference to this new feature in the OpenSSL changelog. If your distribution does not have this version yet, there is a statically compiled openssl binary at https://testssl.sh/openssl-1.0.2k-dev-chacha.pm.ipv6.Linux+FreeBSD.tar.gz that does support `-starttls mysql`. I found a reference to it in http://www.danneman.org/presentations/Automation_TLS_Configuration_Verification.pdf. For Windows, OpenSSL 1.1.1 binaries can be found at https://wiki.openssl.org/index.php/Binaries.
I generated the SSL certificates as described in https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html, tried it, and it works:
```
$ echo | bin/openssl.Linux.x86_64.static s_client -starttls mysql -connect spx-bionic.censored.com:3306 -CAfile /tmp/ca.pem
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = mysql test CA
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = spx-bionic.censored.com
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=spx-bionic.censored.com
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mysql test CA
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mysql test CA
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mysql test CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CENSORED
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=spx-bionic.censored.com
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mysql test CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 2599 bytes and written 632 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AD25B7C3018E4715F262188D982AAE141A232712316E0A3292B0C14178E0F505
    Session-ID-ctx:
    Master-Key: C121967E8FAEC4D0E0157419000660434D415251B0281CCBFC6D7A2AE8B0CC63AEFE22B332E91D31424C1BF03E5AF319
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 82 db 03 0f c0 ce f2 26-62 bd 1b 18 71 03 88 db   .......&b...q...
    0010 - a6 66 7c 71 94 0c d5 ec-96 30 46 53 4a e6 cd 76   .f|q.....0FSJ..v
    0020 - 66 b3 22 86 7d 9f 7e 2c-14 1d 66 f2 46 8f d2 d3   f.".}.~,..f.F...
    0030 - f7 0a 0b f5 9e 05 97 e1-2b b3 ba 79 78 16 b8 59   ........+..yx..Y
    0040 - dc c5 0d a8 de 0b 3a df-4b ec f9 73 3f 4c c3 f1   ......:.K..s?L..
    0050 - 86 b6 f7 aa a7 92 84 77-9f 09 b2 cc 5d dd 35 41   .......w....].5A
    0060 - 23 5d 77 74 e1 96 91 ac-28 81 aa 83 fe fc d2 3c   #]wt....(......<
    0070 - f9 23 09 6d 00 e0 da ef-48 69 92 48 54 61 69 e8   .#.m....Hi.HTai.
    0080 - 30 0e 1f 49 7d 08 63 9e-91 70 fc 00 9f cd fe 51   0..I}.c..p.....Q
    0090 - 66 33 61 24 42 8f c2 16-57 54 48 ec 6a 87 dc 50   f3a$B...WTH.j..P

    Start Time: 1537350458
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
```
OpenSSL 1.1.1 also supports `-starttls` for postgres and ldap. For the complete list, see https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/apps/s_client.c#L815-L831.
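What `-starttls mysql` actually does, and why the bare `openssl s_client` in the question fails, is that MySQL speaks first: the server sends a plaintext greeting, and the client must reply with an SSLRequest packet before TLS starts. The script below is an added example (not code from either post or from OpenSSL): it parses the greeting to check whether the server advertises the CLIENT_SSL capability, builds the SSLRequest, and, in `probe()`, runs the full exchange with certificate and hostname verification. The greeting from `make_greeting()` is a constructed sample; the function names are this example's own.

```python
import socket
import ssl
import struct

CLIENT_SSL = 0x0800  # capability bit the server sets once ssl-cert/ssl-key are loaded

def make_greeting(caps: int, version: bytes = b"5.7.26-log") -> bytes:
    """Constructed sample Initial Handshake Packet (protocol v10), not a real capture."""
    return (b"\x0a" + version + b"\x00" + struct.pack("<I", 5) + b"abcdefgh\x00"
            + struct.pack("<H", caps & 0xFFFF) + b"\x21" + struct.pack("<H", 2)
            + struct.pack("<H", caps >> 16) + b"\x15" + b"\x00" * 10
            + b"ijklmnopqrst\x00" + b"mysql_native_password\x00")

def parse_greeting(payload: bytes) -> dict:
    """Parse the plaintext greeting MySQL sends first. A bare `openssl s_client`
    expects a TLS ServerHello at this point, hence its 'unknown protocol' error."""
    if not payload or payload[0] != 10:
        raise ValueError("unsupported handshake protocol version")
    end = payload.index(b"\x00", 1)                 # NUL-terminated server version
    pos = end + 1 + 4 + 8 + 1                       # skip thread id, auth data, filler
    cap_low, = struct.unpack_from("<H", payload, pos)
    cap_high, = struct.unpack_from("<H", payload, pos + 5)  # after charset + status
    caps = cap_low | (cap_high << 16)
    return {"version": payload[1:end].decode(), "capabilities": caps,
            "ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request(charset: int = 33, max_packet: int = 1 << 24) -> bytes:
    """SSLRequest packet (sequence id 1): the client announces the switch to TLS."""
    caps = CLIENT_SSL | 0x0200 | 0x8000  # plus CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def probe(host: str, port: int = 3306, cafile: str = None) -> dict:
    """Live check, the exchange `-starttls mysql` performs: read greeting, send
    SSLRequest, then a verified TLS handshake (chain against cafile or the system
    store, plus hostname). Returns the parsed greeting and TLS details."""
    with socket.create_connection((host, port), timeout=10) as raw:
        # MSG_WAITALL makes recv block until the full packet is in (Linux/BSD).
        length = int.from_bytes(raw.recv(4, socket.MSG_WAITALL)[:3], "little")
        info = parse_greeting(raw.recv(length, socket.MSG_WAITALL))
        if not info["ssl"]:
            raise RuntimeError("server did not advertise CLIENT_SSL; check ssl-* in my.cnf")
        raw.sendall(build_ssl_request())
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info.update(tls_version=tls.version(), peer_cert=tls.getpeercert())
    return info
```

A server that starts cleanly but whose greeting lacks CLIENT_SSL has not actually loaded its ssl-* settings, which is the first thing to check before blaming the certificate chain.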