Using SSL for Secure Connections
609
• --ssl-verify-server-cert
This option is available for client programs only, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default. This option was added in MySQL 5.0.23.
6.3.6.5. Setting Up SSL Certificates and Keys for MySQL
This section demonstrates how to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
Example 1: Creating SSL Files from the Command Line on Unix
The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.
# Create clean environment
shell> rm -rf newcerts
shell> mkdir newcerts && cd newcerts

# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 3600 \
         -key ca-key.pem -out ca-cert.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout server-key.pem -out server-req.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
shell> openssl x509 -req -in server-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
shell> openssl req -newkey rsa:2048 -days 3600 \
         -nodes -keyout client-key.pem -out client-req.pem
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl x509 -req -in client-req.pem -days 3600 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
After generating the certificates, verify them:

shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Now you have a set of files that can be used as follows:
• ca-cert.pem: Use this as the argument to --ssl-ca on the server and client sides. (The CA certificate, if used, must be the same on both sides.)
• server-cert.pem, server-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the server side.
• client-cert.pem, client-key.pem: Use these as the arguments to --ssl-cert and --ssl-key on the client side.
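The same procedure as a script, added here as an example that is not part of the MySQL manual. It runs the steps above non-interactively (the -subj values stand in for the prompts), runs the openssl verify check, and then performs the comparison that the --ssl-verify-server-cert option described earlier makes on the client: the Common Name in the server certificate against the host name being connected to. The directory, host name and Common Name values are assumptions chosen for this example. Two deliberate differences from the interactive commands: every certificate gets its own Common Name, because OpenSSL treats a certificate whose subject equals its issuer as self-signed and a server or client certificate that copies the CA's name would not verify against it; and the client certificate gets serial number 02, since a CA must not issue two certificates with the same serial.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: non-interactive version of the
# command-line procedure above plus a client-side host name check.
# CERT_DIR, SERVER_HOST and the Common Name values are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-${TMPDIR:-/tmp}/mysql-ssl-example}"
SERVER_HOST="${SERVER_HOST:-mysql.example.test}"   # host name clients connect to
DAYS=3600

# Create CA, server and client key/certificate files with openssl.
# -subj replaces the interactive prompts; each certificate gets a distinct
# Common Name and each certificate issued by the CA gets its own serial.
make_certs() {
    rm -rf "$CERT_DIR"
    mkdir -p "$CERT_DIR"
    (
        cd "$CERT_DIR"
        # CA key and self-signed CA certificate (--ssl-ca on both sides)
        openssl genrsa -out ca-key.pem 2048
        openssl req -new -x509 -nodes -days "$DAYS" -key ca-key.pem \
            -subj "/CN=Example MySQL CA" -out ca-cert.pem
        # Server key and request; CN is the server host name
        # (--ssl-key / --ssl-cert on the server side)
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "/CN=$SERVER_HOST" -out server-req.pem
        openssl x509 -req -in server-req.pem -days "$DAYS" \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
        # Client key and request (--ssl-key / --ssl-cert on the client side)
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "/CN=mysql-client" -out client-req.pem
        openssl x509 -req -in client-req.pem -days "$DAYS" \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
    )
}

# Same check as the manual's "openssl verify" step; exit status 0 when both
# certificates chain to ca-cert.pem.
verify_chain() {
    openssl verify -CAfile "$CERT_DIR/ca-cert.pem" \
        "$CERT_DIR/server-cert.pem" "$CERT_DIR/client-cert.pem"
}

# Print the Common Name from a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Mirror of the client-side --ssl-verify-server-cert check: the server
# certificate's CN must equal the host name used for the connection.
check_server_name() {
    cn=$(cert_cn "$CERT_DIR/server-cert.pem")
    if [ "$cn" = "$1" ]; then
        echo "server name OK: certificate CN '$cn' matches '$1'"
        return 0
    fi
    echo "server name mismatch: certificate CN '$cn', connecting to '$1'" >&2
    return 1
}

main() {
    make_certs
    verify_chain
    check_server_name "$SERVER_HOST"
    # Connecting under any other host name must be refused.
    if check_server_name "other.example.test" 2>/dev/null; then
        echo "unexpected: mismatched host name was accepted" >&2
        return 1
    fi
    echo "files written to $CERT_DIR"
}

main
```

Run it with `SERVER_HOST=<the name clients will use> sh make-mysql-ssl.sh`; the resulting files map onto --ssl-ca, --ssl-cert and --ssl-key exactly as listed above. The host name check only reproduces the comparison the client option makes; it does not replace the chain verification, which is why both are run.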