Ubuntu 14.04上的MySQL 5.5和SSL_Mysql_Ssl_Ssl Certificate_Ubuntu 14.04

Ubuntu 14.04上的MySQL 5.5和SSL

mysql ssl

Ubuntu 14.04上的MySQL 5.5和SSL,mysql,ssl,ssl-certificate,ubuntu-14.04,Mysql,Ssl,Ssl Certificate,Ubuntu 14.04,我正在尝试在内核为3.13.0-32-generic的Ubuntu14.04Linux（64位）上设置一个支持SSL的mysql服务器5.5.38-0ubuntu0.14.04.1 我允许远程访问mysql，并更改了/etc/mysql/my.cnf以支持ssl ssl=1 ssl-ca=/etc/mysql/ca-cert.pem ssl-cert=/etc/mysql/server-cert.pem ssl-key=/etc/mysql/server-key.pem 我生成了证书 open

我正在尝试在内核为3.13.0-32-generic的Ubuntu14.04Linux（64位）上设置一个支持SSL的mysql服务器5.5.38-0ubuntu0.14.04.1

我允许远程访问mysql，并更改了/etc/mysql/my.cnf以支持ssl

ssl=1
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

我生成了证书

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

openssl req -newkey rsa:2048 -days 3560 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

对于用于服务器和客户端证书/密钥的公共名称值，我有不同的名称。在某些情况下，同名似乎是个问题

我正确设置了/etc/mysql/中所有*.pem文件（mysql:adm）的权限。重新启动mysql后，我可以以root用户身份登录，并看到现在支持ssl：

mysql> show variables like '%ssl%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| have_openssl  | YES                               |
| have_ssl      | YES                               |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                                   |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                                   |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+-----------------------------------+
7 rows in set (0.00 sec)

所以。。我生成了一个测试用户来测试ssl连接：

mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'password' REQUIRE X509;
mysql> flush privileges;

然而，当我尝试连接时

# mysql -u ssluser -p --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

但是，我的证书似乎是有效的：

# openssl verify -CAfile ca-cert.pem server-cert.pem client cert.pem
server-cert.pem: OK
client-cert.pem: OK

我已经试着解决这个问题好几个小时了，现在我没有任何新的想法。。

非常感谢您的帮助

已解决：使用SHA1生成关键帧后生效

#使用SHA1摘要生成CA密钥和证书
openssl genrsa 2048>ca-key.pem
openssl请求-sha1-新-x509-节点-3650天-密钥ca-key.pem>ca-cert.pem
#使用SHA1摘要创建服务器密钥和证书，签名并转换
#从PKCS#8（OpenSSL 1.0及更新版本）到旧PKCS#1格式的RSA密钥
openssl请求-sha1-新密钥rsa:2048-第730天-节点-密钥输出服务器-key.pem>server-req.pem
openssl x509-sha1-req-in server-req.pem-days 730-CA-cert.pem-CA-key-CA-key.pem-set_serial 01>server-cert.pem
openssl rsa-in-server-key.pem-out-server-key.pem
#使用SHA摘要创建客户端密钥和证书，签名并转换
#从PKCS#8（OpenSSL 1.0及更新版本）到旧PKCS#1格式的RSA密钥
openssl请求-sha1-新密钥rsa:2048-第730天-节点-keyout client-key.pem>client-req.pem
openssl x509-sha1-req-in client-req.pem-days 730-CA-cert.pem-CA-key CA-key.pem-set_serial 01>client-cert.pem
openssl rsa-in-client-key.pem-out-client-key.pem

已解决：使用SHA1生成密钥后生效

#使用SHA1摘要生成CA密钥和证书
openssl genrsa 2048>ca-key.pem
openssl请求-sha1-新-x509-节点-3650天-密钥ca-key.pem>ca-cert.pem
#使用SHA1摘要创建服务器密钥和证书，签名并转换
#从PKCS#8（OpenSSL 1.0及更新版本）到旧PKCS#1格式的RSA密钥
openssl请求-sha1-新密钥rsa:2048-第730天-节点-密钥输出服务器-key.pem>server-req.pem
openssl x509-sha1-req-in server-req.pem-days 730-CA-cert.pem-CA-key-CA-key.pem-set_serial 01>server-cert.pem
openssl rsa-in-server-key.pem-out-server-key.pem
#使用SHA摘要创建客户端密钥和证书，签名并转换
#从PKCS#8（OpenSSL 1.0及更新版本）到旧PKCS#1格式的RSA密钥
openssl请求-sha1-新密钥rsa:2048-第730天-节点-keyout client-key.pem>client-req.pem
openssl x509-sha1-req-in client-req.pem-days 730-CA-cert.pem-CA-key CA-key.pem-set_serial 01>client-cert.pem
openssl rsa-in-client-key.pem-out-client-key.pem