MySQL supports multiple TLS protocols and ciphers, and enables configuring which protocols and ciphers to permit for encrypted connections. It is also possible to determine which protocol and cipher the current session uses.MySQL支持多种TLS协议和密码,并允许配置允许加密连接的协议和密码。还可以确定当前会话使用哪种协议和密码。
MySQL supports encrypted connections using the TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3 protocols, listed in order from less secure to more secure. The set of protocols actually permitted for connections is subject to multiple factors:MySQL支持使用TLSv1、TLSv1.1、TLSv1.2和TLSv1.3协议的加密连接,按安全性从低到高的顺序列出。实际允许连接的协议集受多种因素的影响:
MySQL configuration. Permitted TLS protocols can be configured on both the server side and client side to include only a subset of the supported TLS protocols. MySQL配置。允许的TLS协议可以在服务器端和客户端上配置,以仅包括支持的TLS协议的一个子集。The configuration on both sides must include at least one protocol in common or connection attempts cannot negotiate a protocol to use. For details, see Connection TLS Protocol Negotiation.双方的配置必须至少包含一个共同的协议,否则连接尝试无法协商要使用的协议。有关详细信息,请参阅连接TLS协议协商。
System-wide host configuration. The host system may permit only certain TLS protocols, which means that MySQL connections cannot use nonpermitted protocols even if MySQL itself permits them:全系统主机配置。主机系统可能只允许某些TLS协议,这意味着MySQL连接不能使用不允许的协议,即使MySQL本身允许它们:
Suppose that MySQL configuration permits TLSv1, TLSv1.1, and TLSv1.2, but your host system configuration permits only connections that use TLSv1.2 or higher. 假设MySQL配置允许TLSv1、TLSv1.1和TLSv1.2,但您的主机系统配置只允许使用TLSv1.2或更高版本的连接。In this case, you cannot establish MySQL connections that use TLSv1 or TLSv1.1, even though MySQL is configured to permit them, because the host system does not permit them.在这种情况下,您无法建立使用TLSv1或TLSv1.1的MySQL连接,即使MySQL配置为允许它们,因为主机系统不允许它们。
If MySQL configuration permits TLSv1, TLSv1.1, and TLSv1.2, but your host system configuration permits only connections that use TLSv1.3 or higher, you cannot establish MySQL connections at all, because no protocol permitted by MySQL is permitted by the host system.如果MySQL配置允许TLSv1、TLSv1.1和TLSv1.2,但您的主机系统配置只允许使用TLSv1.3或更高版本的连接,则根本无法建立MySQL连接,因为主机系统不允许MySQL允许的协议。
Workarounds for this issue include:解决此问题的方法包括:
Change the system-wide host configuration to permit additional TLS protocols. Consult your operating system documentation for instructions. 更改系统范围的主机配置以允许其他TLS协议。有关说明,请参阅操作系统文档。For example, your system may have an 例如,您的系统可能有一个/etc/ssl/openssl.cnf file that contains these lines to restrict TLS protocols to TLSv1.2 or higher:/etc/ssl/openssl.cnf文件,其中包含以下行,用于将TLS协议限制为TLSv1.2或更高版本:
[system_default_sect] MinProtocol = TLSv1.2
Changing the value to a lower protocol version or 将该值更改为较低的协议版本或None makes the system more permissive. This workaround has the disadvantage that permitting lower (less secure) protocols may have adverse security consequences.None会使系统更加宽松。这种解决方法的缺点是,允许较低(安全性较低)的协议可能会产生不利的安全后果。
If you cannot or prefer not to change the host system TLS configuration, change MySQL applications to use higher (more secure) TLS protocols that are permitted by the host system. This may not be possible for older versions of MySQL that support only lower protocol versions. 如果您不能或不想更改主机系统的TLS配置,请更改MySQL应用程序以使用主机系统允许的更高(更安全)的TLS协议。对于只支持较低协议版本的MySQL旧版本,这可能是不可能的。For example, TLSv1 is the only supported protocol prior to MySQL 5.6.46, so attempts to connect to a pre-5.6.46 server fail even if the client is from a newer MySQL version that supports higher protocol versions. 例如,TLSv1是MySQL 5.6.46之前唯一支持的协议,因此即使客户端来自支持更高协议版本的较新MySQL版本,尝试连接到5.6.46以前的服务器也会失败。In such cases, an upgrade to a version of MySQL that supports additional TLS versions may be required.在这种情况下,可能需要升级到支持其他TLS版本的MySQL版本。
