在 go 中使用 ssl 和证书连接到 mysql/mariadb

【问题标题】:Connect to mysql/mariadb with ssl and certs in go在 go 中使用 ssl 和证书连接到 mysql/mariadb
【发布时间】:2021-07-10 13:19:03
【问题描述】:

当只需要用户名和密码时,如何使用 go/golang 连接到 mariadb/mysql 数据库有很多示例。但我还没有找到客户端需要证书(TLS/SSL)来连接的简单示例。

这适用于普通连接

package main

import (
    "database/sql"
    "fmt"
    "log"

    _ "github.com/go-sql-driver/mysql"
) 

// Test that db is usable
// prints current date & time to stdout
func queryDB(db *sql.DB) {
    // Query the database
    var result string
    err := db.QueryRow("SELECT NOW()").Scan(&result)
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(result)
}

func main() {
    // generate connection string
    cs := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", "username", "password", "dbHost", "dbPort", "database")
    db, err := sql.Open("mysql", cs)
    if err != nil {
        log.Printf("Error %s when opening DB\n", err)
        log.Printf("%s", cs)
        return
    }
    defer db.Close()
    e := db.Ping()
    fmt.Println(cs, e)
    queryDB(db)
}

但是如果客户端需要证书来连接,我应该把这些信息放在哪里?

在我的my.cnf 中是这些行:

[mysql]
## MySQL Client Configuration ##
ssl-ca=cert/ca-cert.pem
ssl-cert=cert/client-cert.pem
ssl-key=cert/client-key.pem

【问题讨论】:

    标签: mysql go ssl mariadb client-certificates


    【解决方案1】:

    为了能够使用证书进行身份验证,您必须创建一个tls.Config,然后执行一个mysql.RegisterTLSConfig("custom", &tlsConf) 并将"?tsl=custom" 添加到连接字符串中。

    其中tls 来自"crypto/tls"mysql 来自"github.com/go-sql-driver/mysql"

    一个工作示例:

    package main

import (
    "crypto/tls"
    "crypto/x509"
    "database/sql"
    "fmt"
    "io/ioutil"
    "log"

    "github.com/go-sql-driver/mysql"
    _ "github.com/go-sql-driver/mysql"
)


// path to cert-files hard coded
// Most of this is copy pasted from the internet
// and used without much reflection
func createTLSConf() tls.Config {

    rootCertPool := x509.NewCertPool()
    pem, err := ioutil.ReadFile("cert/ca-cert.pem")
    if err != nil {
        log.Fatal(err)
    }
    if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
        log.Fatal("Failed to append PEM.")
    }
    clientCert := make([]tls.Certificate, 0, 1)

    certs, err := tls.LoadX509KeyPair("cert/client-cert.pem", "cert/client-key.pem")
    if err != nil {
        log.Fatal(err)
    }

    clientCert = append(clientCert, certs)

    return tls.Config{
        RootCAs:            rootCertPool,
        Certificates:       clientCert,
        InsecureSkipVerify: true, // needed for self signed certs
    }
}


// Test that db is usable
// prints version to stdout
func queryDB(db *sql.DB) {
    // Query the database
    var result string
    err := db.QueryRow("SELECT NOW()").Scan(&result)
    if err != nil {
        log.Fatal(err)
    }
    fmt.Println(result)
}

func main() {

    // When I realized that the tls/ssl/cert thing was handled separately
    // it became easier, the following two lines are the important bit
    tlsConf := createTLSConf()  
    err := mysql.RegisterTLSConfig("custom", &tlsConf)

    if err != nil {
        log.Printf("Error %s when RegisterTLSConfig\n", err)
        return
    }

    // connection string (dataSourceName) is slightly different
    dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?tls=custom", "username", "password", "dbHost", "dbPort", "database")
    db1, err := sql.Open("mysql", dsn)

    if err != nil {
        log.Printf("Error %s when opening DB\n", err)
        log.Printf("%s", dsn)
        return
    }
    defer db1.Close()
    e := db1.Ping()
    fmt.Println(dsn, e)
    queryDB(db1)
}

    【讨论】:

      猜你喜欢
      • 2018-04-04
      • 2018-08-19
      • 2012-12-12
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2022-10-18
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode