Posted on 2020-12-11 15:34:30

Connecting to MySQL with TLS

This post was last edited by adminlily on 2020-12-11 15:37

Using TLS with iTop

If iTop is hosted on a different server than the MySQL server, and the two share infrastructure with other tenants, you will probably want encryption between the application and the database. One way to get it is MySQL's secure connections; see the official documentation: MySQL :: MySQL 5.6 Reference Manual :: 6.4 Using Encrypted Connections. Since version 2.5, iTop supports the following parameters:

Enable encryption: db_tls.enabled
Certificate authority file: db_tls.ca
If the "db_tls.ca" parameter is non-empty and points to a valid file, the server certificate is verified on every connection. By default iTop connects to MySQL with the MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag (see manual/en/mysqli.real-connect.php), which encrypts the session but does not authenticate the server; when a CA is specified, it connects with the MYSQLI_CLIENT_SSL flag instead.
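As an added example (not iTop's own code), here is how the two settings above map onto the mysqli client flags, and why the CA file matters: without it the channel is encrypted but any server presenting a certificate is accepted, so an on-path attacker who can redirect the TCP connection could impersonate the database. The config excerpt, the file paths and the helper names (GetTlsClientFlag, ConnectWithTls) are constructed for this illustration; only the db_tls.* keys and the mysqli flags come from the page.

```php
<?php
// Added example, not part of iTop: map db_tls.* settings to mysqli flags.

// Hypothetical excerpt of an iTop configuration (paths are placeholders).
$aConfig = [
    'db_tls.enabled' => true,
    'db_tls.ca'      => '/etc/ssl/certs/mysql-ca.pem', // constructed path
];

/**
 * Pick the mysqli client flag from the TLS settings.
 * Returns 0 when TLS is disabled, MYSQLI_CLIENT_SSL when a usable CA file is
 * configured (server certificate verified), and the DONT_VERIFY flag otherwise
 * (encrypted, but the server is not authenticated).
 */
function GetTlsClientFlag(array $aConfig): int
{
    if (empty($aConfig['db_tls.enabled'])) {
        return 0;
    }
    $sCa = $aConfig['db_tls.ca'] ?? '';
    if ($sCa !== '' && is_readable($sCa)) {
        return MYSQLI_CLIENT_SSL;
    }
    // Weak setting: keep only as a migration step until a CA is deployed.
    return MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
}

/**
 * Open the connection with the flag chosen above. Only the CA is passed to
 * ssl_set(); client key/cert stay null unless mutual TLS is wanted.
 */
function ConnectWithTls(array $aConfig, string $sHost, string $sUser, string $sPassword, string $sDb, int $iPort = 3306): mysqli
{
    $iFlag = GetTlsClientFlag($aConfig);
    $oMysqli = mysqli_init();
    if ($iFlag === MYSQLI_CLIENT_SSL) {
        $oMysqli->ssl_set(null, null, $aConfig['db_tls.ca'], null, null);
    }
    if (!$oMysqli->real_connect($sHost, $sUser, $sPassword, $sDb, $iPort, null, $iFlag)) {
        throw new RuntimeException('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error());
    }
    return $oMysqli;
}

// Usage (constructed credentials; requires a reachable MySQL server):
// $oDb = ConnectWithTls($aConfig, 'mysqlserver', 'user', 'password', 'itop');
echo 'Selected flag: ' . GetTlsClientFlag($aConfig) . "\n";
```

With the CA path missing or unreadable, GetTlsClientFlag silently falls back to the unverified flag, which mirrors the default behaviour described above; in a hardened deployment you would rather fail the connection than proceed unverified, so treat a non-zero value other than MYSQLI_CLIENT_SSL as a configuration error worth logging.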
Before using such a connection in iTop, check the configuration. In phpinfo (call setup/phpinfo.php) you should find the following in the "mysqlnd" section:

Core SSL: supported
Extended SSL: supported
Combodo also recommends testing the link with the following script:
mysql-tls-test.php (https://www.itophub.io/wiki/page?do=export_code&id=2_7_0%3Ainstall%3Aphp_and_mysql_tls&codeblock=0)

<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');
error_reporting(E_ALL | E_STRICT);
assert_options(ASSERT_ACTIVE, true);
assert_options(ASSERT_WARNING, true);
assert_options(ASSERT_BAIL, true);

$sMySqlHost = 'mysqlserver'; //TODO
$iMySqlPort = 3306;
$sMySqlUser = 'user'; //TODO
$sMySqlPassword = 'password'; //TODO
// Encrypts the session but does not verify the server certificate;
// use MYSQLI_CLIENT_SSL together with the CA below to also authenticate the server.
$iMySqlFlag = MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
$sTlsKey = '/var/mysql/client-key.pem'; //TODO fix right value, null if not used
$sTlsCert = '/var/mysql/client-cert.pem'; //TODO fix right value, null if not used
$sTlsCa = '/var/mysql/ca.pem'; //TODO fix right value, null if not used

assert(file_exists($sTlsKey), 'Can\'t open SSL Key file');
assert(file_exists($sTlsCert), 'Can\'t open SSL Cert file');
assert(file_exists($sTlsCa), 'Can\'t open SSL CA file');

echo "Trying to connect using :\n host=$sMySqlHost, user=$sMySqlUser, port=$iMySqlPort\n";
echo "TLS options :\n key=$sTlsKey\n cert=$sTlsCert\n ca=$sTlsCa\n";

$oMysqli = new mysqli();
$oMysqli->init();
$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, NULL, NULL);
$oMysqli->real_connect($sMySqlHost, $sMySqlUser, $sMySqlPassword, null, $iMySqlPort, NULL, $iMySqlFlag);

if ($oMysqli->connect_errno) {
    die('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    if (!IsOpenedDbConnectionUsingTls($oMysqli)) {
        $oMysqli->close();
        die('The connection can be opened but is not TLS encrypted !');
    }
    echo "Successfully connected using TLS !\n";
    $sTlsCipherValue = GetMySqlVarValue($oMysqli, 'ssl_cipher');
    $sTlsVersionValue = GetMySqlVarValue($oMysqli, 'ssl_version');
    echo "TLS cipher=$sTlsCipherValue\n";
    echo "TLS version=$sTlsVersionValue\n";
    $oMysqli->close();
}

/**
 * <p>A DB connection can be opened transparently (no errors thrown) without being encrypted, whereas the TLS
 * parameters were used.<br>
 * This method can be called to ensure that the DB connection really uses TLS.
 *
 * <p>We're using this object connection : {@link self::$m_oMysqli}
 *
 * @param \mysqli $oMysqli
 *
 * @return boolean true if the connection was really established using TLS
 * @throws \MySQLException
 *
 * @uses IsMySqlVarNonEmpty
 */
function IsOpenedDbConnectionUsingTls($oMysqli)
{
    $bNonEmptySslVersionVar = IsMySqlVarNonEmpty($oMysqli, 'ssl_version');
    $bNonEmptySslCipherVar = IsMySqlVarNonEmpty($oMysqli, 'ssl_cipher');
    return ($bNonEmptySslVersionVar && $bNonEmptySslCipherVar);
}

/**
 * @param \mysqli $oMysqli
 * @param string $sVarName
 *
 * @return bool
 * @throws \MySQLException
 *
 * @uses GetMySqlVarValue
 */
function IsMySqlVarNonEmpty($oMysqli, $sVarName)
{
    $sResult = GetMySqlVarValue($oMysqli, $sVarName);
    return (!empty($sResult));
}

/**
 * @param \mysqli $oMysqli
 * @param string $sVarName
 *
 * @return string
 * @throws \MySQLException
 *
 * @uses 'SHOW STATUS' queries
 */
function GetMySqlVarValue($oMysqli, $sVarName)
{
    $oResults = $oMysqli->query("SHOW SESSION STATUS LIKE '$sVarName'", MYSQLI_USE_RESULT);
    if ($oResults === false) {
        return false;
    }
    // Each row is [Variable_name, Value]; the value is the second column.
    $aResults = $oResults->fetch_array(MYSQLI_NUM);
    $sResult = $aResults[1];
    return $sResult;
}
On success you should see:

Trying to connect using :
 host=192.168.10.70, user=sha256user, port=3306
TLS options :
 key=/var/www/html/client-key.pem
 cert=/var/www/html/client-cert.pem
 ca=/var/www/html/ca.pem
Successfully connected using TLS !
TLS cipher=DHE-RSA-AES256-SHA
Troubleshooting

If you get a warning or an error about:
--ssl or --ssl-mode

such as:
https://www.itophub.io/wiki/media?media=2_7_0%3Ainstall%3Atls_mysql_warning.png
iTop >= 2.6.2 should handle these warnings with MySQL >= 5.7.0. If you still get them, or get them on a lower version or with another MySQL vendor, you can check what the server reports with:
SELECT Version() and SELECT @@version

The string you get back carries both the version and the MySQL vendor, in a format such as
10.3.15-MariaDB-log

iTop parses this information to select the right parameters for your MySQL vendor/version, so it has to be populated.
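The following is an added example, not iTop's own parser, showing how such a version string can be split into vendor and numeric version and checked against the MySQL >= 5.7.0 cut-off that the page names for the --ssl / --ssl-mode warnings. The function names (ParseMySqlVersion, IsMySqlAtLeast) and the sample strings other than "10.3.15-MariaDB-log" are constructed; which parameters iTop actually derives from the result is not shown here.

```php
<?php
// Added example, not part of iTop: parse SELECT @@version output.

/**
 * Split a server version string into vendor and numeric parts.
 * Anything without "MariaDB" in its suffix is treated as MySQL-compatible.
 * Returns ['vendor' => 'MySQL'|'MariaDB', 'version' => 'X.Y.Z'].
 */
function ParseMySqlVersion(string $sRaw): array
{
    // Leading dotted numbers, then an optional suffix such as "-MariaDB-log".
    if (!preg_match('/^(\d+\.\d+\.\d+)(.*)$/', trim($sRaw), $aMatch)) {
        throw new InvalidArgumentException("Unrecognised version string: $sRaw");
    }
    $sVendor = (stripos($aMatch[2], 'mariadb') !== false) ? 'MariaDB' : 'MySQL';
    return ['vendor' => $sVendor, 'version' => $aMatch[1]];
}

/**
 * True when the server is the given vendor at or above the minimum version.
 */
function IsMySqlAtLeast(array $aParsed, string $sVendor, string $sMin): bool
{
    return $aParsed['vendor'] === $sVendor
        && version_compare($aParsed['version'], $sMin, '>=');
}

// Constructed sample outputs; only the MariaDB one appears on the page.
$aSamples = ['10.3.15-MariaDB-log', '5.7.31-log', '8.0.22', '5.6.49'];

foreach ($aSamples as $sRaw) {
    $aParsed = ParseMySqlVersion($sRaw);
    $sVerdict = IsMySqlAtLeast($aParsed, 'MySQL', '5.7.0') ? 'MySQL >= 5.7.0' : 'other';
    printf("%-22s vendor=%-8s version=%-8s -> %s\n",
        $sRaw, $aParsed['vendor'], $aParsed['version'], $sVerdict);
}
```

For the four constructed samples this prints MySQL >= 5.7.0 for 5.7.31-log and 8.0.22 only; the MariaDB and 5.6.49 strings fall into the "other" branch, which is exactly the case the page says to double-check when the warnings persist.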