The SSL library. If the SSL library does not support a particular protocol, neither does MySQL, and any parts of the following discussion that specify that protocol do not apply.SSL库。如果SSL库不支持特定协议,MySQL也不支持,以下讨论中指定该协议的任何部分都不适用。
Support for the TLSv1.3 protocol is available as of MySQL 8.0.16 (as of MySQL 8.0.18 for the Group Replication component). In addition, to use TLSv1.3, both the MySQL server and the client application must be compiled using OpenSSL 1.1.1 or higher.MySQL 8.0.16开始支持TLSv1.3协议(MySQL 8.0.18开始支持组复制组件)。此外,要使用TLSv1.3,MySQL服务器和客户端应用程序都必须使用OpenSSL 1.1.1或更高版本进行编译。
On the server side, the value of the 在服务器端,tls_version system variable determines which TLS protocols a MySQL server permits for encrypted connections. tls_version系统变量的值决定了MySQL服务器允许哪些tls协议用于加密连接。The tls_version value applies to connections from clients, regular source/replica replication connections where this server instance is the source, Group Replication group communication connections, and Group Replication distributed recovery connections where this server instance is the donor. tls_version值适用于来自客户端的连接、此服务器实例作为源的常规源/副本复制连接、组复制组通信连接以及此服务器实例为施主的组复制分布式恢复连接。The administrative connection interface is configured similarly, but uses the 管理连接接口的配置类似,但使用admin_tls_version system variable (see Section 5.1.12.2, “Administrative Connection Management”). admin_tls_version系统变量(请参阅第5.1.12.2节,“管理连接管理”)。This discussion applies to 此讨论也适用于admin_tls_version as well.admin_tls_version。
The tls_version value is a list of one or more comma-separated protocol versions from this list (not case-sensitive): TLSv1, TLSv1.1, TLSv1.2, and (if available) TLSV1.3. By default, this variable lists all protocols supported by the SSL library used to compile MySQL. tls_version值是此列表中一个或多个逗号分隔的协议版本的列表(不区分大小写):TLSv1、TLSv1.1、TLSv1.2和(如果可用)TLSv1.3。默认情况下,此变量列出了用于编译MySQL的SSL库支持的所有协议。To determine the value of 要在运行时确定tls_version at runtime, use this statement:tls_version的值,请使用以下语句:
mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------------+
| Variable_name | Value |
+---------------+-----------------------+
| tls_version | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+
To change the value of 要更改tls_version, set it at server startup. tls_version的值,请在服务器启动时设置它。For example, to permit connections that use the TLSv1.1 or TLSv1.2 protocol, but prohibit connections that use the less-secure TLSv1 protocol, use these lines in the server 例如,要允许使用TLSv1.1或TLSv1.2协议的连接,但禁止使用不太安全的TLSv1协议的连接。请在服务器my.cnf file:my.cnf文件中使用以下行:
[mysqld] tls_version=TLSv1.1,TLSv1.2
To be even more restrictive and permit only TLSv1.2 connections, set 为了更严格地限制并只允许TLSv1.2连接,请按如下方式设置tls_version like this:tls_version:
[mysqld] tls_version=TLSv1.2
As of MySQL 8.0.16, 从MySQL 8.0.16开始,tls_version也可以在运行时更改。请参阅加密连接的服务器端运行时配置和监视。tls_version can also be changed at runtime. See Server-Side Runtime Configuration and Monitoring for Encrypted Connections.
