禁用MariaDB上的ssl,可以';t在Debian和YaSSL上启用SSL
我正在尝试在Raspberry 3上设置MariaDB和TLS,并在安装了LAMP的情况下运行。玛丽亚DB 10.1.23 我遵循官方文件,也尝试了 但是,当我查看变量时,have_ssl保持禁用状态禁用MariaDB上的ssl,可以';t在Debian和YaSSL上启用SSL,ssl,ssl-certificate,mariadb,raspbian,Ssl,Ssl Certificate,Mariadb,Raspbian,我正在尝试在Raspberry 3上设置MariaDB和TLS,并在安装了LAMP的情况下运行。玛丽亚DB 10.1.23 我遵循官方文件,也尝试了 但是,当我查看变量时,have_ssl保持禁用状态 MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%'; +---------------------+--------------------------------+ | Variable_name | Value
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------+
| Variable_name | Value |
+---------------------+--------------------------------+
| have_openssl | NO |
| have_ssl | DISABLED |
| ssl_ca | /etc/mysql/ssl/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/ssl/server-key.pem |
| version_ssl_library | YaSSL 2.4.2 |
+---------------------+--------------------------------+
10 rows in set (0.01 sec)
这是我的/etc/mysql/mariadb.conf.d/50-server.cnf
#
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
ssl=on
尝试openssl s_客户端时,我得到以下结果:
openssl s_client -state -nbio -debug -connect 127.0.0.1:3306 | grep "ssl"
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
1995634080:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
openssl s_client -connect 127.0.0.1:3306
CONNECTED(00000003)
1995855264:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542233581
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
我还尝试从另一个Raspi连接,结果如下:
root@DietPi:/etc/mysql/ssl# openssl s_client -state -nbio -debug -connect 192.168.1.89:3306 | grep "^ssl"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:error in SSLv2/v3 read server hello A
548036626192:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
到目前为止,我的研究不是很成功。没有有效的解决方案,也不适合我的环境。我还试图安装,但安装cpan App::cpanminus
失败,原因是
Writing MYMETA.yml and MYMETA.json
MIYAGAWA/App-cpanminus-1.7044.tar.gz
/usr/bin/perl Makefile.PL INSTALLDIRS=site -- OK
Running make for M/MI/MIYAGAWA/App-cpanminus-1.7044.tar.gz
MIYAGAWA/App-cpanminus-1.7044.tar.gz
make -- NOT OK
明天我将尝试安装analyze-ssl.pl或打开另一个线程。只是想解释一下我是怎么做的
如果有人能帮我解开谜语,我会很高兴的
谢谢!
Markus您可以尝试将openssl默认生成的PKCS#8密钥转换为mariadb的PKCS#1密钥
openssl rsa -in pcks#8.key -out pkcs#1.key
这次手术后,我说
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+-----------------------------------------------+
| Variable_name | Value |
+---------------------+-----------------------------------------------+
| have_openssl | NO |
| have_ssl | YES |
| ssl_ca | /etc/mysql/ssl/mariaDB-CA.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/ssl/server.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/ssl/server.key |
| version_ssl_library | YaSSL 2.4.4 |
+---------------------+-----------------------------------------------+
大卫也有同样的问题。@David的解决方案对我不起作用,但这有助于: 结果表明,mysql用户需要拥有证书文件