xitonga

MySQL: creating a user with SSL authentication plus SUBJECT and ISSUER fails with [Note] X509 subject mismatch


1 Plain SSL works:

Grant an account that uses plain SSL verification:
mysql> GRANT ALL PRIVILEGES ON test.* TO 'test'@'%' IDENTIFIED BY 'test' REQUIRE SSL;

Then log in from the client:
[aaaaaaaaaaa@XXnintmydbc000ctl ssl]$ /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/aaaaaaaaaaa/ssl/ca-cert.pem --ssl-cert=/home/aaaaaaaaaaa/ssl/server-cert.pem --ssl-key=/home/aaaaaaaaaaa/ssl/server-key.pem
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 25139
Server version: 5.5.25a-log MySQL XX Release

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+--------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test@% |
+--------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'test'@'%' IDENTIFIED BY PASSWORD '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' REQUIRE SSL WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit

The weakness: any generated SSL key material is accepted as long as ca-cert.pem, client-cert.pem and client-key.pem are consistent with each other. Such a client can log in to the DB server over SSL whether or not its key corresponds to the server's; as long as the client's three pem files agree with one another, it gets in over SSL, and that is a security risk.
So we need to add SUBJECT and ISSUER to verify that the client-side and server-side keys correspond.


2 The SSL information my colleague sent me is as follows; I need to create the user from these two already-generated values:
subject: CN=nuc-bbbmysql-client.nucleus.XX.com, OU=XX Online/Pogo.com, O="Xxxxxxxxc Xxxx, Inc.", S=California, C=US
issuer: E=wwtso-ssl-admins@XX.com, CN="Xxxxxxxxc Xxxx, Inc CA", OU=XX Online/Pogo.com, O="Xxxxxxxxc Xxxx, Inc.", L=Redwood City, S=California, C=US
-- But when SUBJECT and ISSUER are added, the following error appears:
First create the user:
GRANT ALL PRIVILEGES ON *.* TO 'sss'@'localhost'
IDENTIFIED BY 'goodsecret'
REQUIRE SUBJECT '/CN=nuc-bbbmysql-admin.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US'
AND ISSUER '/E=wwtso-ssl-admins@XX.com/CN="Xxxxxxxxc Xxxx, Inc CA"/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/L=Redwood City/S=California/C=US';
Log in from the client:
[aaaaaaaaaaa@XXnintmydbc000ctl ssl]$ /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/aaaaaaaaaaa/ssl/ca-cert.pem --ssl-cert=/home/aaaaaaaaaaa/ssl/server-cert.pem --ssl-key=/home/aaaaaaaaaaa/ssl/server-key.pem
ERROR 1045 (28000): Access denied for user 'test'@'XXnintmydbc000ctl.abn-iad.XX.com' (using password: YES)

The DB server's error log reports the following:
130722 9:25:04 [Note] X509 issuer mismatch:
should be 'E=wwtso-ssl-admins@XX.com/CN="Xxxxxxxxc Xxxx, Inc CA"/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/L=Redwood City/S=California/C=US'
but is '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com'


3 The client-side issuer and the server-side issuer mismatch, so to get the test through, just modify the GRANT statement directly and test again, as follows: drop the user, then grant the account again.
drop user 'test'@'%';
GRANT all privileges ON *.* TO 'test'@'%'
IDENTIFIED BY 'test'
REQUIRE SUBJECT '/CN=nuc-bbbmysql-client.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US'
and issuer '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com' ;


Logging in to the MySQL DB server from the client still fails, as follows:
[ddddmysqlprd@XXnprdmydbctl client-cert]$ /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/ddddmysqlprd/client-cert/ca-cert.pem --ssl-cert=/home/ddddmysqlprd/client-cert/client-cert.pem --ssl-key=/home/ddddmysqlprd/client-cert/client-key.pem
ERROR 1045 (28000): Access denied for user 'test'@'XXnprdmydbctl.XXo.abn-iad.XX.com' (using password: YES)
Check the error log again:
130722 9:29:15 [Note] X509 subject mismatch:
should be '/CN=nuc-bbbmysql-client.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US'
but is '/C=US/ST=California/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=nuc-bbbmysql-client.nucleus.XX.com'


4 The client and server subjects differ, so replace the subject with the one shown in the error message and test again.

Drop the user, then grant the user again:
drop user 'test'@'%';
GRANT all privileges ON *.* TO 'test'@'%'
IDENTIFIED BY 'test'
REQUIRE SUBJECT '/C=US/ST=California/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=nuc-bbbmysql-client.nucleus.XX.com'
and issuer '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxxxxc Xxxx, Inc CA/emailAddress=wwtso-ssl-admins@XX.com' ;


Then log in from the client:
[ddddmysqlprd@XXnprdmydbctl client-cert]$ /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/ddddmysqlprd/client-cert/ca-cert.pem --ssl-cert=/home/ddddmysqlprd/client-cert/client-cert.pem --ssl-key=/home/ddddmysqlprd/client-cert/client-key.pem
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 25289
Server version: 5.5.25a-log MySQL XX Release

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
mysql>
mysql>
mysql>
mysql> exit
Bye

OK, I did it.

Afterwards I felt that the subject and issuer my colleague gave me were wrong, and differed from the server key my colleague had created on the server side.
In the end the problem turned out to be a difference between the Windows and Linux environments: some of the parameters my colleague supplied were Windows-style, so Linux did not recognise them, for example the email parameter.
But that does not matter; we only need to focus on the error log, read the error message, and debug step by step based on it, and the functional test can be made to pass.
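The two mismatches above come from the same cause: mysqld compares the stored REQUIRE SUBJECT / ISSUER string byte-for-byte against the OpenSSL one-line form of the client certificate's name, while the colleague supplied the names in Windows style (comma-separated, most-specific RDN first, with S= and E= instead of ST= and emailAddress=). The following added example (not code from the original post) converts a Windows-style DN into the form mysqld will compare, reproducing the "but is" strings from the error log, and builds the GRANT from it; the hypothetical helper names are my own.

```python
# Attribute names as printed by Windows certificate tools, mapped to the short
# names OpenSSL (and therefore the mysqld error log) uses.
WINDOWS_TO_OPENSSL = {"S": "ST", "E": "emailAddress"}

def parse_windows_dn(dn):
    """Split 'CN=a, O="b, Inc.", C=US' into (attr, value) pairs. A comma inside
    double quotes is part of the value; the quotes are dropped (OpenSSL prints
    values unquoted)."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [(a.strip(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]

def to_openssl_oneline(dn):
    """Render a Windows-style DN as X509_NAME_oneline() prints it: order reversed,
    '/'-separated, OpenSSL attribute names; a '/' inside a value is left as-is."""
    pairs = reversed(parse_windows_dn(dn))
    return "".join(f"/{WINDOWS_TO_OPENSSL.get(a, a)}={v}" for a, v in pairs)

def mysql_x509_matches(required, presented):
    """mysqld 5.5 strcmp()s the stored REQUIRE string against the client
    certificate's one-line name; neither side is normalised."""
    return required == presented

def grant_with_x509(user, host, subject_dn, issuer_dn):
    """GRANT whose REQUIRE clause is already in the form mysqld will compare."""
    q = lambda s: s.replace("'", "''")  # SQL string-literal escaping
    return (f"GRANT ALL PRIVILEGES ON *.* TO '{q(user)}'@'{q(host)}' "
            f"REQUIRE SUBJECT '{q(to_openssl_oneline(subject_dn))}' "
            f"AND ISSUER '{q(to_openssl_oneline(issuer_dn))}';")

# DNs exactly as the colleague supplied them (copied from the post above).
SUBJECT_WIN = ('CN=nuc-bbbmysql-client.nucleus.XX.com, OU=XX Online/Pogo.com, '
               'O="Xxxxxxxxc Xxxx, Inc.", S=California, C=US')
ISSUER_WIN = ('E=wwtso-ssl-admins@XX.com, CN="Xxxxxxxxc Xxxx, Inc CA", '
              'OU=XX Online/Pogo.com, O="Xxxxxxxxc Xxxx, Inc.", L=Redwood City, '
              'S=California, C=US')

if __name__ == "__main__":
    # Prints the GRANT whose SUBJECT and ISSUER equal the "but is" log strings.
    print(grant_with_x509("test", "%", SUBJECT_WIN, ISSUER_WIN))
```

Running the conversion on the colleague's values yields exactly the "but is" strings from the two [Note] lines, which is why the final GRANT in step 4 worked.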
