
Unable to start MySQL with SSL support

Database Administration user
Asked on 2023-03-19 16:26:55
1 answer · 82 views · 0 followers · 0 votes

I generated some certificates for my MySQL 8.0.30 (mysql-server.x86_64 8.0.30-1.module+el8.6.0+16523+5cb0e868 @rhel-8-for-x86_64-appstream-rpms) on RHEL 8.7 and I'm running into a problem.

My ca.pem contains the root and intermediate certificates, server-key.pem contains the RSA key (BEGIN RSA PRIVATE KEY / END RSA PRIVATE KEY) and server-cert.pem contains the actual server certificate. When I start MySQL I get the following errors:

```text
2023-03-19T11:36:56.572166Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-03-19T11:36:56.572209Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: SSL_CTX_set_tmp_dh failed
2023-03-19T11:36:56.641677Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"
```

I have no idea what I'm doing wrong... Anyone?

1 Answer

Database Administration user

Posted on 2023-03-20 14:47:12

OK, I pulled the MariaDB source (I know it's not the same, but it's close enough) and found the following:

```text
server-10.9/vio/viosslfactories.c:#include <openssl/dh.h>
server-10.9/vio/viosslfactories.c:/* the function below was generated with "openssl dhparam -2 -C 2048" */
server-10.9/vio/viosslfactories.c:DH *get_dh2048()
server-10.9/vio/viosslfactories.c:    static unsigned char dhp_2048[] = {
server-10.9/vio/viosslfactories.c:    static unsigned char dhg_2048[] = {
server-10.9/vio/viosslfactories.c:    DH *dh = DH_new();
server-10.9/vio/viosslfactories.c:    BIGNUM *dhp_bn, *dhg_bn;
server-10.9/vio/viosslfactories.c:    if (dh == NULL)
server-10.9/vio/viosslfactories.c:    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
server-10.9/vio/viosslfactories.c:    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
server-10.9/vio/viosslfactories.c:    if (dhp_bn == NULL || dhg_bn == NULL
server-10.9/vio/viosslfactories.c:            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
server-10.9/vio/viosslfactories.c:        DH_free(dh);
server-10.9/vio/viosslfactories.c:        BN_free(dhp_bn);
server-10.9/vio/viosslfactories.c:        BN_free(dhg_bn);
server-10.9/vio/viosslfactories.c:    return dh;
server-10.9/vio/viosslfactories.c:  "SSL_CTX_set_tmp_dh failed",
server-10.9/vio/viosslfactories.c:    DH *dh= get_dh2048();
server-10.9/vio/viosslfactories.c:    if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
server-10.9/vio/viosslfactories.c:      DH_free(dh);
server-10.9/vio/viosslfactories.c:    DH_free(dh);
```

So it looks like the DH params are generated at 2048 bits. However, my server is configured to CIS level 2, with OpenSSL SECLEVEL set to 3 (which requires keys of at least 3072 bits). Changing SECLEVEL to 2 fixes the problem.

Thanks all!

1 vote
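An added check, not taken from the question, the answer or MySQL's own code, that makes the answer's arithmetic explicit: it reads the modulus size out of a PEM "DH PARAMETERS" file (the PKCS#3 form `openssl dhparam` writes) and compares it with the minimum DH size OpenSSL enforces at each SECLEVEL, per the SSL_CTX_set_security_level(3) table. The function names and the 2048-bit fixture are assumptions; the fixture only stands in for the size of the hard-coded group the answer found and is not a real safe prime.

```python
import base64
import re

# Minimum DH modulus size OpenSSL accepts at each security level, from the
# SSL_CTX_set_security_level(3) table (80/112/128/192/256 bits of security).
SECLEVEL_MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, offset of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem: str) -> int:
    """Bit length of p in a PEM 'DH PARAMETERS' blob (PKCS#3 SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def dh_allowed(bits: int, seclevel: int) -> bool:
    """True if a DH group of this size survives SSL_CTX_set_tmp_dh at this SECLEVEL."""
    return bits >= SECLEVEL_MIN_DH_BITS[seclevel]

def make_dh_pem(prime_bits: int, g: int = 2) -> str:
    """Constructed test fixture: p is a stand-in of the requested size, NOT a safe prime."""
    def der(tag: int, body: bytes) -> bytes:
        n = len(body)
        if n < 0x80:
            return bytes([tag, n]) + body
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    def der_int(v: int) -> bytes:  # extra leading byte when the top bit is set
        return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    p = (1 << (prime_bits - 1)) | 1          # exact bit length, odd
    b64 = base64.b64encode(der(0x30, der_int(p) + der_int(g))).decode()
    body = "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    bits = dh_prime_bits(make_dh_pem(2048))   # MySQL's built-in group is 2048-bit
    for level in (2, 3):                      # the answer's CIS host pins SECLEVEL=3
        print(f"SECLEVEL={level}: {bits}-bit DH", "ok" if dh_allowed(bits, level) else "REJECTED")
```

Run against a real `openssl dhparam` output file, `dh_prime_bits` tells you before a restart whether the group will be rejected at the host's SECLEVEL; MySQL itself does not read such a file, so for it the only knobs are the SECLEVEL in openssl.cnf or a build with a larger built-in group.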
Original content by Database Administration. Source:

https://dba.stackexchange.com/questions/324919
