I'm seeking to clear some information up for myself involving remote SSL connections to MySQL. Particularly, once I have MySQL set up to enable SSL and have a remote user that requires SSL.
This is how I connect (command line), remotely, to MySQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
My question is: Why do I have to provide the ca.pem file as the client?
These are the steps I took to install MySQL on the server and set up remote access (Ubuntu):
Steps to Enable SSL for MySQL
1) Obtain my Certificate Authority cert, Database cert, Database key
- ca.pem (Certificate Authority cert)
- dbcert.pem (Database cert)
- dbkey.pem (Database key)
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3) Restart mysql and confirm SSL is enabled by logging in and typing the following:
show variables like '%ssl%';
Configure Remote Connection Requiring SSL
1) Comment out the following lines in /etc/mysql/my.cnf
#bind-address
#skip-networking
2) Login to mysql and grant a user access to, in this case, every database
GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL;
At this point, I have MySQL set up to enable SSL and I have a remote user that will require SSL to log in. I am able to log in on a remote command line, but I need to specify the --ssl-ca.
Why do I have to provide the ssl-ca from the client? Is there a way to do this so that I don't have to?
I would really appreciate some insight here.
Thanks in advance.
Unlike your typical web browser, a command-line tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built-in list of certification authorities, and you implicitly trust them (whether you know it or not).

When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the CA signing it."

For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
http://razorsql.com/articles/mysql_ssl_jdbc.html
How can I configure Hibernate to use SSL to talk to the DB server?
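As an added example (not code from the question, the answer, or MySQL itself), the shell script below reproduces with openssl the decision the client has to make with the file named by --ssl-ca: it creates a throwaway private CA, issues a server certificate laid out like the three files in the question (ca.pem, dbcert.pem, dbkey.pem), and shows that dbcert.pem verifies against that ca.pem but not against an unrelated CA. The CA names, the server CN 192.168.5.5, the temporary paths and the "other" CA are assumptions made for the demo; openssl must be installed, and the one function that talks to a real MySQL server is defined but not run.

```shell
#!/bin/sh
# Added example, not code from the original post or from MySQL.
# Reproduces with openssl the check the mysql client performs on the
# server certificate when it is given --ssl-ca: does dbcert.pem chain
# to the CA in ca.pem?  Assumptions: openssl is installed; file names
# follow the post; the CA names, the server CN and the second
# "unrelated" CA are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the three files the server's [mysqld] section points at, plus a
# second CA that did not sign the server certificate.
make_certs() {
    # Private CA (self-signed root).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/ca.pem" 2>/dev/null
    # Server key and CSR, then sign the CSR with the private CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=192.168.5.5" \
        -keyout "$WORK/dbkey.pem" -out "$WORK/db.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/db.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/dbcert.pem" 2>/dev/null
    # An unrelated CA: what a client with the wrong trust anchor holds.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/otherkey.pem" -out "$WORK/other-ca.pem" 2>/dev/null
}

# verify_against CAFILE: exit 0 if dbcert.pem chains to CAFILE, non-zero
# otherwise. The server only ever sends its own certificate; the trust
# anchor (ca.pem) has to come from the client side, which is what
# --ssl-ca supplies.
verify_against() {
    openssl verify -CAfile "$1" "$WORK/dbcert.pem" >/dev/null 2>&1
}

# Prints the client command from the post pointed at the generated ca.pem;
# user and host are the post's placeholders, not a real server.
client_command() {
    printf 'mysql -uMyUserName -p -h192.168.5.5 --ssl-ca=%s\n' "$WORK/ca.pem"
}

# For a live server (not run here): pass the usual connection options.
# Shows the server-side ssl variables from the post and whether THIS
# session negotiated a cipher; an empty Ssl_cipher means plaintext.
check_live_server() {
    mysql "$@" -e "SHOW VARIABLES LIKE '%ssl%'; SHOW STATUS LIKE 'Ssl_cipher';"
}

make_certs
if verify_against "$WORK/ca.pem"; then
    echo "ca.pem signed dbcert.pem: client would complete the handshake"
fi
if ! verify_against "$WORK/other-ca.pem"; then
    echo "other-ca.pem did not sign dbcert.pem: client would reject the server"
fi
client_command
```

The openssl verify call is the whole of what --ssl-ca buys you: a certificate that is well-formed but chains to no CA the client knows is indistinguishable from one minted by an attacker on the path, so the client must be handed the trust anchor out of band. Once connected to a real server, a non-empty Ssl_cipher from check_live_server confirms the session is actually encrypted rather than merely permitted by REQUIRE SSL.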