Connect to MySQL using TLS

Use TLS with iTop

If iTop is hosted on a different server than the MySQL server and a shared infrastructure is used, you may want to encrypt the traffic between the application and the database.

One way to do that is to use MySQL's secure connection feature. See the official documentation: MySQL :: MySQL 5.6 Reference Manual :: 6.4 Using Encrypted Connections

Since version 2.5, iTop supports these parameters:

enable encryption: db_tls.enabled

certificate authority file: db_tls.ca

If the 'db_tls.ca' parameter is non-empty and valid, the server certificate is verified on each connection. By default iTop connects to MySQL with the MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag (see http://php.net/manual/en/mysqli.real-connect.php), which encrypts the channel without authenticating the server; if a CA is specified, it connects with the MYSQLI_CLIENT_SSL flag instead.
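As an added example (not iTop's own code and not Combodo's test script), the following PHP shows the flag selection described above: a non-empty, readable db_tls.ca yields MYSQLI_CLIENT_SSL, otherwise MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, and the resulting connection is refused unless the server reports a negotiated cipher. The $aConfig array, the function names, and the host, user, password and CA path are assumptions chosen for illustration.

```php
<?php
// Added example, not iTop's code: connect to MySQL choosing the mysqli client
// flag from db_tls.enabled / db_tls.ca the way the text describes, then fail
// closed if the connection turns out not to be TLS protected.

// Constructed stand-in for the relevant iTop settings (all values are placeholders).
$aConfig = [
    'db_host'        => 'mysqlserver',
    'db_user'        => 'itop',
    'db_pwd'         => 'password',
    'db_tls.enabled' => true,
    'db_tls.ca'      => '/etc/itop/mysql-ca.pem', // '' means: encrypt, but do not verify the server
];

/**
 * Returns 0 (no TLS), MYSQLI_CLIENT_SSL (encrypted + server certificate verified
 * against the CA) or MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (encrypted only).
 * Without verification an active attacker on the shared network could present
 * its own certificate, so a CA file is the setting to aim for.
 */
function GetTlsClientFlag(array $aConfig)
{
    if (empty($aConfig['db_tls.enabled'])) {
        return 0;
    }
    $sCa = isset($aConfig['db_tls.ca']) ? trim($aConfig['db_tls.ca']) : '';
    if ($sCa !== '' && is_readable($sCa)) {
        return MYSQLI_CLIENT_SSL;
    }
    return MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
}

/**
 * Opens the connection and verifies that TLS was really negotiated.
 * Only the CA is passed to ssl_set(): this example relies on a password
 * authenticated account rather than a client certificate.
 */
function ConnectWithTls(array $aConfig)
{
    $iFlag = GetTlsClientFlag($aConfig);
    $oMysqli = mysqli_init();
    if ($iFlag !== 0) {
        $sCa = ($iFlag === MYSQLI_CLIENT_SSL) ? $aConfig['db_tls.ca'] : null;
        $oMysqli->ssl_set(null, null, $sCa, null, null);
    }
    if (!$oMysqli->real_connect($aConfig['db_host'], $aConfig['db_user'], $aConfig['db_pwd'], null, 3306, null, $iFlag)) {
        throw new RuntimeException('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error());
    }
    if ($iFlag !== 0) {
        // A connection can come up unencrypted without any error (for instance when the
        // server has no TLS material), so check the session status before trusting it.
        $oRes = $oMysqli->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
        $aRow = $oRes ? $oRes->fetch_array(MYSQLI_NUM) : null;
        if (empty($aRow[1])) {
            $oMysqli->close();
            throw new RuntimeException('Connection established without TLS; refusing to use it');
        }
    }
    return $oMysqli;
}

$oDb = ConnectWithTls($aConfig);
echo "Connected with client flag " . GetTlsClientFlag($aConfig) . "\n";
$oDb->close();
```

Run it with the placeholders replaced; the exception in ConnectWithTls is the behaviour to keep, since a silently unencrypted connection is exactly the failure mode the test script below is meant to catch.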

Before using such a connection in iTop, check your configuration. In phpinfo (call setup/phpinfo.php), the “mysqlnd” section should show:

core SSL: supported

extended SSL: supported

Combodo also strongly recommends testing the link with the following script:

mysql-tls-test.php

<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');
error_reporting(E_ALL | E_STRICT);
assert_options(ASSERT_ACTIVE, true);
assert_options(ASSERT_WARNING, true);
assert_options(ASSERT_BAIL, true);

$sMySqlHost = 'mysqlserver'; //TODO
$iMySqlPort = 3306;
$sMySqlUser = 'user'; //TODO
$sMySqlPassword = 'password'; //TODO
// Encrypts the channel without verifying the server certificate; use MYSQLI_CLIENT_SSL when a trusted CA is given
$iMySqlFlag = MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
$sTlsKey = '/var/mysql/client-key.pem'; //TODO fix right value, null if not used
$sTlsCert = '/var/mysql/client-cert.pem'; //TODO fix right value, null if not used
$sTlsCa = '/var/mysql/ca.pem'; //TODO fix right value, null if not used

// Stop early (ASSERT_BAIL) if any of the TLS files cannot be read
assert(is_readable($sTlsKey), 'Can\'t open SSL Key file');
assert(is_readable($sTlsCert), 'Can\'t open SSL Cert file');
assert(is_readable($sTlsCa), 'Can\'t open SSL CA file');

echo "Trying to connect using :\n host=$sMySqlHost, user=$sMySqlUser, port=$iMySqlPort\n";
echo "TLS options :\n key=$sTlsKey\n cert=$sTlsCert\n ca=$sTlsCa\n";

$oMysqli = new mysqli();
$oMysqli->init();
$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, NULL, NULL);
$oMysqli->real_connect($sMySqlHost, $sMySqlUser, $sMySqlPassword, null, $iMySqlPort, NULL, $iMySqlFlag);

if ($oMysqli->connect_errno) {
    die('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    if (!IsOpenedDbConnectionUsingTls($oMysqli)) {
        $oMysqli->close();
        die('The connection can be opened but is not TLS encrypted !');
    }
    echo "Successfully connected using TLS !\n";
    $sTlsCipherValue = GetMySqlVarValue($oMysqli, 'ssl_cipher');
    $sTlsVersionValue = GetMySqlVarValue($oMysqli, 'ssl_version');
    echo "TLS cipher=$sTlsCipherValue\n";
    echo "TLS version=$sTlsVersionValue\n";
    $oMysqli->close();
}

/**
 * <p>A DB connection can be opened transparently (no errors thrown) without being encrypted, whereas the TLS
 * parameters were used.<br>
 * This method can be called to ensure that the DB connection really uses TLS.
 *
 * <p>We're using this object connection : {@link self::$m_oMysqli}
 *
 * @param \mysqli $oMysqli
 *
 * @return boolean true if the connection was really established using TLS
 * @throws \MySQLException
 *
 * @uses IsMySqlVarNonEmpty
 */
function IsOpenedDbConnectionUsingTls($oMysqli)
{
    // Both status variables are empty on a plaintext connection
    $bNonEmptySslVersionVar = IsMySqlVarNonEmpty($oMysqli, 'ssl_version');
    $bNonEmptySslCipherVar = IsMySqlVarNonEmpty($oMysqli, 'ssl_cipher');
    return ($bNonEmptySslVersionVar && $bNonEmptySslCipherVar);
}

/**
 * @param \mysqli $oMysqli
 * @param string $sVarName
 *
 * @return bool
 * @throws \MySQLException
 *
 * @uses GetMySqlVarValue
 */
function IsMySqlVarNonEmpty($oMysqli, $sVarName)
{
    $sResult = GetMySqlVarValue($oMysqli, $sVarName);
    return (!empty($sResult));
}

/**
 * @param \mysqli $oMysqli
 * @param string $sVarName
 *
 * @return string
 * @throws \MySQLException
 *
 * @uses 'SHOW STATUS' queries
 */
function GetMySqlVarValue($oMysqli, $sVarName)
{
    $oResults = $oMysqli->query("SHOW SESSION STATUS LIKE '$sVarName'", 1);
    if ($oResults === false) {
        return false;
    }
    // Result row is (Variable_name, Value); no row means the variable is unknown
    $aResults = $oResults->fetch_array(MYSQLI_NUM);
    if (!$aResults) {
        return false;
    }
    $sResult = $aResults[1];
    return $sResult;
}

When successful, you should see:

Trying to connect using :
 host=192.168.10.70, user=sha256user, port=3306
TLS options :
 key=/var/www/html/client-key.pem
 cert=/var/www/html/client-cert.pem
 ca=/var/www/html/ca.pem
Successfully connected using TLS !
TLS cipher=DHE-RSA-AES256-SHA

Troubleshooting

If you receive a warning or error regarding

--ssl

or

--ssl-mode

such as:

https://www.itophub.io/wiki/media?media=2_7_0%3Ainstall%3Atls_mysql_warning.png

iTop >= 2.6.2 should handle these warnings with MySQL >= 5.7.0. If you still encounter them, or encounter them with a lower version or another MySQL vendor, you can verify with:

SELECT Version()

SELECT @@version

that you receive your version and MySQL vendor in a format similar to

 10.3.15-MariaDB-log 

iTop processes this information to choose the correct parameters for your MySQL vendor/version, so it needs to be filled in.
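As an added illustration (not iTop's own code), here is how a version string such as the one above can be split into vendor and numeric version, and how that result can drive the choice between the legacy --ssl switch and --ssl-mode for the mysql command-line tools. The 5.7.0 threshold follows the text; the mapping of vendor/version to option is an assumption made for this example rather than a description of iTop's actual logic, and the CA path is a placeholder.

```php
<?php
// Added example, not iTop's code: parse the value of SELECT @@version /
// SELECT Version() and pick a TLS option for the mysql CLI accordingly.

/**
 * Splits strings such as "10.3.15-MariaDB-log" or "5.7.29-0ubuntu0.18.04.1"
 * into a vendor name and a bare numeric version usable with version_compare().
 */
function ParseMySqlVersion($sVersion)
{
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $sVersion, $aMatch)) {
        throw new InvalidArgumentException("Unrecognised version string: $sVersion");
    }
    $sVendor = (stripos($sVersion, 'mariadb') !== false) ? 'MariaDB' : 'MySQL';
    return [
        'vendor'  => $sVendor,
        'version' => $aMatch[1] . '.' . $aMatch[2] . '.' . $aMatch[3],
    ];
}

/**
 * Assumed mapping for the example: MySQL >= 5.7.0 (threshold taken from the text)
 * gets --ssl-mode, MariaDB and older MySQL builds keep the legacy --ssl switch.
 * With a CA file the server certificate is verified; without one the link is
 * only encrypted.
 */
function GetCliTlsOption($sVersion, $sCaFile = '')
{
    $aInfo = ParseMySqlVersion($sVersion);
    if ($aInfo['vendor'] === 'MySQL' && version_compare($aInfo['version'], '5.7.0', '>=')) {
        return ($sCaFile !== '')
            ? '--ssl-mode=VERIFY_CA --ssl-ca=' . escapeshellarg($sCaFile)
            : '--ssl-mode=REQUIRED';
    }
    return ($sCaFile !== '')
        ? '--ssl --ssl-ca=' . escapeshellarg($sCaFile)
        : '--ssl';
}

// Constructed sample inputs
$aSamples = ['10.3.15-MariaDB-log', '5.7.29-0ubuntu0.18.04.1', '5.6.47', '8.0.21'];
foreach ($aSamples as $sVersion) {
    $aInfo = ParseMySqlVersion($sVersion);
    printf("%-26s vendor=%-8s version=%-8s option: %s\n",
        $sVersion, $aInfo['vendor'], $aInfo['version'],
        GetCliTlsOption($sVersion, '/etc/itop/mysql-ca.pem')); // placeholder CA path
}
```

The parser deliberately keys on the "MariaDB" marker rather than on the major version number, since MariaDB 10.x would otherwise be mistaken for a very new MySQL and handed an option its client does not accept.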

Original link: https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Aphp_and_mysql_configuration



Created by superadmin on 2020/08/27, 15:54