Mysql

當我使用 –ssl 啟動 mysqld 時,MariaDB 總是顯示 SSL 未使用

  • February 21, 2016
  • CentOS 7.2.1511
  • Linux 3.10.0-123.9.3.el7.x86_64
  • 瑪麗亞數據庫:10.1.11

/etc/my.cnf

#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

[mysqld]
ssl
ssl-ca       = /root/ca.pem
ssl-cert     = /root/server-cert.pem
ssl-key      = /root/server-key.pem 
bind-address = 0.0.0.0
port         = 3306
max_allowed_packet = 16M


[mysqldump]
max_allowed_packet = 16M

我用命令啟動了 mariadb:

systemctl start mysql

然後我用 root 登錄 mysqlstatus顯示 SSL Not in use。然後我輸入

show variables like '%ssl%';

我得到一張桌子:

+---------------------+---------------------------------+
| Variable_name       | Value                           |
+---------------------+---------------------------------+
| have_openssl        | YES                             |
| have_ssl            | DISABLED                        |
| ssl_ca              | /root/ca.pem                    |
| ssl_capath          |                                 |
| ssl_cert            | /root/server-cert.pem           |
| ssl_cipher          |                                 |
| ssl_crl             |                                 |
| ssl_crlpath         |                                 |
| ssl_key             | /root/server-key.pem            |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+

最後我什至嘗試使用 ssl 登錄,但顯然失敗了。

更新

以下是錯誤日誌文件中的一些警告消息:

[Warning] Failed to setup SSL
[Warning] SSL error: SSL_CTX_set_default_verify_paths failed
[Warning] SSL error: error:0200100D:system library:fopen:Permission denied
[Warning] SSL error: error:2006D002:BIO_new_file:system lib
[warning] SSL error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

MariaDB 不允許訪問根目錄中的文件/root。因此,CA、證書和私鑰文件是不可讀的。

這些文件在 RHEL 上的標準位置位於/etc/pki:/etc/pki/CA和. 如果您將它們複製到此處,並設置適當的所有權和權限,以便 MariaDB 可以讀取它們,您會發現它可以工作。或者,您可以將證書和私鑰文件放在./etc/pki/tls/certs``/etc/pki/tls/private``/etc/mysql

引用自:https://serverfault.com/questions/758678