更新时间:2023-11-28 15:45:10
此处的PHP(和mysqli_real_connect
)是客户端而不是服务器.您正在使用mysqli_ssl_set
对其进行配置,以进行客户端证书身份验证(并使用服务器密钥和证书).
Here PHP (and mysqli_real_connect
) is the client not the server. You're configuring it with mysqli_ssl_set
for client-certificate authentication (and using the server key and certificate).
我不确定您是如何配置MySQL服务器的,但是在配置的(MySQL)服务器部分中应该有类似的内容:
I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:
ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem
无论如何,这些都不属于客户端(只有CA证书才属于客户端,但绝对不是服务器的私钥).
These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).
完成此操作后,您可以尝试使用命令行客户端查看服务器是否配置正确:
Once you've done this, you can try to see if the server is configured properly using the command line client:
mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
或者也许是这样(尽管应该确实启用验证服务器证书以使SSL/TLS有用)
or perhaps this (although verify server cert should really be enabled for SSL/TLS to be useful)
mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...
这至少应该在命令行上起作用.
This should work at least on the command line.
然后,从PHP中,您有两个选择:
Then, from PHP, you get two options:
mysqli_ssl_set
,但是将$key
和$cert
保留为空,除非您要使用确实与服务器证书不同的客户端证书. (我不记得这是否有效.)可能更容易,完全省略mysqli_ssl_set
并在全局MySQL客户端配置文件中进行配置(PHP应该可以在其中拾取它,可能是/etc/mysql/my.cnf
,但这取决于您的发行版):
mysqli_ssl_set
like you've done, but leaving $key
and $cert
null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.)possibly easier, omit mysqli_ssl_set
altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf
, but this may vary depending on your distribution):
[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem
(这类似于服务器配置,但在客户端/客户端部分).
(This is similar to the server config, but on the client side/in the client section.)
对于授权部分(GRANT
):
REQUIRE SSL
仅需要使用SSL/TLS REQUIRE ISSUER
,REQUIRE SUBJECT
和REQUIRE X509
要求客户端出示客户端证书以与所需值进行比较(在这种情况下,您需要在客户端上使用ssl-key
和ssl-cert
侧面(配置或在mysqli_ssl_set
中).REQUIRE SSL
only requires the use of SSL/TLSREQUIRE ISSUER
, REQUIRE SUBJECT
and REQUIRE X509
require the client to present a client-certificate to compare to the required values (that's the case where you'd need to use ssl-key
and ssl-cert
on the client side (config or within mysqli_ssl_set
).