当前位置:首页 -> AI编程基础 -> 数据库编程

MySQL创建用户带SSL认证,并且有SUBJECT和ISSUER的时候,报错[Note] X509 subject mismatch:解决(一)

2014-11-24 13:33:12 · 作者: · 浏览: 0
标签: MySQL 创建 用户 SSL 认证 并且 SUBJECT ISSUER 时候 报错 Note X509 subject mismatch: 解决
MySQL创建用户带SSL认证,并且有SUBJECT和ISSUER的时候,报错[Note] X509 subject mismatch:解决
1 简单的SSL是OK的:
用简单的SSL的验证,分配帐号 
mysql> GRANT ALL PRIVILEGES ON test.* TO 'test'@%· IDENTIFIED BY 'test'REQUIRE SSL;

然后在客户端登陆: 
[aaaaaaaaaaa@XXnintmydbc000ctl ssl]$   /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/aaaaaaaaaaa/ssl/ca-cert.pem --ssl-cert=/home/aaaaaaaaaaa/ssl/server-cert.pem --ssl-key=/home/aaaaaaaaaaa/ssl/server-key.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 25139
Server version: 5.5.25a-log MySQL XX RelXXse
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clXXr the current input statement.
mysql> show grants;
+--------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test@%                                                                                                                          |
+--------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'test'@'%' IDENTIFIED BY PASSWORD '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29' REQUIRE SSL WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> exit

缺陷,任何创建的ssl的key,只要匹配ca-cert.pem和client-cert.pem和client-key.pem3者之间匹配上,就可以用ssl登陆上db服务器,
就算这个client的key是否与server的可以一致,只要cliet的3个pem之间一致就可以通过ssl的方式登陆db server,这就有安全隐患。
所以我们需要加上subject和issuer来验证client和server端的key一致。
2 同事发给我的ssl的信息如下,我需要用已经生成的这2个来创建用户: 
subject: CN=nuc-bbbmysql-client.nucleus.XX.com, OU=XX Online/Pogo.com, O="Xxxxxxxxc Xxxx, Inc.", S=California, C=US
issuer: E=wwtso-ssl-admins@XX.com, CN="Xxxxxxxxc Xxxx, Inc CA", OU=XX Online/Pogo.com, O="Xxxxxxxxc Xxxx, Inc.", L=Redwood City, S=California, C=US

-- 但是加上subject和issuer的时候,就抱错如下:
先创建用户: 
GRANT all privileges ON *.* TO 'sss'@'localhost'
  IDENTIFIED BY 'goodsecret'
  REQUIRE SSL and SUBJECT '/CN=nuc-bbbmysql-admin.nucleus.XX.com/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/S=California/C=US'
  and issuer '/E=wwtso-ssl-admins@XX.com/CN="Xxxxxxxxc Xxxx, In
  c CA"/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/L=Redwood City/S=California/C=US';

在客户端登陆: 
[aaaaaaaaaaa@XXnintmydbc000ctl ssl]$   /opt/mysql/product/mysql/bin/mysql -hXXcccmysql.abn-iad.XX.com -utest -ptest --ssl-ca=/home/aaaaaaaaaaa/ssl/ca-cert.pem --ssl-cert=/home/aaaaaaaaaaa/ssl/server-cert.pem --ssl-key=/home/aaaaaaaaaaa/ssl/server-key.pem
ERROR 1045 (28000): Access denied for user 'test'@'XXnintmydbc000ctl.abn-iad.XX.com' (using password: YES)

db server端error日志保错如下: 
130722  9:25:04 [Note] X509 issuer mismatch: 
should be 'E=wwtso-ssl-admins@XX.com/CN="Xxxxxxxxc Xxxx, Inc CA"/OU=XX Online/Pogo.com/O="Xxxxxxxxc Xxxx, Inc."/L=Redwood City/S=California/C=US' 
but is '/C=US/ST=California/L=Redwood City/O=Xxxxxxxxc Xxxx, Inc./OU=XX Online/Pogo.com/CN=Xxxxxx