
Distributed | how to make "secret calls" with dble

2022-06-24 10:05:00 Aikesheng open source community

Author: Cai Wei

A member of the dble middleware test team, mainly responsible for dble's day-to-day testing; keen on exploring and learning new technologies.

Source of this article: original contribution

* Produced by the Aikesheng open source community. Original content may not be used without authorization; for reprints, please contact the editor and indicate the source.

SSL protocol brief

As everyone knows, data transmitted over the network in clear text is easy to sniff and steal, which creates real security problems. For sensitive personal information, and even for a company's data, this is undoubtedly a great risk.

Given this, there is naturally a need to "wrap" the data transmitted over the network, and SSL was born in that context. Netscape proposed the SSL security protocol in 1996. It sits between the application layer and the transport layer, and its design is comprehensive and involves many concepts: it not only "wraps" data (data encryption) but also provides authentication and message integrity verification mechanisms. It has made a great contribution to securing data transmission over the network and has greatly improved the security of the Internet.

Encrypted communication is just as important at the database level: the data storage of any business ultimately lands in a database, so its importance is self-evident. For MySQL, SSL has long been a mature and widely used feature. The protocol implementation and the encryption algorithms are not the focus of this article and are not covered here; please refer to the earlier article: MySQL: SSL Connection Analysis.

SSL and DBLE

Overview

As a database middleware product, DBLE sits in front of MySQL: once MySQL instances are mounted as DBLE back ends, the client can stop connecting to MySQL entirely and connect directly to DBLE. So here comes the question: how is the data secured while the client communicates with DBLE? Obviously, DBLE needs to learn from MySQL here and arm itself with SSL to protect user data in transit.

The upcoming DBLE release will support SSL-encrypted connections. Note that the current encryption covers only the Client to DBLE communication stage; the DBLE to MySQL stage is not yet involved. The already published DBLE 3.22.01.1 is the first release to support SSL, and interested readers can download that version to try it out.

Usage

DBLE's SSL connection configuration is somewhat similar to MySQL's, but not identical. The following is a brief introduction to using SSL encryption with DBLE.

Anyone familiar with SSL knows that using it presupposes a set of certificates (and the key material that goes with them), and DBLE is no exception. MySQL uses self-signed certificates. A self-signed certificate is a digital certificate issued by a CA that is not a trusted one, in other words a certificate you issue yourself. Unlike a traditional digital certificate issued by a trusted CA, a self-signed certificate is created, issued and signed by the company or software developer itself. DBLE takes the same approach as MySQL: self-signed certificates are used as the SSL certificates.

Certificate creation

Certificates are created with OpenSSL; if it is not installed on the machine, install OpenSSL manually.

1. Create the CA self-signed certificate (including the public key) and its private key

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

2. Create the server private key and issue the server digital certificate

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

3. Create the client private key and issue the client digital certificate (same as above)

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

4. Verify that the server and client digital certificates are trusted; when the output is OK, they are

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

It is worth mentioning that MySQL's one-click certificate generator, mysql_ssl_rsa_setup, produces certificates following the same rules as above, so the more convenient approach is to use mysql_ssl_rsa_setup directly to generate the corresponding certificate files (for DBLE, the certificate type conversion described below is still required).

Certificate type conversion

Because DBLE is developed in Java, the pem and crt files generated by OpenSSL cannot be read by Java directly; they must be converted to p12 or jks format with the keytool utility (which ships with Java, so nothing extra needs to be installed once Java is installed). Likewise, if the client is JDBC, the certificates referenced in the connection URL must be the converted files; other drivers can use the pem certificate files as they are.

1. Import ca.pem into a Java keystore. The keystore types supported by Java are JKS, JCEKS, PKCS12, PKCS11 and DKS. Here a keystore of type JKS named truststore.jks is generated; the password can be chosen freely and is set to 123456 here.

keytool -import -noprompt -file ca.pem -keystore truststore.jks -storepass 123456

2. Convert server-cert.pem and server-key.pem into a p12 keystore, then convert that into a JKS keystore; the password can be chosen freely and is set to 123456 here.

openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out serverkeystore.p12 -passout pass:123456
keytool -importkeystore -srckeystore serverkeystore.p12 -srcstoretype PKCS12 -destkeystore serverkeystore.jks -srcstorepass 123456 -deststorepass 123456

3. Similarly, convert the client certificate files into a JKS keystore; the password can be chosen freely and is set to 123456 here.

openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out clientkeystore.p12 -passout pass:123456
keytool -importkeystore -srckeystore clientkeystore.p12 -srcstoretype PKCS12 -destkeystore clientkeystore.jks -srcstorepass 123456 -deststorepass 123456

At this point we have obtained the following key files:

| Certificate | Description |
|---|---|
| ca.pem | Self-signed CA certificate; used to verify that digital certificates are trustworthy |
| server-cert.pem, server-key.pem | Server digital certificate and private key; the server's identity, for languages other than Java |
| client-cert.pem, client-key.pem | Client digital certificate and private key; the client's identity, for languages other than Java |
| truststore.jks | JKS keystore containing the self-signed CA certificate; for Java |
| serverkeystore.jks | JKS keystore containing the server digital certificate and private key; for Java |
| clientkeystore.jks | JKS keystore containing the client digital certificate and private key; for Java |

Server-side DBLE configuration

When SSL is used, DBLE as the server needs the relevant files configured manually and the feature switched on. As in MySQL, we provide a switch, supportSSL, that indicates whether SSL is enabled; it defaults to false, so if SSL connections are needed, first make sure this switch is on. The certificate information also has to be configured. Add the following to bootstrap.cnf:

-DsupportSSL=true
-DserverCertificateKeyStoreUrl=${path}/serverkeystore.jks
-DserverCertificateKeyStorePwd=123456
-DtrustCertificateKeyStoreUrl=${path}/truststore.jks
-DtrustCertificateKeyStorePwd=123456

Once the configuration is complete, restart dble.

To make it easy to query SSL status, the dble_information schema on the DBLE management side has gained some metadata for maintaining SSL. After confirming that the configuration is correct and restarting dble, the corresponding SSL configuration and status can be looked up on the DBLE management side.
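A quick way to confirm that supportSSL actually took effect, and that the certificate DBLE presents chains to ca.pem, is to speak the first few bytes of the MySQL protocol yourself. The following Python probe is an added example (not part of the original article or the DBLE project): it reads DBLE's initial handshake packet, checks the CLIENT_SSL capability bit, sends the SSLRequest packet and completes a TLS handshake verified against the CA, which is what --ssl-mode=VERIFY_CA does. host, port and ca_file are values you supply; the parser and packet builder work offline.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x00000200  # MySQL capability bits involved in the TLS switch
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000

def parse_handshake(payload: bytes) -> dict:
    """Parse a HandshakeV10 payload (4-byte packet header removed); report the CLIENT_SSL bit."""
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)  # server version is NUL-terminated
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1  # skip connection id, auth-data part 1 and the filler byte
    lo, _charset, _status, hi = struct.unpack_from("<HBHH", payload, pos)
    caps = lo | (hi << 16)
    return {"version": version, "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request(seq: int = 1) -> bytes:
    """Build the SSLRequest packet a 4.1 client sends right before starting TLS."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 16 * 1024 * 1024, 33) + bytes(23)  # 33 = utf8 charset
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def recv_packet(sock: socket.socket) -> bytes:
    """Read one MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    buf, need = b"", 4
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
        if len(buf) == 4:
            need = 4 + int.from_bytes(buf[:3], "little")
    return buf[4:]

def probe(host: str, port: int, ca_file: str) -> dict:
    """Require CLIENT_SSL from DBLE, then finish a TLS handshake verified against ca.pem."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # VERIFY_CA semantics: the self-signed cert carries no usable host name
    with socket.create_connection((host, port), timeout=5) as sock:
        info = parse_handshake(recv_packet(sock))
        if not info["ssl"]:
            raise RuntimeError("server does not advertise SSL; check supportSSL in bootstrap.cnf")
        sock.sendall(build_ssl_request())
        with ctx.wrap_socket(sock) as tls:
            info["tls_version"] = tls.version()
            info["peer_subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    return info
```

If the CA in ca.pem did not sign the certificate inside serverkeystore.jks, wrap_socket raises an ssl.SSLCertVerificationError, which is the same failure a VERIFY_CA client would see.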

Client connection configuration

When connecting to MySQL with SSL there are several connection modes, and the same modes apply to DBLE. Below are the encrypted-connection configurations for two common clients in each mode:

DISABLED
MySQL client: mysql -uroot -proot --ssl-mode=DISABLED
JDBC: jdbc:mysql://ip:port/schema?useSSL=false

PREFERRED
MySQL client: mysql -uroot -proot --ssl-mode=PREFERRED
JDBC: jdbc:mysql://ip:port/schema?requireSSL=false&useSSL=true&verifyServerCertificate=false

REQUIRED
MySQL client: mysql -uroot -proot --ssl-mode=REQUIRED
JDBC: jdbc:mysql://ip:port/schema?requireSSL=true&useSSL=true&verifyServerCertificate=false

VERIFY_CA
One-way authentication (the client authenticates the server's identity):
MySQL client: mysql -uroot -proot --ssl-mode=VERIFY_CA --ssl-ca='${self-signed CA certificate}'
JDBC: jdbc:mysql://ip:port/schema?requireSSL=true&useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:${JKS keystore containing the self-signed CA certificate}&trustCertificateKeyStorePassword=${password of the CA JKS keystore}
Two-way authentication:
MySQL client: mysql -uroot -proot --ssl-mode=VERIFY_CA --ssl-ca='${self-signed CA certificate}' --ssl-cert='${client digital certificate}' --ssl-key='${client private key}'
JDBC: jdbc:mysql://ip:port/schema?requireSSL=true&useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:${JKS keystore containing the self-signed CA certificate}&trustCertificateKeyStorePassword=${password of the CA JKS keystore}&clientCertificateKeyStoreUrl=file:${JKS keystore containing the client digital certificate and private key}&clientCertificateKeyStorePassword=${password of the client JKS keystore}

VERIFY_IDENTITY
Based on VERIFY_CA, but additionally checks the server's host name against the certificate. The self-signed certificate created above is not suitable for this mode, so it is not recommended here.

Experiment

disabled mode

Before connecting to DBLE with SSL encryption, let's first use the packet capture tool Wireshark to look at how data is transmitted when connecting to DBLE without encryption, taking a JDBC client as the example. Before running the query, the author had already configured and enabled SSL on the DBLE side following the steps above, created the user table and prepared the relevant data; that is not repeated here.

1. Connect to DBLE without encryption. The following JDBC demo, given for reference, connects to DBLE and queries the user table:

import java.io.FileInputStream;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class SslTest {

    private static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";

    // Minimal value type for the rows read back from the user table
    static class User {
        private final String name;

        User(String name) {
            this.name = name;
        }

        @Override
        public String toString() {
            return name;
        }
    }

    public static void main(String[] args) throws SQLException, IOException, ClassNotFoundException {
        List<User> res = disabled();
        System.out.println(res);
    }

    public static List<User> disabled() throws ClassNotFoundException, IOException, SQLException {

        List<User> usersList = new ArrayList<>();
        // host, port, db, user and password are read from a properties file
        Properties pro = new Properties();
        try (FileInputStream fis = new FileInputStream("E:\\jdbc\\src\\main\\resources\\dble.properties")) {
            pro.load(fis);
        }

        Class.forName(JDBC_DRIVER);
        String url = "jdbc:mysql://" + pro.getProperty("host") + ":" + pro.getProperty("port") + "/" + pro.getProperty("db");
        String fullUrlString = url + "?useSSL=false";    // unencrypted connection

        try (Connection conn = DriverManager.getConnection(fullUrlString, pro.getProperty("user"), pro.getProperty("password"));
             PreparedStatement ps = conn.prepareStatement("select username from user");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                String name = rs.getString("username");
                usersList.add(new User(name));
            }
        }
        return usersList;
    }
}

2. Start the capture, run the demo query, then filter and parse the packets:

It can be seen that the transmitted data, including the login information, the SQL and the returned rows, are all readable in clear text once Wireshark has parsed them.

required mode

Only one SSL mode, required, is tested and demonstrated here. Make a small change to the JDBC demo above, replacing the URL parameters with those of the corresponding mode (as shown below), and the communication is encrypted:

String fullUrlString = url
        + "?useSSL=true&requireSSL=true&verifyServerCertificate=false";

Capture again, run the demo query, then parse and filter the packets:

It can be seen that after the TCP connection is established, the SSL protocol goes through the handshake and authentication between the two parties (for a detailed protocol analysis see https://www.jianshu.com/p/8028bcbc4e05). After that, the packets are encrypted according to the TLS protocol before transmission, so even after preliminary parsing the transmitted data cannot be read, and data security is ensured. Of course, if the server's SSL key file is available, adding it under Wireshark's SSL protocol settings also allows the transmitted packets to be decrypted and parsed (note that this only works for RSA key exchange; with forward-secret cipher suites Wireshark needs a pre-master secret log instead). That is not demonstrated here; interested readers can try it themselves.

Summary

Everything has two sides. An encrypted connection protects the data, but on the other hand some performance is undoubtedly sacrificed. In terms of how SSL works, establishing a connection requires a handshake plus encryption and decryption operations, so the cost is concentrated in the connection establishment stage. This is not very friendly to applications that use short-lived connections, since it causes a large performance loss; applications that use connection pools or long-lived connections fare much better. Therefore, for applications that require high performance, or that do not handle core sensitive data and for which performance and availability matter most, not using SSL is recommended.

Another difference to note: DBLE's SSL settings have no equivalent of MySQL's require_secure_transport setting that forces the use of secure connections, nor is SSL applicability distinguished per user. As long as the DBLE server has SSL enabled and correctly configured, every user can choose whether or not to use an SSL-encrypted connection when connecting to DBLE.

Copyright notice: this article was created by [Aikesheng open source community]; please include the original link when reprinting. Thank you.
https://yzsam.com/2022/175/202206240937550583.html