As of MySQL 8.0.26, the TLSv1 and TLSv1.1 connection protocols are deprecated and support for them is subject to removal in a future version of MySQL. See Deprecated TLS Protocols.从MySQL 8.0.26开始,TLSv1和TLSv1.1连接协议已被弃用,在MySQL的未来版本中,对它们的支持可能会被删除。请参阅弃用的TLS协议。
On the client side, the 在客户端,--tls-version option specifies which TLS protocols a client program permits for connections to the server. --tls-version选项指定客户端程序允许哪些tls协议连接到服务器。The format of the option value is the same as for the 选项值的格式与前面描述的tls_version system variable described previously (a list of one or more comma-separated protocol versions).tls_version系统变量的格式相同(一个或多个逗号分隔的协议版本的列表)。
For source/replica replication connections where this server instance is the replica, the 对于此服务器实例为副本的源/副本复制连接,SOURCE_TLS_VERSION | MASTER_TLS_VERSION option for the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23) specifies which TLS protocols the replica permits for connections to the source. CHANGE REPLICATION SOURCE TO语句(来自MySQL 8.0.23)或CHANGE MASTER TO语句(MySQL 8.0.22之前)的SOURCE_TLS_VERSION | MASTER _TLS_VERSION选项指定了副本允许连接到源的TLS协议。The format of the option value is the same as for the 选项值的格式与前面描述的tls_version system variable described previously. tls_version系统变量的格式相同。See Section 17.3.1, “Setting Up Replication to Use Encrypted Connections”.请参阅第17.3.1节,“设置复制以使用加密连接”。
The protocols that can be specified for 可以为SOURCE_TLS_VERSION | MASTER_TLS_VERSION depend on the SSL library. SOURCE_TLS_VERSION | MASTER_TLS_VERSION指定的协议取决于SSL库。This option is independent of and not affected by the server 此选项独立于服务器tls_version value. tls_version值,不受其影响。For example, a server that acts as a replica can be configured with 例如,充当副本的服务器可以配置为tls_version set to TLSv1.3 to permit only incoming connections that use TLSv1.3, but also configured with SOURCE_TLS_VERSION | MASTER_TLS_VERSION set to TLSv1.2 to permit only TLSv1.2 for outgoing replica connections to the source.tls_version设置为TLSv1.3,只允许使用TLSv1.3的传入连接,也可以配置为SOURCE_TLS_VERSION | MASTER_TLS_VERSION设置为TLSv1.2,只允许TLSv1.2用于到源的传出副本连接。
For Group Replication distributed recovery connections where this server instance is the joining member that initiates distributed recovery (that is, the client), the 对于组复制分布式恢复连接,其中此服务器实例是启动分布式恢复的加入成员(即客户端),group_replication_recovery_tls_version system variable specifies which protocols are permitted by the client. group_replication_recovery_tls_version系统变量指定客户端允许哪些协议。This option is independent of and not affected by the server 此选项独立于服务器tls_version value, which applies when this server instance is the donor. tls_version值,不受其影响,当此服务器实例是施主时,该值适用。A Group Replication server generally participates in distributed recovery both as a donor and as a joining member over the course of its group membership, so both these system variables should be set. 组复一致性务器通常在其组成员身份过程中以捐赠者和加入成员的身份参与分布式恢复,因此应设置这两个系统变量。See Section 18.6.2, “Securing Group Communication Connections with Secure Socket Layer (SSL)”.请参阅第18.6.2节,“使用安全套接字层(SSL)保护组通信连接”。
TLS protocol configuration affects which protocol a given connection uses, as described in Connection TLS Protocol Negotiation.TLS协议配置会影响给定连接使用的协议,如连接TLS协议协商中所述。
Permitted protocols should be chosen such as not to leave “holes” in the list. For example, these server configuration values do not have holes:应选择允许的协议,以免在列表中留下“漏洞”。例如,这些服务器配置值没有漏洞:
