使用带SSL的ODBC(5.1)的MySQL连接
我们有一个客户端应用程序,它通过ODBC连接器(服务器是托管的专用Web服务器)连接到在线MySQL数据库(5.1.44-community-log).这很好用.但是我无法使其使用SSL.这是我到目前为止所做的:
We've got a client application that connects to our online MySQL database (5.1.44-community-log) thru a ODBC connector (the server is a managed* dedicated webserver). This works very nice. However I can't get it to work using SSL. This is what I've done so far:
1. MySQL服务器
我已经通过SSL设置了服务器管理器*,并且已通过证明":
I've got the server manager* set up MySQL with SSL, this is 'proven by':
mysql> SHOW VARIABLES LIKE '%ssl%';
结果是此响应:
+---------------+---------------------------------+
| Variable_name | Value |
+---------------+---------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /***/mysql-cert/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /***/mysql-cert/server-cert.pem |
| ssl_cipher | |
| ssl_key | /***/mysql-cert/server-key.pem |
+---------------+---------------------------------+
问题:服务器配置正确吗?我猜是...
Question: is the server configured right? I'm guessing it is...
2.证书
我已经购买了真实证书(通过服务器管理器).这些在上面显示的目录中.我还从该目录下载了client-cert.pem,client-key.pem和ca-cert.pem.
I've purchased real certificates (via my server manager). These are in the directory shown above. I've also downloaded the client-cert.pem, client-key.pem and ca-cert.pem from that directory.
3.具有REQUIRE [SSL | X509]
我已经创建了一个新用户,然后使用SSL从任何位置(用于测试)授予该用户访问权限:
I've created a new user and then granted it access from any location (for testing) with SSL:
GRANT USAGE ON *.* TO 'somevaliduser'@'%' IDENTIFIED BY PASSWORD 'somevalidpass' REQUIRE X509
4. ODBC客户端
我已经(刚刚下载并安装了): mysql-connector-odbc-5.1. 8-winx64.msi (64位),因为我的机器是64位 Windows 7 机器(所以这没什么问题).
I've (just downloaded and) installed : mysql-connector-odbc-5.1.8-winx64.msi (64-bit) as my machine is a 64-bit Windows 7 machine (so that's not what's wrong).
并且我已经创建了一个用户DSN,以这种方式对其进行配置(选项卡上未设置任何选项),这表明它成功连接到服务器(但是未使用-也不要求这样做-SSL)(使用了一些有效的用户不需要SSL):
And I've created a User DSN configuring it like this (no options set on tabs), which shows it connecting to the server (however not using - nor requesting to do so - SSL) successfully (using some valid user which doesn't requires SSL):
因此可以建立连接,现在尝试使用SSL.
So the connection is able to establish, now try using SSL.
这样配置,就像我在MySQL.com上读到的一样.因此,我不是100%确定选项设置正确.
This is configured like this, which is like I've read about on MySQL.com. So I'm not 100% sure the options set are right.
如您所见,它会导致错误 HY000 .打开跟踪(在ODBC配置中)也显示此错误.
As you can see it results in a error HY000. Turning on tracing (within the ODBC configuration) also shows this error.
任何人都可以给我提示如何进行这项工作吗?即使您只知道解决方案的一部分?
Can anyone give me a hint on how to make this work? Even if you know about just a part of the solution?
我解决了这个问题.因为我一次尝试了几件事,所以我不知道这个窍门是什么:
I solved the problem. Because I tried several things at a time I don't know what did the trick:
- 我让服务器管理器重新创建了证书:我买了一些证书,但发现这些证书不能用于SSL加密连接.所以现在我正在使用OpenSSL证书.我让他们使用 4)重新创建证书.创建您的客户端....服务器.它们必须是唯一的.(如此处所述).
- 我想'验证SSL证书'复选框仅在您购买证书时适用,第三方服务应检查该证书的有效性.取消选中该框!
- 仅填写以下字段:
- "SSL密钥"(c:\ path_to \ client-key.pem)
- "SSL证书"(c:\ path_to \ client-cert.pem)
- "SSL证书颁发机构"(c:\ path_to \ ca-cert.pem)
- I've had the server manager re-create the certificates: I bought some but I found out that those couldn't be used to SSL-encrypt the connection. So for now I'm using OpenSSL certificates. I've had them re-create the certificates with 4) Create your client .... server. They must be unique. (as mentioned here) in mind.
- I guess the checkbox 'Verify SSL Certificate' only applies when you buy a certificate and a thrid party service should check the validity of the certificate. Uncheck that box!
- Only fill out the fields:
- 'SSL Key' (c:\path_to\client-key.pem)
- 'SSL Certificate' (c:\path_to\client-cert.pem)
- 'SSL Certificate Authority' (c:\path_to\ca-cert.pem)
请注意:
- 端口仍然是相同的(对我而言).
- 按照Michal Niklas的建议,日志中没有显示任何有用的信息.
- 我已启用使用压缩"功能,据说可以提高性能.