* Received following error while I locally try to connect to mysql server over SSL.
[root@]# mysql --ssl-cert=/var/lib/mysql/openssl-md5/ca-cert.pem --ssl-key=/var/lib/mysql/openssl-md5/client-key.pem --ssl-cert=/var/lib/mysql/openssl-md5/client-cert.pem -u root -p -v -v -v
Enter password:
ERROR 2026 (HY000): SSL connection error
My used environment
* Red Hat Enterprise Linux 5.7
Required packages :
* perl-DBD-MySQL-3.0007-2.el5
perl-DBI-1.52-2.el5
mysql-server-5.0.77-4.el5_6.6
mysql-5.0.77-4.el5_6.6
mysql-5.0.77-4.el5_6.6
Resolution
1. Download all mysql related packages or use yum command to install the packages. You can use "rpm -ivh
2. Start mysql.
4. Change mysql root password
Example :
[root@ /]# rpm -ivh perl-DBI-1.52-2.el5.x86_64.rpm
warning: perl-DBI-1.52-2.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:perl-DBI ########################################### [100%]
[root@/]# rpm -ivh mysql-5.0.77-4.el5_6.6.i386.rpm << This is needed on 64 bit os
warning: mysql-5.0.77-4.el5_6.6.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:mysql ########################################### [100%]
[root@ /]# rpm -ivh mysql-5.0.77-4.el5_6.6.x86_64.rpm <<
warning: mysql-5.0.77-4.el5_6.6.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:mysql ########################################### [100%]
[root@ /]#
[root@ /]# rpm -ivh perl-DBD-MySQL-3.0007-2.el5.x86_64.rpm
warning: perl-DBD-MySQL-3.0007-2.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:perl-DBD-MySQL ########################################### [100%]
[root@/]#
[root@ /]# rpm -ivh mysql-server-5.0.77-4.el5_6.6.x86_64.rpm
warning: mysql-server-5.0.77-4.el5_6.6.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:mysql-server ########################################### [100%]
[root@ /
OR
$yum install mysql-server mysql
* Verify istalled packages :
$rpm -qa |egrep -i 'mysql|perl-DBD-MySQL|perl-DBI|mysql-server'
perl-DBD-MySQL-3.0007-2.el5
perl-DBI-1.52-2.el5
mysql-server-5.0.77-4.el5_6.6
mysql-5.0.77-4.el5_6.6
mysql-5.0.77-4.el5_6.6
* Start mysqld service :
$/etc/init.d/mysqld restart
Stopping MySQL: [FAILED]
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h dhcp209-14.gsslab.pnq.redhat.com password 'new-password'
Alternatively you can run:
/usr/bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/bin/mysqlbug script!
The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ]
Starting MySQL: [ OK ]
[root@]# /etc/init.d/mysqld status
mysqld (pid 15065) is running...
[root@]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.00 sec)
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)
mysql> quit
Bye
[root@dhcp209-14 /]# netstat -plan |grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 15065/mysqld
[root@dhcp209-14 /]#
----------
mysql> show variables like '%%ssl%%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
mysql>
* Reset mysql root password :
$/usr/bin/mysqladmin -u root password 'mysql'
* Configurring SSL for mysql server and client(who will access server) :
$mkdir -p /etc/mysql/newcerts
$chown -R mysql:mysql /etc/mysql/newcerts
* Creating certificate autority :
$cd /etc/mysql/newcerts
$openssl genrsa 2048 > ca-key.pem
$openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
* Creating certificate for server using above CA certificate :
$openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
$openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
* Creating cerificate for client using above CA certificate(similar like server) :
$openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
$openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
* Make sure following entries are present in /etc/my.cnf file :
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
# Disabling symbolic-links is recommended to prevent assorted security risks;
# to do so, uncomment this line:
# symbolic-links=0
ssl # <
ssl-cert=/etc/mysql/newcerts/server-cert.pem # << Important
ssl-key=/etc/mysql/newcerts/server-key.pem # << Important
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
* Execute following commands (Used "mysql" password for user "mysql"):
$/etc/init.d/mysqld restart
$mysql -u root -p
$mysql> GRANT ALL ON *.* TO 'mysql'@'%' IDENTIFIED BY 'mysql' REQUIRE SSL;
* Testing :
$cd /etc/mysql/newcerts
$mysql --ssl-cert=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem -u root -p -v -v -v
Enter password: << pw = mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.77 Source distribution
Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA | <
1 row in set (0.00 sec)
mysql> show variables like '%%ssl%%';
--------------
show variables like '%%ssl%%'
--------------
+---------------+-------------------------------------+
| Variable_name | Value |
+---------------+-------------------------------------+
| have_openssl | YES | <
| ssl_capath | |
| ssl_cert | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/mysql/newcerts/server-key.pem |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)
mysql> quit
Writing history-file /root/.mysql_history
Bye
[root@]# mysql --ssl-cert=/etc/mysql/newcerts/ca-cert.pem --ssl-key=/etc/mysql/newcerts/client-key.pem --ssl-cert=/etc/mysql/newcerts/client-cert.pem -u root -p -v -v -v
Enter password: << pw = mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution
Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show variables like '%%ssl%%';
--------------
show variables like '%%ssl%%'
--------------
+---------------+-------------------------------------+
| Variable_name | Value |
+---------------+-------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/newcerts/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/mysql/newcerts/server-key.pem |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)
mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA | << Confirmed
+---------------+--------------------+
1 row in set (0.00 sec)
mysql>
mysql> quit
0 comments:
Post a Comment