tls_version=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 tls_version=TLSv1.1,TLSv1.2,TLSv1.3 tls_version=TLSv1.2,TLSv1.3 tls_version=TLSv1.3
These values do have holes and should not be used:这些值确实有孔,不应使用:
tls_version=TLSv1,TLSv1.2(TLSv1.1 is missing)tls_version=TLSv1.1,TLSv1.3(TLSv1.2 is missing)
The prohibition on holes also applies in other configuration contexts, such as for clients or replicas.对漏洞的禁止也适用于其他配置环境,例如客户端或副本。
Unless you intend to disable encrypted connections, the list of permitted protocols should not be empty. If you set a TLS version parameter to the empty string, encrypted connections cannot be established:除非您打算禁用加密连接,否则允许的协议列表不应为空。如果将TLS版本参数设置为空字符串,则无法建立加密连接:
tls_version: The server does not permit encrypted incoming connections.:服务器不允许加密的传入连接。
--tls-version: The client does not permit encrypted outgoing connections to the server.:客户端不允许与服务器进行加密的传出连接。
SOURCE_TLS_VERSION | MASTER_TLS_VERSION: The replica does not permit encrypted outgoing connections to the source.:副本不允许与源进行加密的传出连接。
group_replication_recovery_tls_version: The joining member does not permit encrypted connections to the distributed recovery connection.:加入成员不允许加密连接到分布式恢复连接。
As of MySQL 8.0.26, the TLSv1 and TLSv1.1 connection protocols are deprecated and support for them is subject to removal in a future MySQL version. 从MySQL 8.0.26开始,TLSv1和TLSv1.1连接协议已弃用,在未来的MySQL版本中可能会删除对它们的支持。(For background, refer to the IETF memo Deprecating TLSv1.0 and TLSv1.1.) (有关背景,请参阅IETF备忘录《弃用TLSv1.0和TLSv1.1》。)It is recommended that connections be made using the more-secure TLSv1.2 and TLSv1.3 protocols. TLSv1.3 requires that both the MySQL server and the client application be compiled with OpenSSL 1.1.1 or higher.建议使用更安全的TLSv1.2和TLSv1.3协议进行连接。TLSv1.3要求MySQL服务器和客户端应用程序都使用OpenSSL 1.1.1或更高版本进行编译。
On the server side, this deprecation has the following effects:在服务器端,这种弃用具有以下影响:
If the 如果在服务器启动期间为tls_version or admin_tls_version system variable is assigned a value containing a deprecated TLS protocol during server startup, the server produces a warning for each deprecated protocol:tls_version或admin_tls_version系统变量分配了一个包含弃用tls协议的值,则服务器会为每个弃用协议生成警告:
If the assignment occurs during server startup, the warning appears in the error log.如果分配发生在服务器启动期间,则警告将出现在错误日志中。
If the assignment occurs at runtime, the warning is added to the result of executing the 如果分配发生在运行时,则警告将添加到执行ALTER INSTANCE RELOAD TLS statement.ALTER INSTANCE RELOAD TLS语句的结果中。
If a client successfully connects using a deprecated TLS protocol, the server writes a warning to the error log.如果客户端使用弃用的TLS协议成功连接,服务器会在错误日志中写入警告。
On the client side, the deprecation has no visible effect. Clients do not issue a warning if configured to permit a deprecated TLS protocol. This includes:在客户端,弃用没有明显的效果。如果配置为允许弃用的TLS协议,客户端不会发出警告。这包括:
Client programs that support a 支持--tls-version option for specifying TLS protocols for connections to the MySQL server.--tls-version选项的客户端程序,用于为MySQL服务器的连接指定tls协议。
Statements that enable replicas to specify TLS protocols for connections to the source server. 允许副本为连接到源服务器指定TLS协议的语句。((CHANGE REPLICATION SOURCE TO has a SOURCE_TLS_VERSION option and CHANGE MASTER TO has a MASTER_TLS_VERSION option.)CHANGE REPLICATION SOURCE TO具有SOURCE_TLS_VERSION选项,CHANGE MASTER TO具有MASTER_TLS_VERSION选项。)
