SSL 综述
通常MariaDB是编译入SSL支持的,但它默认被禁用。你可以通过查看系统变量have_ssl 进行验证。
MariaDB usually comes with SSL-support compiled in, but it is disabled by default. You can verify this by examining the have_ssl system variable:
SHOW VARIABLES LIKE 'have_ssl'; +---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_ssl | DISABLED | +---------------+----------+
如果服务器支持SSL连接,have_ssl的值将会是YES
,如果不支持连接值将会是NO
。DISABLE
说明服务器支持SSL但是没有启用SSL,这通常是默认情况。
If the server supports SSL connections, the value will be set to YES
, otherwise, if SSL-support was not compiled in, the value will be set to NO
. DISABLED
means that the server was compiled with SSL support, but was not started with SSL support, which is usually the default situation.
要启用SSL,启动服务器时需加入 --ssl 选项。你可以设置很多其他 SSL 选项,如证书名、cipher 列表等。(参看 SSL 系统变量)。MariaDB从10.0.15后支持 TLSv1.2 ,请使用 ssl-cipher 来限定只能使用 TLSv1.2 ciphers.
To enable SSL, start the server with the --ssl option. There are a number of other SSL options you can set, such as the name of the certificate, or the list of ciphers, etc. (see SSL System Variables). MariaDB has supported the TLSv1.2 protocol since 10.0.15 - use ssl-cipher to limit MariaDB to TLSv1.2 ciphers only.
服务器通常使用SSL 的动态链接库,Windows 使用 yaSSL,其他平台使用OpenSSL。因服务器使用动态链接,如所用SSL库出现漏洞(例如2014年4月的 Heartbleed Bug ),您只需要升级SSL库,而不需要重新安装MariaDB。
The server is almost always dynamically linked with the SSL library. Windows binaries use yaSSL, while other platforms use OpenSSL. Since the server is dynamically linked, in the case of a vulnerability in the underlying SSL library (such as the Heartbleed Bug of April 2014), you simply need to install the patched SSL library, and do not need to reinstall MariaDB.
您可以验证所使用的动态链接库,例如: You can verify that your SSL library is dynamically linked, for example:
ldd `which mysqld` | grep ssl libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd36ba4a000)
GRANT语句可用来拒绝未使用SSL的连接和设置针对某账户的更多要求,如要求某个证书颁发机构的有效证书。
The GRANT statement can be used to reject connections from an account if it does not use SSL. Further requirements can be set for the SSL connections from that account, for example a valid certificate from a certain Certificate Authority can be required.