Several configuration parameters are available to indicate whether to use encrypted connections, and to specify the appropriate certificate and key files. This section provides general guidance about configuring the server and clients for encrypted connections:

Encrypted connections also can be used in other contexts, as discussed in these additional sections:

Between source and replica replication servers. See Section 17.3.1, “Setting Up Replication to Use Encrypted Connections”.

Among Group Replication servers. See Section 18.6.2, “Securing Group Communication Connections with Secure Socket Layer (SSL)”.

By client programs that are based on the MySQL C API. See Support for Encrypted Connections.

Instructions for creating any required certificate and key files are available in Section 6.3.3, “Creating SSL and RSA Certificates and Keys”.

On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. This option is enabled by default, so it need not be specified explicitly.

To require that clients connect using encrypted connections, enable the require_secure_transport system variable. See Configuring Encrypted Connections as Mandatory.
These system variables on the server side specify the certificate and key files the server uses when permitting clients to establish encrypted connections:

ssl_ca: The path name of the Certificate Authority (CA) certificate file. (ssl_capath is similar but specifies the path name of a directory of CA certificate files.)

ssl_cert: The path name of the server public key certificate file. This certificate is sent to the client, which can verify it against the CA certificate the client holds.

ssl_key: The path name of the server private key file.

For example, to enable the server for encrypted connections, start it with these lines in the my.cnf file, changing the file names as necessary:

[mysqld]
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem

To specify in addition that clients are required to use encrypted connections, enable the require_secure_transport system variable:

[mysqld]
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem
require_secure_transport=ON
Each certificate and key system variable names a file in PEM format. Should you need to create the required certificate and key files, see Section 6.3.3, “Creating SSL and RSA Certificates and Keys”. MySQL servers compiled using OpenSSL can generate missing certificate and key files automatically at startup. See Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”. Alternatively, if you have a MySQL source distribution, you can test your setup using the demonstration certificate and key files in its mysql-test/std_data directory. Because those files ship in the public source tree, their private keys are public; use them only for testing, never in a deployment.

The server performs certificate and key file autodiscovery. If no explicit encrypted-connection options are given other than --ssl (possibly along with ssl_cipher) to configure encrypted connections, the server attempts to enable encrypted-connection support automatically at startup:

If the server discovers valid certificate and key files named ca.pem, server-cert.pem, and server-key.pem in the data directory, it enables support for encrypted connections by clients. (The files need not have been generated automatically; what matters is that they have those names and are valid.)

If the server does not find valid certificate and key files in the data directory, it continues executing but without support for encrypted connections.

If the server automatically enables encrypted connection support, it writes a note to the error log. If the server discovers that the CA certificate is self-signed, it writes a warning to the error log. (The certificate is self-signed if created automatically by the server or manually using mysql_ssl_rsa_setup.) Because such self-signed certificates do not carry the server host name, clients cannot verify them with --ssl-mode=VERIFY_IDENTITY; see the client-side discussion later in this section.
MySQL also provides these system variables for server-side encrypted-connection control:

ssl_cipher: The list of permissible ciphers for connection encryption.

ssl_crl: The path name of the file containing certificate revocation lists. (ssl_crlpath is similar but specifies the path name of a directory of certificate revocation-list files.)

tls_version, tls_ciphersuites: Which encryption protocols and ciphersuites the server permits for encrypted connections; see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”. For example, you can configure tls_version to prevent clients from using less-secure protocols.

If the server cannot create a valid TLS context from the system variables for server-side encrypted-connection control, the server executes without support for encrypted connections.

Prior to MySQL 8.0.16, the tls_xxx and ssl_xxx system variables that configure encrypted-connection support can be set only at server startup. These system variables therefore determine the TLS context the server uses for all new connections.

As of MySQL 8.0.16, the tls_xxx and ssl_xxx system variables are dynamic and can be set at runtime, not just at startup. If changed with SET GLOBAL, the new values apply only until server restart. If changed with SET PERSIST, the new values also carry over to subsequent server restarts. See Section 13.7.6.1, “SET Syntax for Variable Assignment”. However, runtime changes to these variables do not immediately affect the TLS context for new connections, as explained later in this section.
Along with the change in MySQL 8.0.16 that enables runtime changes to the TLS context-related system variables, the server enables runtime updates to the actual TLS context used for new connections. This capability may be useful, for example, to avoid restarting a MySQL server that has been running so long that its SSL certificate has expired.

To create the initial TLS context, the server uses the values that the context-related system variables have at startup. To expose the context values, the server also initializes a set of corresponding status variables. The following table shows the system variables that define the TLS context and the corresponding status variables that expose the currently active context values.

Table 6.11 System and Status Variables for Server Main Connection Interface TLS Context

| System Variable  | Corresponding Status Variable |
| ssl_ca           | Current_tls_ca                |
| ssl_capath       | Current_tls_capath            |
| ssl_cert         | Current_tls_cert              |
| ssl_cipher       | Current_tls_cipher            |
| ssl_crl          | Current_tls_crl               |
| ssl_crlpath      | Current_tls_crlpath           |
| ssl_key          | Current_tls_key               |
| tls_ciphersuites | Current_tls_ciphersuites      |
| tls_version      | Current_tls_version           |

As of MySQL 8.0.21, those active TLS context values are also exposed as properties in the Performance Schema tls_channel_status table, along with the properties for any other active TLS contexts.
To reconfigure the TLS context at runtime, use this procedure:

1. Set each TLS context-related system variable that should be changed to its new value.

2. Execute ALTER INSTANCE RELOAD TLS. This statement reconfigures the active TLS context from the current values of the TLS context-related system variables. It also sets the context-related status variables to reflect the new active context values. The statement requires the CONNECTION_ADMIN privilege.

New connections established after execution of ALTER INSTANCE RELOAD TLS use the new TLS context. Existing connections remain unaffected. If existing connections should be terminated, use the KILL statement.

The members of each pair of system and status variables may have different values temporarily due to the way the reconfiguration procedure works:

Changes to the system variables prior to ALTER INSTANCE RELOAD TLS do not change the TLS context. At this point, those changes have no effect on new connections, and corresponding context-related system and status variables may have different values. This enables you to make any changes required to individual system variables, then update the active TLS context atomically with ALTER INSTANCE RELOAD TLS after all system variable changes have been made.

After ALTER INSTANCE RELOAD TLS, corresponding system and status variables have the same values. This remains true until the next change to the system variables.

In some cases, ALTER INSTANCE RELOAD TLS by itself may suffice to reconfigure the TLS context, without changing any system variables. Suppose that the certificate in the file named by ssl_cert has expired. It is sufficient to replace the existing file contents with a nonexpired certificate and execute ALTER INSTANCE RELOAD TLS to cause the new file contents to be read and used for new connections.
As of MySQL 8.0.21, the server implements independent connection-encryption configuration for the administrative connection interface. See Administrative Interface Support for Encrypted Connections. In addition, ALTER INSTANCE RELOAD TLS is extended with a FOR CHANNEL clause that enables specifying the channel (interface) for which to reload the TLS context. See Section 13.1.5, “ALTER INSTANCE Statement”. There are no status variables to expose the administrative interface TLS context, but the Performance Schema tls_channel_status table exposes TLS properties for both the main and administrative interfaces. See Section 27.12.21.7, “The tls_channel_status Table”.

Updating the main interface TLS context has these effects:

The update changes the TLS context used for new connections on the main connection interface.

The update also changes the TLS context used for new connections on the administrative interface unless some nondefault TLS parameter value is configured for that interface.

The update does not affect the TLS context used by other enabled server plugins or components such as Group Replication or X Plugin:

To apply the main interface reconfiguration to Group Replication's group communication connections, which take their settings from the server's TLS context-related system variables, you must execute STOP GROUP_REPLICATION followed by START GROUP_REPLICATION to stop and restart Group Replication.

X Plugin initializes its TLS context at plugin initialization as described at Section 20.5.3, “Using Encrypted Connections with X Plugin”. This context does not change thereafter.

By default, the RELOAD TLS action rolls back with an error and has no effect if the configuration values do not permit creation of the new TLS context. The previous context values continue to be used for new connections. If the optional NO ROLLBACK ON ERROR clause is given and the new context cannot be created, rollback does not occur. Instead, a warning is generated and encryption is disabled for new connections on the interface to which the statement applies. Because that downgrades new connections to plaintext on a misconfiguration, prefer the default rollback behavior for routine certificate rotation.

Options that enable or disable encrypted connections on a connection interface have an effect only at startup. For example, the --ssl and --admin-ssl options affect only at startup whether the main and administrative interfaces support encrypted connections. Such options are ignored and have no effect on the operation of ALTER INSTANCE RELOAD TLS at runtime. For example, you can use --ssl=OFF to start the server with encrypted connections disabled on the main interface, then reconfigure TLS and execute ALTER INSTANCE RELOAD TLS to enable encrypted connections at runtime.
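The runtime reconfiguration procedure just described, carried through as one session (record the active context, change the variables, check for drift, reload, verify, terminate old sessions). This is an added example, not code from the MySQL manual. The certificate paths, the TLS version list and the PROCESSLIST_ID to terminate are assumptions; the drift check and the per-session cipher listing rely on the Performance Schema tables global_variables, global_status, tls_channel_status, threads and status_by_thread being enabled, which is the default. The FOR CHANNEL clause and tls_channel_status need MySQL 8.0.21 or later; the rest works from 8.0.16.

```sql
-- 0. What is in force right now? Status variables show the ACTIVE context.
SHOW GLOBAL STATUS LIKE 'Current_tls_%';

-- 1. Configure the renewed files and drop the legacy protocols (paths assumed).
--    SET PERSIST keeps the values across restarts; nothing is active yet.
SET PERSIST ssl_ca      = '/etc/mysql/tls/ca.pem';
SET PERSIST ssl_cert    = '/etc/mysql/tls/server-cert.pem';
SET PERSIST ssl_key     = '/etc/mysql/tls/server-key.pem';
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';

-- 2. Drift check: configured (system variable) versus active (status variable).
--    differs = 1 marks a pending change that new connections do not use yet.
SELECT v.VARIABLE_NAME                      AS system_variable,
       v.VARIABLE_VALUE                     AS configured,
       s.VARIABLE_VALUE                     AS active,
       v.VARIABLE_VALUE <> s.VARIABLE_VALUE AS differs
FROM performance_schema.global_variables AS v
JOIN performance_schema.global_status    AS s
  ON s.VARIABLE_NAME = CONCAT('Current_tls_',
                              SUBSTRING_INDEX(v.VARIABLE_NAME, '_', -1))
WHERE v.VARIABLE_NAME IN ('ssl_ca', 'ssl_capath', 'ssl_cert', 'ssl_cipher',
                          'ssl_crl', 'ssl_crlpath', 'ssl_key',
                          'tls_ciphersuites', 'tls_version')
ORDER BY v.VARIABLE_NAME;

-- 3. Swap the active context atomically (needs CONNECTION_ADMIN). With the
--    default rollback, an unreadable or mismatched file raises an error and
--    the old context stays in use. Avoid NO ROLLBACK ON ERROR for rotation:
--    on failure it disables encryption for new connections on that channel.
ALTER INSTANCE RELOAD TLS;
-- Only needed when the admin interface has its own admin_ssl_* / admin_tls_*
-- settings; otherwise it follows the main interface.
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;

-- 4. Re-run step 2: every row should now report differs = 0. From 8.0.21 the
--    active properties of both channels are also visible here:
SELECT CHANNEL, PROPERTY, VALUE
FROM performance_schema.tls_channel_status
ORDER BY CHANNEL, PROPERTY;

-- 5. Sessions opened before the reload keep the old context. List them with
--    the cipher they negotiated (empty = plaintext) and KILL the ones that
--    must re-handshake on the new certificate.
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST,
       s.VARIABLE_VALUE AS ssl_cipher
FROM performance_schema.threads          AS t
JOIN performance_schema.status_by_thread AS s ON s.THREAD_ID = t.THREAD_ID
WHERE s.VARIABLE_NAME = 'Ssl_cipher'
  AND t.PROCESSLIST_ID IS NOT NULL
  AND t.PROCESSLIST_ID <> CONNECTION_ID();
-- KILL 42;   -- placeholder: a PROCESSLIST_ID taken from the list above
```

Run step 2 both before and after the reload: before it, rows with differs = 1 are exactly the changes still waiting to be applied; after it, any remaining difference means the reload rolled back and the error message says why.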
For a complete list of client options related to establishment of encrypted connections, see Command Options for Encrypted Connections.

By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections, with further control available through the --ssl-mode option:

In the absence of an --ssl-mode option, clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established. This is also the behavior with an explicit --ssl-mode=PREFERRED option.

With --ssl-mode=REQUIRED, clients require an encrypted connection and fail if one cannot be established.

With --ssl-mode=DISABLED, clients use an unencrypted connection.

With --ssl-mode=VERIFY_CA or --ssl-mode=VERIFY_IDENTITY, clients require an encrypted connection, and also perform verification against the server CA certificate and (with VERIFY_IDENTITY) against the server host name in its certificate.

Note that PREFERRED and REQUIRED encrypt the connection but do not verify who the server is; only VERIFY_CA and VERIFY_IDENTITY authenticate the server, so they are the modes that protect against an attacker interposed on the network rather than merely against passive eavesdropping.

Attempts to establish an unencrypted connection fail if the require_secure_transport system variable is enabled on the server side to cause the server to require encrypted connections. See Configuring Encrypted Connections as Mandatory.

The following options on the client side identify the certificate and key files clients use when establishing encrypted connections to the server. They are similar to the ssl_ca, ssl_cert, and ssl_key system variables used on the server side, but --ssl-cert and --ssl-key identify the client public and private key:

--ssl-ca: The path name of the Certificate Authority (CA) certificate file. This option, if used, must specify the same certificate used by the server. (--ssl-capath is similar but specifies the path name of a directory of CA certificate files.)

--ssl-cert: The path name of the client public key certificate file.

--ssl-key: The path name of the client private key file.
For additional security relative to that provided by the default encryption, clients can supply a CA certificate matching the one used by the server and enable host name identity verification. In this way, the server and client place their trust in the same CA certificate and the client verifies that the host to which it connected is the one intended:

To specify the CA certificate, use --ssl-ca (or --ssl-capath), and specify --ssl-mode=VERIFY_CA.

To enable host name identity verification as well, use --ssl-mode=VERIFY_IDENTITY rather than --ssl-mode=VERIFY_CA.

Host name identity verification with VERIFY_IDENTITY does not work with self-signed certificates that are created automatically by the server or manually using mysql_ssl_rsa_setup (see Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

Prior to MySQL 8.0.12, host name identity verification also does not work with certificates that specify the Common Name using wildcards because that name is compared verbatim to the server name.

MySQL also provides these options for client-side encrypted-connection control:

--ssl-cipher: The list of permissible ciphers for connection encryption.

--ssl-crl: The path name of the file containing certificate revocation lists. (--ssl-crlpath is similar but specifies the path name of a directory of certificate revocation-list files.)

--tls-version, --tls-ciphersuites: The permitted encryption protocols and ciphersuites; see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
Depending on the encryption requirements of the MySQL account used by a client, the client may be required to specify certain options to connect using encryption to the MySQL server.

Suppose that you want to connect using an account that has no special encryption requirements or that was created using a CREATE USER statement that included the REQUIRE SSL clause. Assuming that the server supports encrypted connections, a client can connect using encryption with no --ssl-mode option or with an explicit --ssl-mode=PREFERRED option:

mysql

Or:

mysql --ssl-mode=PREFERRED

For an account created with a REQUIRE SSL clause, the connection attempt fails if an encrypted connection cannot be established. For an account with no special encryption requirements, the attempt falls back to an unencrypted connection if an encrypted connection cannot be established. To prevent fallback and fail if an encrypted connection cannot be obtained, connect like this:

mysql --ssl-mode=REQUIRED

If the account has more stringent security requirements, other options must be specified to establish an encrypted connection:

For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath), combined with --ssl-mode=VERIFY_CA as described earlier, is recommended so that the public certificate provided by the server is verified. For example (enter the command on a single line):

mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

For accounts created with a REQUIRE ISSUER or REQUIRE SUBJECT clause, the encryption requirements are the same as for REQUIRE X509, but the certificate must match the issuer or subject, respectively, specified in the account definition.

For additional information about the REQUIRE clause, see Section 13.7.1.3, “CREATE USER Statement”.

To prevent use of encryption and override other --ssl-xxx options, invoke the client program with --ssl-mode=DISABLED:

mysql --ssl-mode=DISABLED
To determine whether the current connection with the server uses encryption, check the session value of the Ssl_cipher status variable. If the value is empty, the connection is not encrypted. Otherwise, the connection is encrypted and the value indicates the encryption cipher. For example:

mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher';
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES128-GCM-SHA256 |
+---------------+---------------------------+

For the mysql client, an alternative is to use the STATUS or \s command and check the SSL line:

mysql> \s
...
SSL: Not in use
...

Or:

mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES128-GCM-SHA256
...
For some MySQL deployments it may be not only desirable but mandatory to use encrypted connections (for example, to satisfy regulatory requirements). This section discusses configuration settings that enable you to do this. These levels of control are available:

You can configure the server to require that clients connect using encrypted connections.

You can invoke individual client programs to require an encrypted connection, even if the server permits but does not require encryption.

You can configure individual MySQL accounts to be usable only over encrypted connections.

To require that clients connect using encrypted connections, enable the require_secure_transport system variable. For example, put these lines in the server my.cnf file:

[mysqld]
require_secure_transport=ON

Alternatively, to set and persist the value at runtime, use this statement:

SET PERSIST require_secure_transport=ON;

SET PERSIST sets the value for the running MySQL instance. It also saves the value, causing it to be used for subsequent server restarts. See Section 13.7.6.1, “SET Syntax for Variable Assignment”.

With require_secure_transport enabled, client connections to the server are required to use some form of secure transport, and the server permits only TCP/IP connections that use SSL, or connections that use a socket file (on Unix) or shared memory (on Windows). The server rejects nonsecure connection attempts, which fail with an ER_SECURE_TRANSPORT_REQUIRED error.

To invoke a client program such that it requires an encrypted connection whether or not the server requires encryption, use an --ssl-mode option value of REQUIRED, VERIFY_CA, or VERIFY_IDENTITY. For example:

mysql --ssl-mode=REQUIRED
mysqldump --ssl-mode=VERIFY_CA
mysqladmin --ssl-mode=VERIFY_IDENTITY

To configure a MySQL account to be usable only over encrypted connections, include a REQUIRE clause in the CREATE USER statement that creates the account, specifying in that clause the encryption characteristics you require. For example, to require an encrypted connection and the use of a valid X.509 certificate, use REQUIRE X509:

CREATE USER 'jeffrey'@'localhost' REQUIRE X509;

For additional information about the REQUIRE clause, see Section 13.7.1.3, “CREATE USER Statement”.

To modify existing accounts that have no encryption requirements, use the ALTER USER statement.
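The account-level requirements covered here and in the earlier discussion of REQUIRE SSL, X509, ISSUER and SUBJECT, shown together with the audit query a practitioner wants afterwards. This is an added example, not code from the MySQL manual. The account names, host patterns, passwords, and the subject and issuer strings are constructed; the subject and issuer must be copied exactly from the client certificate (for instance from the output of openssl x509 -noout -subject -issuer), because the server compares them as strings.

```sql
-- REQUIRE SSL: any encrypted connection, no client certificate needed.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'example-app-password' REQUIRE SSL;

-- REQUIRE X509: encrypted, and the client must present a certificate that
-- verifies against the server's ssl_ca (any subject accepted).
CREATE USER 'batch'@'%' IDENTIFIED BY 'example-batch-password' REQUIRE X509;

-- REQUIRE SUBJECT / ISSUER: as X509, plus the certificate's DN fields must
-- match these strings exactly. Pin both, so that a certificate for the same
-- subject issued by a different CA in the server's trust bundle is rejected.
CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'example-jeffrey-password'
  REQUIRE SUBJECT '/C=US/ST=CA/L=San Francisco/O=Example Corp/CN=jeffrey'
      AND ISSUER  '/C=US/ST=CA/L=San Francisco/O=Example Corp/CN=Example CA';

-- Tighten an existing account that has no encryption requirement ...
ALTER USER 'legacy'@'%' REQUIRE SSL;
-- ... or clear its requirements again.
-- ALTER USER 'legacy'@'%' REQUIRE NONE;

-- Audit: which accounts may still log in over plaintext? ssl_type '' means no
-- requirement; ANY = REQUIRE SSL, X509 = REQUIRE X509, SPECIFIED = a
-- SUBJECT / ISSUER / CIPHER requirement.
SELECT User, Host, ssl_type, x509_subject, x509_issuer, ssl_cipher
FROM mysql.user
WHERE ssl_type = ''
ORDER BY User, Host;

-- Confirm what the server stored for one account.
SHOW CREATE USER 'jeffrey'@'%';
```

The audit query lists accounts that require_secure_transport is the only thing standing between and a plaintext login; with that variable enabled they can still connect over TCP/IP only with TLS, but the per-account REQUIRE clause is what keeps the protection if the server setting is ever relaxed.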