The group_replication_recovery_tls_version system variable that enables joining members to specify TLS protocols for distributed recovery connections.group_replication_recovery_tls_version系统变量,使加入成员能够为分布式恢复连接指定tls协议。
A default set of ciphers applies to encrypted connections, which can be overridden by explicitly configuring the permitted ciphers. During connection establishment, both sides of a connection must permit some cipher in common or the connection fails. 默认密码集适用于加密连接,可以通过显式配置允许的密码来覆盖。在连接建立过程中,连接的双方必须允许一些共同的密码,否则连接将失败。Of the permitted ciphers common to both sides, the SSL library chooses the one supported by the provided certificate that has the highest priority.在双方通用的允许密码中,SSL库选择所提供证书支持的具有最高优先级的密码。
To specify a cipher or ciphers applicable for encrypted connections that use TLS protocols up through TLSv1.2:要指定适用于使用TLS协议至TLSv1.2的加密连接的一个或多个密码:
Set the 在服务器端设置ssl_cipher system variable on the server side, and use the --ssl-cipher option for client programs.ssl_cipher系统变量,并对客户端程序使用--sslcipher选项。
For regular source/replica replication connections, where this server instance is the source, set the 对于以该服务器实例为源的常规源/副本复制连接,设置ssl_cipher system variable. ssl_cipher系统变量。Where this server instance is the replica, use the 如果此服务器实例是副本,请对SOURCE_SSL_CIPHER | MASTER_SSL_CIPHER option for the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23). CHANGE REPLICATION SOURCE TO语句(来自MySQL 8.0.23)或CHANGE MASTER TO语句(在MySQL 8.0.22之前)使用SOURCE_SSL_CIPHER | MASTER _SSL_CIPVER选项。See Section 17.3.1, “Setting Up Replication to Use Encrypted Connections”.请参阅第17.3.1节,“设置复制以使用加密连接”。
For a Group Replication group member, for Group Replication group communication connections and also for Group Replication distributed recovery connections where this server instance is the donor, set the 对于组复制组成员、组复制组通信连接以及此服务器实例为施主的组复制分布式恢复连接,请设置ssl_cipher system variable. ssl_cipher系统变量。For Group Replication distributed recovery connections where this server instance is the joining member, use the 对于此服务器实例为加入成员的组复制分布式恢复连接,请使用group_replication_recovery_ssl_cipher system variable. group_replication_recovery_ssl_cipher系统变量。See Section 18.6.2, “Securing Group Communication Connections with Secure Socket Layer (SSL)”.请参阅第18.6.2节,“使用安全套接字层(SSL)保护组通信连接”。
For encrypted connections that use TLSv1.3, OpenSSL 1.1.1 and higher supports the following ciphersuites, the first three of which are enabled by default:对于使用TLSv1.3的加密连接,OpenSSL 1.1.1和更高版本支持以下密码套件,默认情况下启用前三个密码套件:
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256
To configure the permitted TLSv1.3 ciphersuites explicitly, set the following parameters. In each case, the configuration value is a list of zero or more colon-separated ciphersuite names.要显式配置允许的TLSv1.3密码套件,请设置以下参数。在每种情况下,配置值都是零个或多个冒号分隔的密码套件名称的列表。
On the server side, use the 在服务器端,使用tls_ciphersuites system variable. tls_cryptosuites系统变量。If this variable is not set, its default value is 如果未设置此变量,则其默认值为NULL, which means that the server permits the default set of ciphersuites. If the variable is set to the empty string, no ciphersuites are enabled and encrypted connections cannot be established.NULL,这意味着服务器允许默认的密码套件集。如果变量设置为空字符串,则不会启用任何密码套件,也无法建立加密连接。
On the client side, use the 在客户端,使用--tls-ciphersuites option. If this option is not set, the client permits the default set of ciphersuites. --tls-ciphersuites选项。如果未设置此选项,则客户端允许使用默认的密码套件集。If the option is set to the empty string, no ciphersuites are enabled and encrypted connections cannot be established.如果该选项设置为空字符串,则不会启用任何密码套件,也无法建立加密连接。
