如何配置支持ssl连接的mysql

1. 安装 OpenSSL:

下载 OpenSSL Version 0.9.6 (www.openssl.org)

shell> zcat 0.96l.tar.gz | tar xvf -

shell> ./config

shell> make

shell> make install

2. 安装 MySQL:

下载 MySQL Version 4.0.14 Source (mysql-4.0.14.tar.gz)

shell> groupadd mysql

shell> useradd -g mysql mysql

shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -

shell> cd mysql-VERSION

shell> ./configure --prefix=/usr/local/mysql --with –openssl --with -vio

shell> make

shell> make install

shell> cp support-files/my-medium.cnf /etc/my.cnf

shell> cd /usr/local/mysql

shell> bin/mysql_install_db --user=mysql

shell> chown -R root .

shell> chown -R mysql var

shell> chgrp -R mysql .

shell> bin/mysqld_safe --user=mysql &

3. 修改mysql密码及访问权限　(根据需要。可能造成安全问题)

shell>cd /usr/local/mysql/bin/

shell>./mysql -u root –p

mysql>INSERT INTO mysql.user VALUES ('%','root', PASSWORD

('1qw23e'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y

','Y','','','','',0,0,0,0);

4. 生成SSL证书

DIR=`pwd`/openssl

PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts

cp /usr/share/ssl/openssl.cnf $DIR

replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir

# directory (optional)

touch $DIR/index.txt

echo "01" > $DIR/serial

# Generation of Certificate Authority(CA)

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \

-config $DIR/openssl.cnf

Note : if you were requested to enter "PEM pass", please enter different "PEM pass" in the following steps.

# Create server request and key

openssl req -new -keyout $DIR/server-key.pem -out \

$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Remove the passphrase from the key (optional)

openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

# Sign server cert

openssl ca -policy policy_anything -out $DIR/server-cert.pem \

-config $DIR/openssl.cnf -infiles $DIR/server-req.pem

# Create client request and key

openssl req -new -keyout $DIR/client-key.pem -out \

$DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Remove a passphrase from the key (optional)

openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

# Sign client cert

openssl ca -policy policy_anything -out $DIR/client-cert.pem \

-config $DIR/openssl.cnf -infiles $DIR/client-req.pem

5. 修改选项文件

/etc/my.cnf

[client]

ssl-ca=$DIR/cacert.pem

ssl-cert=$DIR/client-cert.pem

ssl-key=$DIR/client-key.pem

[mysqld]

ssl-ca=$DIR/cacert.pem

ssl-cert=$DIR/server-cert.pem

ssl-key=$DIR/server-key.pem

6. 测试启动mysql

$DIR 是选项文件my.cnf 的路径

shell> mysqld --defaults-file=$DIR/my.cnf &

Then invoke a client program using the same option file:

shell> mysql --defaults-file=$DIR/my.cnf

执行以下语句，如果返回以下结果，安装完全成功

mysql> SHOW VARIABLES LIKE 'have_openssl';

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_openssl | YES |

+---------------+-------+

7. 启动MySQLdaemon

/usr/local/libexec/mysqld -u mysql & 或者/usr/local/sbin/mysqld &