For regular source/replica replication connections, where this server instance is the source, use the 对于以该服务器实例为源的常规源/副本复制连接,请使用tls_ciphersuites system variable. tls_cryptosuites系统变量。Where this server instance is the replica, use the 如果此服务器实例是副本,请对SOURCE_TLS_CIPHERSUITES | MASTER_TLS_CIPHERSUITES option for the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23). CHANGE REPLICATION SOURCE TO语句(来自MySQL 8.0.23)或CHANGE MASTER TO语句(MySQL 8.0.22之前)使用SOURCE_TLS_CIPHERSUITES | MASTER_TLS_CIPHERSUITES选项。See Section 17.3.1, “Setting Up Replication to Use Encrypted Connections”.请参阅第17.3.1节,“设置复制以使用加密连接”。
For a Group Replication group member, for Group Replication group communication connections and also for Group Replication distributed recovery connections where this server instance is the donor, use the 对于组复制组成员、组复制组通信连接以及此服务器实例作为施主的组复制分布式恢复连接,请使用tls_ciphersuites system variable. tls_cryptosuites系统变量。For Group Replication distributed recovery connections where this server instance is the joining member, use the 对于此服务器实例为加入成员的组复制分布式恢复连接,请使用group_replication_recovery_tls_ciphersuites system variable. group_replication_recovery_tls_ciphersuites系统变量。See Section 18.6.2, “Securing Group Communication Connections with Secure Socket Layer (SSL)”.请参阅第18.6.2节,“使用安全套接字层(SSL)保护组通信连接”。
Ciphersuite support is available as of MySQL 8.0.16, but requires that both the MySQL server and the client application be compiled using OpenSSL 1.1.1 or higher.密码套件支持从MySQL 8.0.16开始提供,但要求MySQL服务器和客户端应用程序都使用OpenSSL 1.1.1或更高版本进行编译。
In MySQL 8.0.16 through 8.0.18, the 在MySQL 8.0.16到8.0.18中,group_replication_recovery_tls_ciphersuites system variable and the SOURCE_TLS_CIPHERSUITES | MASTER_TLS_CIPHERSUITES option for the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or CHANGE MASTER TO statement (before MySQL 8.0.23) are not available. group_replication_recovery_tls_cryptosuites系统变量和CHANGE REPLICATION SOURCE TO语句(来自MySQL 8.0.23)或CHANGE MASTER TO语句(MySQL 8.0.22之前)的SOURCE_TLS_CIPHERSUITES | MASTER_TLS_CIPHERSUITES选项不可用。In these releases, if TLSv1.3 is used for source/replica replication connections, or in Group Replication for distributed recovery (supported from MySQL 8.0.18), the replication source or Group Replication donor servers must permit the use of at least one TLSv1.3 ciphersuite that is enabled by default. 在这些版本中,如果TLSv1.3用于源/副本复制连接,或在组复制中用于分布式恢复(MySQL 8.0.18支持),则复制源或组复制供体服务器必须允许使用至少一个默认启用的TLSv1.3密码套件。From MySQL 8.0.19, you can use the options to configure client support for any selection of ciphersuites, including only non-default ciphersuites if you want.从MySQL 8.0.19开始,您可以使用这些选项为任何选择的密码套件配置客户端支持,如果需要,只包括非默认密码套件。
A given cipher may work only with particular TLS protocols, which affects the TLS protocol negotiation process. 给定的密码可能只适用于特定的TLS协议,这会影响TLS协议协商过程。See Connection TLS Protocol Negotiation.请参阅连接TLS协议协商。
To determine which ciphers a given server supports, check the session value of the 要确定给定服务器支持哪些密码,请检查Ssl_cipher_list status variable:Ssl_cipher_list状态变量的会话值:
SHOW SESSION STATUS LIKE 'Ssl_cipher_list';
The Ssl_cipher_list status variable lists the possible SSL ciphers (empty for non-SSL connections). Ssl_cipher_list状态变量列出了可能的Ssl密码(非Ssl连接为空)。If MySQL supports TLSv1.3, the value includes the possible TLSv1.3 ciphersuites.如果MySQL支持TLSv1.3,则该值包括可能的TLSv1.3密码套件。
For encrypted connections that use TLS.v1.3, MySQL uses the SSL library default ciphersuite list.对于使用TLSv1.3的加密连接,MySQL使用SSL库默认密码套件列表。
For encrypted connections that use TLS protocols up through TLSv1.2, MySQL passes the following default cipher list to the SSL library.对于通过TLSv1.2使用TLS协议的加密连接,MySQL会将以下默认密码列表传递给SSL库。
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES128-SHA DHE-RSA-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 DH-DSS-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 AES256-GCM-SHA384 DH-DSS-AES256-GCM-SHA384 ECDH-ECDSA-AES256-GCM-SHA384 AES128-SHA256 DH-DSS-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 AES256-SHA256 DH-DSS-AES256-SHA256 ECDH-ECDSA-AES256-SHA384 AES128-SHA DH-DSS-AES128-SHA ECDH-ECDSA-AES128-SHA AES256-SHA DH-DSS-AES256-SHA ECDH-ECDSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DH-RSA-AES128-GCM-SHA256 ECDH-RSA-AES128-GCM-SHA256 DH-RSA-AES256-GCM-SHA384 ECDH-RSA-AES256-GCM-SHA384 DH-RSA-AES128-SHA256 ECDH-RSA-AES128-SHA256 DH-RSA-AES256-SHA256 ECDH-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES128-SHA DHE-RSA-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA AES128-SHA DH-DSS-AES128-SHA ECDH-ECDSA-AES128-SHA AES256-SHA DH-DSS-AES256-SHA ECDH-ECDSA-AES256-SHA DH-RSA-AES128-SHA ECDH-RSA-AES128-SHA DH-RSA-AES256-SHA ECDH-RSA-AES256-SHA DES-CBC3-SHA
These cipher restrictions are in place:这些密码限制已经到位:
The following ciphers are permanently restricted:以下密码受到永久限制:
!DHE-DSS-DES-CBC3-SHA !DHE-RSA-DES-CBC3-SHA !ECDH-RSA-DES-CBC3-SHA !ECDH-ECDSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !ECDHE-ECDSA-DES-CBC3-SHA
The following categories of ciphers are permanently restricted:以下类别的密码受到永久限制:
!aNULL !eNULL !EXPORT !LOW !MD5 !DES !RC2 !RC4 !PSK !SSLv3
If the server is started with the 如果服务器启动时ssl_cert system variable set to a certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.ssl_cert系统变量设置为使用任何前述受限密码或密码类别的证书,则服务器启动时将禁用对加密连接的支持。
Connection attempts in MySQL negotiate use of the highest TLS protocol version available on both sides for which a protocol-compatible encryption cipher is available on both sides. The negotiation process depends on factors such as the SSL library used to compile the server and client, the TLS protocol and encryption cipher configuration, and which key size is used:MySQL中的连接尝试协商使用双方可用的最高TLS协议版本,双方都有协议兼容的加密密码。协商过程取决于多种因素,如用于编译服务器和客户端的SSL库、TLS协议和加密密码配置,以及使用的密钥大小:
For a connection attempt to succeed, the server and client TLS protocol configuration must permit some protocol in common.为了使连接尝试成功,服务器和客户端的TLS协议配置必须允许某些共同的协议。
Similarly, the server and client encryption cipher configuration must permit some cipher in common. A given cipher may work only with particular TLS protocols, so a protocol available to the negotiation process is not chosen unless there is also a compatible cipher.同样,服务器和客户端加密密码配置必须允许一些共同的密码。给定的密码可能只适用于特定的TLS协议,因此除非还有兼容的密码,否则不会选择可用于协商过程的协议。
If TLSv1.3 is available, it is used if possible. (This means that server and client configuration both must permit TLSv1.3, and both must also permit some TLSv1.3-compatible encryption cipher.) 如果TLSv1.3可用,则尽可能使用它。(这意味着服务器和客户端配置都必须允许TLSv1.3,并且都必须允许一些与TLSv1.3兼容的加密密码。)Otherwise, MySQL continues through the list of available protocols, using TLSv1.2 if possible, and so forth. Negotiation proceeds from more secure protocols to less secure. Negotiation order is independent of the order in which protocols are configured. 否则,MySQL将继续浏览可用协议列表,如果可能的话使用TLSv1.2,依此类推。协商从更安全的协议转向更不安全的协议。协商顺序与协议的配置顺序无关。For example, negotiation order is the same regardless of whether 例如,无论tls_version has a value of TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 or TLSv1.3,TLSv1.2,TLSv1.1,TLSv1.tls_version的值是TLSv1,TLSv1.1,TLSv1.2,TLSv1.3还是TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,协商顺序都是相同的。
TLSv1.2 does not work with all ciphers that have a key size of 512 bits or less. TLSv1.2不适用于密钥大小为512位或更小的所有密码。To use this protocol with such a key, set the 要将此协议与这样的密钥一起使用,请在服务器端设置ssl_cipher system variable on the server side or use the --ssl-cipher client option to specify the cipher name explicitly:ssl_cipher系统变量,或使用--ssl-cipher客户端选项显式指定密码名称:
AES128-SHA AES128-SHA256 AES256-SHA AES256-SHA256 CAMELLIA128-SHA CAMELLIA256-SHA DES-CBC3-SHA DHE-RSA-AES256-SHA RC4-MD5 RC4-SHA SEED-SHA
For better security, use a certificate with an RSA key size of at least 2048 bits.为了提高安全性,请使用RSA密钥大小至少为2048位的证书。
If the server and client do not have a permitted protocol in common, and a protocol-compatible cipher in common, the server terminates the connection request. Examples:如果服务器和客户端没有共同的许可协议,也没有共同的协议兼容密码,则服务器终止连接请求。示例:
If the server is configured with 如果服务器配置了tls_version=TLSv1.1,TLSv1.2:tls_version=TLSv1.1,TLSv1.2:
Connection attempts fail for clients invoked with 对于使用--tls-version=TLSv1, and for older clients that support only TLSv1.--tls-version=TLSv1调用的客户端以及仅支持TLSv1的旧客户端,连接尝试失败。
Similarly, connection attempts fail for replicas configured with 同样,对于配置为MASTER_TLS_VERSION = 'TLSv1', and for older replicas that support only TLSv1.MASTER_TLS_VERSION = 'TLSv1'的副本以及仅支持TLSv1的旧副本,连接尝试也会失败。
If the server is configured with 如果服务器配置了tls_version=TLSv1 or is an older server that supports only TLSv1:tls_version=TLSv1,或者是只支持TLSv1的旧服务器:
Connection attempts fail for clients invoked with 对于使用--tls-version=TLSv1.1,TLSv1.2.--tls-version=TLSv1.1,TLSv1.2调用的客户端,连接尝试失败。
Similarly, connection attempts fail for replicas configured with 同样,对于配置为MASTER_TLS_VERSION = 'TLSv1.1,TLSv1.2'.MASTER_TLS_VERSION = 'TLSv1.1,TLSv1.2'的副本,连接尝试失败。
MySQL permits specifying a list of protocols to support. This list is passed directly down to the underlying SSL library and is ultimately up to that library what protocols it actually enables from the supplied list. MySQL允许指定要支持的协议列表。此列表直接传递给底层SSL库,并最终取决于该库从提供的列表中实际启用的协议。Please refer to the MySQL source code and the OpenSSL 有关SSL库如何处理此问题的信息,请参阅MySQL源代码和OpenSSL SSL_CTX_new() documentation for information about how the SSL library handles this.SSL_CTX_new()文档。
To determine which encryption TLS protocol and cipher the current client session uses, check the session values of the 要确定当前客户端会话使用哪种加密TLS协议和密码,请检查Ssl_version and Ssl_cipher status variables:Ssl_version和Ssl_cipher状态变量的会话值:
mysql>SELECT * FROM performance_schema.session_statusWHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher');+---------------+---------------------------+ | VARIABLE_NAME | VARIABLE_VALUE | +---------------+---------------------------+ | Ssl_cipher | DHE-RSA-AES128-GCM-SHA256 | | Ssl_version | TLSv1.2 | +---------------+---------------------------+
If the connection is not encrypted, both variables have an empty value.如果连接未加密,则两个变量都有空值。