diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 877a860..6469543 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,18 +21,18 @@ jobs: DENO_VERSION: - v1.x DB_VERSION: - - mysql:5.5 - - mysql:5.6 +# - mysql:5.5 +# - mysql:5.6 - mysql:5.7 - mysql:8 - - mysql:latest - - mariadb:5.5 - - mariadb:10.0 - - mariadb:10.1 - - mariadb:10.2 - - mariadb:10.3 - - mariadb:10.4 - - mariadb:latest +# - mysql:latest +# - mariadb:5.5 +# - mariadb:10.0 +# - mariadb:10.1 +# - mariadb:10.2 +# - mariadb:10.3 +# - mariadb:10.4 +# - mariadb:latest steps: - uses: actions/checkout@v1 @@ -45,16 +45,23 @@ jobs: - name: Start ${{ matrix.DB_VERSION }} run: | sudo mkdir -p /var/run/mysqld/tmp + sudo mkdir -p /etc/mysql + sudo cp -r tls/cert /etc/cert + sudo cp -r tls/conf.d /etc/conf.d + sudo chmod -R 644 /etc/mysql sudo chmod -R 777 /var/run/mysqld docker container run --name mysql --rm -d -p 3306:3306 \ -v /var/run/mysqld:/var/run/mysqld \ -v /var/run/mysqld/tmp:/tmp \ + -v /etc/cert:/etc/mysql/cert \ + -v /etc/conf.d:/etc/mysql/conf.d \ -e MYSQL_ROOT_PASSWORD=root \ ${{ matrix.DB_VERSION }} ./.github/workflows/wait-for-mysql.sh - name: Run tests (TCP) run: | - deno test --allow-env --allow-net=127.0.0.1:3306 ./test.ts + mysql -uroot -h 127.0.0.1 -proot -e "show variables like '%ssl%'" + deno test --allow-env --allow-net=127.0.0.1:3306,127.0.0.1:0 --allow-read=tls ./test.ts - name: Run tests (--unstable) (UNIX domain socket) run: | SOCKPATH=/var/run/mysqld/mysqld.sock diff --git a/.gitignore b/.gitignore index c3cbfb0..520cb2b 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,5 @@ node_modules mysql.log docs .DS_Store +.idea diff --git a/README.md b/README.md index 38f9802..bf9be3e 100644 --- a/README.md +++ b/README.md 
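Review bot: Commenting out mysql:5.5, mysql:5.6, mysql:latest and every mariadb entry in the DB_VERSION matrix drops those servers from CI without recording why; nothing in the hunk says whether they fail the TLS setup added further down or were removed for another reason. A one-line YAML comment above the block, e.g. `# disabled: <reason> — re-enable once <condition>`, keeps the reduced coverage visible instead of letting it become permanent by default. Since the change is presumably tied to the new tls/conf.d configuration, the comment should say so explicitly if that is the case.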
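Review bot: `sudo chmod -R 644 /etc/mysql` acts on a directory the step has just created empty; the certificates and config are copied to `/etc/cert` and `/etc/conf.d`, so the chmod never touches them and `server-key.pem` is mounted with whatever mode `cp -r` preserved. If the intent is to make the files readable by the mysqld user inside the container, the target should be the copied trees, and a recursive 644 also clears the execute bit on the directories themselves, so `sudo chmod 644 /etc/cert/* /etc/conf.d/*` on the files alone is the safer form. The `mysql ... -e "show variables like '%ssl%'"` line is diagnostic output only and does not fail the job when TLS did not come up, so a broken server-side setup only surfaces later as a test failure; a comment saying it is informational would prevent a reader from taking it for an assertion.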
@@ -143,6 +143,35 @@ const users = await client.transaction(async (conn) => { console.log(users.length); ``` +### TLS + +TLS configuration: + +- caCerts([]string): A list of root certificates (must be PEM format) that will + be used in addition to the default root certificates to verify the peer's + certificate. +- mode(string): The TLS mode to use. Valid values are "disabled", + "verify_identity". Defaults to "disabled". + +You usually need not specify the caCert, unless the certificate is not included +in the default root certificates. + +```ts +import { Client } from "https://deno.land/x/mysql/mod.ts"; +const client = await new Client().connect({ + hostname: "127.0.0.1", + username: "root", + db: "dbname", + password: "password", + tls: { + mode: "verify_identity", + caCerts: [ + await Deno.readTextFile("capath"), + ], + }, +}); +``` + ### close ```ts diff --git a/src/client.ts b/src/client.ts index 42afe42..4dd4ce2 100644 --- a/src/client.ts +++ b/src/client.ts @@ -28,6 +28,23 @@ export interface ClientConfig { idleTimeout?: number; /** charset */ charset?: string; + /** tls config */ + tls?: TLSConfig; +} + +export enum TLSMode { + DISABLED = "disabled", + VERIFY_IDENTITY = "verify_identity", +} +/** + * TLS Config + */ +export interface TLSConfig { + /** mode of tls. only support disabled and verify_identity now*/ + mode?: string; + /** A list of root certificates (must be PEM format) that will be used in addition to the + * default root certificates to verify the peer's certificate. */ + caCerts?: string[]; } /** Transaction processor */ diff --git a/src/connection.ts b/src/connection.ts index c6d9729..726bdc1 100644 --- a/src/connection.ts +++ b/src/connection.ts @@ -1,4 +1,4 @@ -import { ClientConfig } from "./client.ts"; +import { ClientConfig, TLSMode } from "./client.ts"; import { ConnnectionError, ProtocolError, 
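Review bot: `TLSConfig.mode` is declared as `string` although the same hunk introduces `TLSMode` for exactly these values, so a misspelling such as `"verify_identify"` passes the type checker and is only rejected at connect time. Declaring it as `mode?: TLSMode` (or the template literal type of that enum, if callers must keep passing plain strings) lets tsc catch the typo. The doc comment should also state the default explicitly: when `mode` is unset the connection stays plaintext, which is what the README hunk in this commit documents as "disabled".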
@@ -21,6 +21,7 @@ import authPlugin from "./auth_plugin/index.ts"; import { parseAuthSwitch } from "./packets/parsers/authswitch.ts"; import auth from "./auth.ts"; import ServerCapabilities from "./constant/capabilities.ts"; +import { buildSSLRequest } from "./packets/builders/tls.ts"; /** * Connection state @@ -62,6 +63,13 @@ export class Connection { private async _connect() { // TODO: implement connect timeout + if ( + this.config.tls?.mode && + this.config.tls.mode.toLocaleLowerCase() !== TLSMode.DISABLED && + this.config.tls.mode.toLocaleLowerCase() !== TLSMode.VERIFY_IDENTITY + ) { + throw new Error("unsupported tls mode"); + } const { hostname, port = 3306, socketPath, username = "", password } = this.config; log.info(`connecting ${this.remoteAddr}`); @@ -79,13 +87,46 @@ export class Connection { try { let receive = await this.nextPacket(); const handshakePacket = parseHandshake(receive.body); + + let handshakeSequenceNumber = receive.header.no; + + // Deno.startTls() only supports VERIFY_IDENTITY now. + let isSSL = false; + if ( + this.config.tls?.mode?.toLocaleLowerCase() === TLSMode.VERIFY_IDENTITY + ) { + if ( + (handshakePacket.serverCapabilities & + ServerCapabilities.CLIENT_SSL) === 0 + ) { + throw new Error("Server does not support TLS"); + } + if ( + (handshakePacket.serverCapabilities & + ServerCapabilities.CLIENT_SSL) !== 0 + ) { + const tlsData = buildSSLRequest(handshakePacket, { + db: this.config.db, + }); + await new SendPacket(tlsData, ++handshakeSequenceNumber).send( + this.conn, + ); + this.conn = await Deno.startTls(this.conn, { + hostname, + caCerts: this.config.tls?.caCerts, + }); + } + isSSL = true; + } + const data = buildAuth(handshakePacket, { username, password, db: this.config.db, + ssl: isSSL, }); - await new SendPacket(data, 0x1).send(this.conn); + await new SendPacket(data, ++handshakeSequenceNumber).send(this.conn); this.state = ConnectionState.CONNECTING; this.serverVersion = handshakePacket.serverVersion; 
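Review bot: The mode check at the top of `_connect` uses `toLocaleLowerCase()`, which is locale-dependent: under a Turkish locale the capital I in a value like `"VERIFY_IDENTITY"` lowercases to a dotless ı and the comparison against `TLSMode.VERIFY_IDENTITY` fails. `toLowerCase()` is the right call for protocol keywords; the same applies to the comparison in the handshake hunk below. Including the rejected value in the error, `throw new Error(\`unsupported tls mode: ${this.config.tls.mode}\`);`, makes a misconfiguration easier to diagnose. `_connect` continues outside the hunk.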
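Review bot: The second `if ((handshakePacket.serverCapabilities & ServerCapabilities.CLIENT_SSL) !== 0)` is always true, because the preceding check has already thrown when the bit is clear; the inner block can be flattened and `isSSL = true` placed next to it. Throwing when the server lacks CLIENT_SSL is the right behaviour for verify_identity and deserves a comment such as `// never fall back to plaintext once TLS was requested`, so a later refactor does not turn it into a downgrade. `hostname` is handed to `Deno.startTls` unguarded; when the client was configured with `socketPath` rather than `hostname` it appears to be undefined here, and what the certificate is then verified against should be confirmed. The rest of `_connect` runs past the end of the hunk.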
diff --git a/src/constant/capabilities.ts b/src/constant/capabilities.ts index 6477e1a..a411d79 100644 --- a/src/constant/capabilities.ts +++ b/src/constant/capabilities.ts @@ -1,20 +1,27 @@ enum ServerCapabilities { - CLIENT_PROTOCOL_41 = 0x00000200, - CLIENT_CONNECT_WITH_DB = 0x00000008, - CLIENT_LONG_FLAG = 0x00000004, - CLIENT_DEPRECATE_EOF = 0x01000000, CLIENT_LONG_PASSWORD = 0x00000001, - CLIENT_TRANSACTIONS = 0x00002000, - CLIENT_MULTI_RESULTS = 0x00020000, - CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000, - CLIENT_PLUGIN_AUTH = 0x80000, - CLIENT_SECURE_CONNECTION = 0x8000, CLIENT_FOUND_ROWS = 0x00000002, - CLIENT_CONNECT_ATTRS = 0x00100000, + CLIENT_LONG_FLAG = 0x00000004, + CLIENT_CONNECT_WITH_DB = 0x00000008, + CLIENT_NO_SCHEMA = 0x00000010, + CLIENT_COMPRESS = 0x00000020, + CLIENT_ODBC = 0x00000040, + CLIENT_LOCAL_FILES = 0x00000080, CLIENT_IGNORE_SPACE = 0x00000100, + CLIENT_PROTOCOL_41 = 0x00000200, + CLIENT_INTERACTIVE = 0x00000400, + CLIENT_SSL = 0x00000800, CLIENT_IGNORE_SIGPIPE = 0x00001000, + CLIENT_TRANSACTIONS = 0x00002000, CLIENT_RESERVED = 0x00004000, + CLIENT_SECURE_CONNECTION = 0x00008000, + CLIENT_MULTI_STATEMENTS = 0x00010000, + CLIENT_MULTI_RESULTS = 0x00020000, CLIENT_PS_MULTI_RESULTS = 0x00040000, + CLIENT_PLUGIN_AUTH = 0x00080000, + CLIENT_CONNECT_ATTRS = 0x00100000, + CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000, + CLIENT_DEPRECATE_EOF = 0x01000000, } export default ServerCapabilities; diff --git a/src/logger.ts b/src/logger.ts index 17250d3..dad062a 100644 --- a/src/logger.ts +++ b/src/logger.ts @@ -29,7 +29,7 @@ export async function configLogger(config: LoggerConfig) { if (!enable) { logger = new log.Logger("fakeLogger", "NOTSET", {}); - logger.level = 100; + logger.level = 0; } else { if (!config.logger) { await log.setup({ diff --git a/src/packets/builders/auth.ts b/src/packets/builders/auth.ts index abbee55..f073e7d 100644 --- a/src/packets/builders/auth.ts +++ b/src/packets/builders/auth.ts 
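Review bot: `logger.level = 0` in `configLogger` changes the disabled logger from a level no record can reach (100) to NOTSET, so every record now passes the level filter and silence depends entirely on the handler map passed to the constructor staying empty; the hunk gives no reason for the change. If the std/log version in use rejects 100 as an unknown level, say so in a comment, e.g. `// NOTSET: silence comes from the empty handler map, not the level`, so the next reader does not "fix" it back. `configLogger` continues outside the hunk.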
@@ -3,24 +3,17 @@ import { BufferWriter } from "../../buffer.ts"; import ServerCapabilities from "../../constant/capabilities.ts"; import { Charset } from "../../constant/charset.ts"; import type { HandshakeBody } from "../parsers/handshake.ts"; +import { clientCapabilities } from "./client_capabilities.ts"; /** @ignore */ export function buildAuth( packet: HandshakeBody, - params: { username: string; password?: string; db?: string }, + params: { username: string; password?: string; db?: string; ssl?: boolean }, ): Uint8Array { - const clientParam: number = - (params.db ? ServerCapabilities.CLIENT_CONNECT_WITH_DB : 0) | - ServerCapabilities.CLIENT_PLUGIN_AUTH | - ServerCapabilities.CLIENT_LONG_PASSWORD | - ServerCapabilities.CLIENT_PROTOCOL_41 | - ServerCapabilities.CLIENT_TRANSACTIONS | - ServerCapabilities.CLIENT_MULTI_RESULTS | - ServerCapabilities.CLIENT_SECURE_CONNECTION | - (ServerCapabilities.CLIENT_LONG_FLAG & packet.serverCapabilities) | - (ServerCapabilities.CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA & - packet.serverCapabilities) | - (ServerCapabilities.CLIENT_DEPRECATE_EOF & packet.serverCapabilities); + const clientParam: number = clientCapabilities(packet, { + db: params.db, + ssl: params.ssl, + }); if (packet.serverCapabilities & ServerCapabilities.CLIENT_PLUGIN_AUTH) { const writer = new BufferWriter(new Uint8Array(1000)); diff --git a/src/packets/builders/client_capabilities.ts b/src/packets/builders/client_capabilities.ts new file mode 100644 index 0000000..842fdcb --- /dev/null +++ b/src/packets/builders/client_capabilities.ts 
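Review bot: The new `ssl` parameter of `buildAuth` is undocumented; the header should say that it must match what was sent in the preceding SSLRequest (`buildSSLRequest` passes `ssl: true`), since the MySQL protocol expects the capability flags of the two packets to agree. A TSDoc line such as `@param params.ssl - set when an SSLRequest was sent; must mirror buildSSLRequest` covers it. The explicit `: number` annotation on `clientParam` is redundant now that the value comes from a typed function. `buildAuth` continues past the end of the hunk.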
@@ -0,0 +1,20 @@ +import ServerCapabilities from "../../constant/capabilities.ts"; +import type { HandshakeBody } from "../parsers/handshake.ts"; + +export function clientCapabilities( + packet: HandshakeBody, + params: { db?: string; ssl?: boolean }, +): number { + return (params.db ? ServerCapabilities.CLIENT_CONNECT_WITH_DB : 0) | + ServerCapabilities.CLIENT_PLUGIN_AUTH | + ServerCapabilities.CLIENT_LONG_PASSWORD | + ServerCapabilities.CLIENT_PROTOCOL_41 | + ServerCapabilities.CLIENT_TRANSACTIONS | + ServerCapabilities.CLIENT_MULTI_RESULTS | + ServerCapabilities.CLIENT_SECURE_CONNECTION | + (ServerCapabilities.CLIENT_LONG_FLAG & packet.serverCapabilities) | + (ServerCapabilities.CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA & + packet.serverCapabilities) | + (ServerCapabilities.CLIENT_DEPRECATE_EOF & packet.serverCapabilities) | + (params.ssl ? ServerCapabilities.CLIENT_SSL : 0); +} diff --git a/src/packets/builders/tls.ts b/src/packets/builders/tls.ts new file mode 100644 index 0000000..487301a --- /dev/null +++ b/src/packets/builders/tls.ts @@ -0,0 +1,21 @@ +import { BufferWriter } from "../../buffer.ts"; +import { Charset } from "../../constant/charset.ts"; +import type { HandshakeBody } from "../parsers/handshake.ts"; +import { clientCapabilities } from "./client_capabilities.ts"; + +export function buildSSLRequest( + packet: HandshakeBody, + params: { db?: string }, +): Uint8Array { + const clientParam: number = clientCapabilities(packet, { + db: params.db, + ssl: true, + }); + const writer = new BufferWriter(new Uint8Array(32)); + writer + .writeUint32(clientParam) + .writeUint32(2 ** 24 - 1) + .write(Charset.UTF8_GENERAL_CI) + .skip(23); + return writer.wroteData; +} diff --git a/test.ts b/test.ts index a41ccb6..f1c3b7d 100644 --- a/test.ts +++ b/test.ts 
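Review bot: `clientCapabilities` and `buildSSLRequest` (tls.ts, same commit) are exported without any doc comment. Suggest TSDoc on `clientCapabilities` stating that it is the single source of the capability bitmask so the SSLRequest and the HandshakeResponse advertise identical flags, with `ssl` being the only bit the caller toggles, and on `buildSSLRequest` that the 32-byte layout is capability flags, max packet size, charset byte and 23 reserved bytes. In `buildSSLRequest` the `db` parameter only influences CLIENT_CONNECT_WITH_DB and is never written to the packet, which a reader may otherwise expect; one sentence on that avoids confusion.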
@@ -337,6 +337,17 @@ testWithClient(async function testDropUserWithMysqlNativePassword(client) { await client.execute(`DROP USER 'testuser'@'%'`); }); +testWithClient(async function testTLS(client) { + await client.execute(`show databases`); +}, { + tls: { + mode: "verify_identity", + caCerts: [ + await Deno.readTextFile("tls/cert/ca.pem"), + ], + }, +}); + registerTests(); Deno.test("configLogger()", async () => { diff --git a/tls/cert/ca-key.pem b/tls/cert/ca-key.pem new file mode 100644 index 0000000..ac8b107 --- /dev/null +++ b/tls/cert/ca-key.pem 
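Review bot: `testTLS` only proves that `connect` succeeds with `mode: "verify_identity"`; it does not confirm that the session is encrypted from the server's point of view. Querying `SHOW STATUS LIKE 'Ssl_cipher'` after the `show databases` call and asserting that the returned Value column is non-empty would catch a regression where the client silently skips `startTls`. If `testWithClient` also registers this case for the UNIX-socket run, as the CI workflow suggests, `hostname` is not set there and whether that combination is meant to pass should be confirmed.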
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvBn5IVf97VJvdG7Jy/lun30oX6yEOJe4XsJ5C9bcxn6pX5lJ +h+Ayon7Bd0HKsJiT4eG9ecyHeytruAJWdb0ARjg5y3UZO1RpPzt9BNedCkG0aD1b +EYwkBA0nfpmkdQjr4/0CjlK8pFAlwIqKqdYbxiAw9lmQFup90uzcswBigB+WoHK+ +dBMSISS+TvEPyoVEHxBORn7jDm1wYNNPuORFPrI/dArK3VXH4hbCZSkwtInLFzEG +HrgNjIt66lowA50V4nGcGVWMD6ipO6XouL7HFM4FGiaxvYan0J5tLEtNf2v3IfJo +7Rqh6jGh6Qy971KS1wOdGToOsZve9PIi6t54vQIDAQABAoIBADWb2WrtXwtiMS2n +3Y9qmWKPExChZFWUuBEZr9H1/Jn9w1vhnhlBhmzVX2ITuCa4dX0tDwlFh19NMrgQ +wn9vzEI3CBG6X+SO3CgPVkQpBzLDIx2KTwgjPqiA7z6fn0VTs5cYpr/VSLoztW64 +jWh2AxhmWE39nJlLX2zb4NKLS4dj+/GV89hztieVVAxuJsrIaon0bopwmVpgCcLi +olyAA4863Azr74JSCd2jT/yqWnX8s8voeEU3KcesREFB1dcJkGDrlhAihrDqPBwJ +hVgB2DJIXLFwby/tUtAEbIrB4goJ4vOYcBRI2+hPT4v/tw7C1JBHYnBh+lUu73iv +NkCnPikCgYEA6zbfFzFBNVYqMBbRCAmY27TDKYY9gJ085Kqm7aiEH7WttK6tbDxt +aeCxHqh/hR1NMuYW0T+YufWGZJbGNvn7CvxfqciMy1U1ZLk3O3lRJ80P4yiBuLS8 +FMStVSRiL2kuAPwhfLglOl8e1zofMjNAboOq4Al/hWsMEfbtQkrKvp8CgYEAzLlK +xdjg9UgJ/lZblGQzI9NUnsbmoGE3gaqLmFL0OZxyckSHYt+28OIMjlQb6GLBG1J1 +g2I2xwmZ4VF+VGrC+Ojr4qPHiQ/2eXcy0U0JIJSgIW0Ck3DXCWSaN8H6Ghz8hAL0 +3Trk5ly7BUyqkGNeDgZD1z42rNAf83vbnBHl9yMCgYAtbDtIz0o4cptTDhTv6GqM +gyvtKO9XlwXbYtk5rAFX3k3dRp5W+JRojeumcAOwQShXW/esEQv9XVzGsBc3Jq9E +P9h5gTEvUxUsjlgMNDFn7kHTLE9gzAZGPHT8rDoJzdYEeqw82ZLW4uehyKedmign +L2YgPbVSnomGLplC5A6jIQKBgFliVVlItf+h8msPvXBuxz1PGdUxNqSzjY6ZrdVV +8rfsrLNjZFExKCjIKX9DDeRKqdGKETDKAuyoLn2IHUYyTupqmAMeSxJ228Bw4Mkt +f1ywR7IQbF1/mQPK3uKVWONp4H6q48pr2mER/73ymU3tdLVe2uPxj+GoBStD2sCr +t+JNAoGABHm6F51ID5PAMDIqY4t6GptrZYXKGQ878rJv/RUw1b6ZTfB7dLPSMiiR +QT8Qt587WmkhiBXuGY257FbbTmE79qJsrUe7IfBcvtp6ETHEFaJ8AHMFteBEDhch +ABpzlHGdtpRxupXcQFuZrLXUrM67T4LHi82VWE2HJsqkhHwAwnc= +-----END RSA PRIVATE KEY----- diff --git a/tls/cert/ca.pem b/tls/cert/ca.pem new file mode 100644 index 0000000..4738733 --- /dev/null +++ b/tls/cert/ca.pem 
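Review bot: `tls/cert/ca-key.pem` is a CA private key committed to the repository, and `client-key.pem`, `private_key.pem` and `server-key.pem` follow in the same commit; anyone with the repo can issue certificates this CA signs, so the material must remain test-only and never be reused outside the CI harness. A short note in the README's TLS section, or a `tls/README`, stating that everything under `tls/` is a throwaway test PKI would make that explicit, and the files will need an allowlist entry for any secret scanner the project runs. `private_key.pem`, `public_key.pem`, `client-cert.pem` and `client-key.pem` are not referenced by `tls/conf.d/my.cnf` or by the test added in this diff; if they are unused, dropping them reduces the committed key material.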
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR +TF9TZXJ2ZXJfOC4wLjMyX0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X +DTIzMDQyNjExNTQxOFoXDTMzMDQyMzExNTQxOFowPDE6MDgGA1UEAwwxTXlTUUxf +U2VydmVyXzguMC4zMl9BdXRvX0dlbmVyYXRlZF9DQV9DZXJ0aWZpY2F0ZTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALwZ+SFX/e1Sb3Ruycv5bp99KF+s +hDiXuF7CeQvW3MZ+qV+ZSYfgMqJ+wXdByrCYk+HhvXnMh3sra7gCVnW9AEY4Oct1 +GTtUaT87fQTXnQpBtGg9WxGMJAQNJ36ZpHUI6+P9Ao5SvKRQJcCKiqnWG8YgMPZZ +kBbqfdLs3LMAYoAflqByvnQTEiEkvk7xD8qFRB8QTkZ+4w5tcGDTT7jkRT6yP3QK +yt1Vx+IWwmUpMLSJyxcxBh64DYyLeupaMAOdFeJxnBlVjA+oqTul6Li+xxTOBRom +sb2Gp9CebSxLTX9r9yHyaO0aoeoxoekMve9SktcDnRk6DrGb3vTyIureeL0CAwEA +AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGD6aeaiDt4sO +wAdRonwZGdLpwzTXtksPskJtl8qI/94EWqlFMkyeUfGcVHqGTvIxyfwM9Vk546j7 +ep3SpEfGFIGXV/1szD8Zi+2ocOAMUd4FqfaHaFS7gbp76eNbELgitqaJjKJX25sV +AatWSJysK0qiJJNTNL5SR9NsEouzKYCFSbv+AeiVIpF7tK3JjZ9JGPI5BMW1mPvc +9uC1hwKWXUuEfyH2WYi4EbSjEIry6/bDWcDWNAUKN1kb6Ms7zHcV9u9XwWmF+G8J +TN2Z5QwQYH3T2Ao7D+0aGamRwBnaZz4SSiR4CArDDl8YkI7lsEjkZJb6f9DOzhh+ +BNv5lkkyYg== +-----END CERTIFICATE----- diff --git a/tls/cert/client-cert.pem b/tls/cert/client-cert.pem new file mode 100644 index 0000000..65c3fe7 --- /dev/null +++ b/tls/cert/client-cert.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIBAzANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR +TF9TZXJ2ZXJfOC4wLjMyX0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X +DTIzMDQyNjExNTQxOFoXDTMzMDQyMzExNTQxOFowQDE+MDwGA1UEAww1TXlTUUxf +U2VydmVyXzguMC4zMl9BdXRvX0dlbmVyYXRlZF9DbGllbnRfQ2VydGlmaWNhdGUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCwjYG3FQpc/HgJ62nRAa3 +rha9hbmBdF66uqgrTpFiFyFY67WWhc1KOJZIY8tlI5v+QTqVg/oGQ0pfvVAUNofI +ZVyzgUUNpyg8t2OME6czZFPQkNqUNtY0N3N9VTTdo5X4KERNid1rwsvHwwDlmasH +F0Nfc8Eeg643LnEHGEOufLuuRnBgMPtiwt6Ynff4O97VsTpVwPxuS/IEQMl66jSv +D/Y0LNBd6knQ+eMCBJHAJxApdvAD88R44t+iVt1walUiEHHb3SZLl66Z4Uu3Tnkq +aTFbSUDUTD+wHbI4pz2D7dRslJYVOul8p33V5Kbg0cuMDIk8lHo3fm1A81No0AV5 +AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAByAq67eFvki +ehdqusTmC3PHb6/wegxuIpk2xmiKJ/26N7OuydrtIfDjq9KBhdfxdtMzJ2YapQQS +NDx5Sp+SVlY8ODMn0PdrFHz38YAi6IGjkZNWJdwDOtVNQO7G4X60xReqMGicBaZ5 +3WjL4ore1LSdNOHjqrH7OZWC8ykuUOX8hQ+FvxoAtQc8hCa554AcWbKWkvhJiQ2z +vGjjIENxpO/QzlPmg0OlNRCUz3GdmUJyRbRSRZXH1nvwy3lv+bTVK/sWa1kXhu4L +dS/hUkDZ2zYnV+yhFnaf+EYZ8PGEjGYC0QfW5NE3VpzPp3vxK0YMkusJpMPKtVu/ +i0pA2RyE5Dg= +-----END CERTIFICATE----- diff --git a/tls/cert/client-key.pem b/tls/cert/client-key.pem new file mode 100644 index 0000000..d8a6a88 --- /dev/null +++ b/tls/cert/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwsI2BtxUKXPx4Cetp0QGt64WvYW5gXReurqoK06RYhchWOu1 +loXNSjiWSGPLZSOb/kE6lYP6BkNKX71QFDaHyGVcs4FFDacoPLdjjBOnM2RT0JDa +lDbWNDdzfVU03aOV+ChETYnda8LLx8MA5ZmrBxdDX3PBHoOuNy5xBxhDrny7rkZw +YDD7YsLemJ33+Dve1bE6VcD8bkvyBEDJeuo0rw/2NCzQXepJ0PnjAgSRwCcQKXbw +A/PEeOLfolbdcGpVIhBx290mS5eumeFLt055KmkxW0lA1Ew/sB2yOKc9g+3UbJSW +FTrpfKd91eSm4NHLjAyJPJR6N35tQPNTaNAFeQIDAQABAoIBAB28NS96+EaT8zv8 +EuFU24mzxLkO77G6KLRtxztFdaD6UxcWddUTfLJ2TUukIOvCMhDxuJYXXlcScwqH +BvDvGnAYOb0WYYqiGNycS1CZt497I+jWFOlILhAu3y0lkzq7vSv0SelkwS+wwBgx +x7NGcPxWKu0p6TRVeoXmS09//uVm1aDyEfEnhnTXuiAMD3vPbTNNGgnl0olbgsn2 +3xsLV+s81oHehrQwtZmYdPkmf/HLoZjbI5PWHgRnUrtMwqX/CLp0mz6iEAA8OjPR +kguOule8bngD3PdPXoN5NIGyLRwW2dMqOZ/JcCjCMOx4cymjNdu1u5xO7H6qC4ZC +7GoPSOECgYEA64xzeYQEoVxR/XscStO9WPtWUeR3jM3mm1lH918Rtyd5uJwffrss +8mxgCGmmddABqok9NRPnK7GiVghPRS3zDh6DXH27Mzxdf7c8xVfJoqzU5N0VMBSE +5lRn0M6jNxDR8jPmsyd/6DSuMCAqDchBCPPdzTfHKDUyCHpZRWN8r70CgYEA06se +d6xK28f1YhFS0ThgNGyJvqmt0bAahnkxYvihM+7t84isv207Rj5TLK5IFAzqAUU6 +SDDwj0x2cN73u82NXS7olPPE9WfYvt/ipd1TDXxU1/gUhSEYGUXRNJekKhucRQdm +5PmgMZR2heB4pnLrwIYucd+WmY3f29bCgyxgGm0CgYAGX1Vcazro1qONNQBt8c6E +ksAiFQk68PMVLtQomBTVnKbJXMfpWMz9ffsXHyyWsVrqLy5Nuk0dvH+EzlK+r2CM ++Dxbizc+SprI8r8dI6Pb18smqeiB1XxG8u+gEYcO3VCgudC69g2azZoMyUH5/3nq +8RYGEEU+DDpfSlgR7YAZDQKBgQCFdBY5jb+E4oWr1xBIKSs+4k/WjlSxKD8RGcgx +hmDcxX/xU/LWnqAIobL/MMLxIVNIicU9Tt3c+3CRqYK4PdkrLzAk+azsrRTTA4V6 +3hhHIGS95gPKDBuNk59bcWBnzBCy1P/iziBaIii4L9bh2wMY14Dg+v+QwQqrKLRq +z8en4QKBgCkoezTQ8gA2G2Mi1Cm1X1BR7mJAm2tIO1/g/UhNsEaLfZD9A1SQsFov +c8KTw2iY+IeKBgV9YP6JGBT29sNqZlFEWShnFko0U811CCb8KzMPocedW/9QZOFZ +g4sOFH9K7mi3U0soOBQxfi7CuvhFnrf7wmn4fLcju8XAXELA+qyf +-----END RSA PRIVATE KEY----- diff --git a/tls/cert/private_key.pem b/tls/cert/private_key.pem new file mode 100644 index 0000000..387437d --- /dev/null +++ b/tls/cert/private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA8N0c0OE3G86Su92n1ip0ZRsVWUivWyKbJxy1yHi4F0Mxjwt7 +96KDmrA0qxvARhYGS9zcI+aS7hGEzaHhu6UAYtYzaLhn6ZbfF15pgrEKbURq3h5O ++eN2vYhguy93gRguFyb8FdpVUQZDZPquZXtC9sGfEZPKoKTGu3k6jEOmi434L110 +J16/GNSo5ep5FukoE2uiMhfV+ap2kaVYSyy3f3LMO1EgRC/JRPfJHkNZ2WYAmGun +AxjJiwg/wJbyRwakWkQdTYww55du8zWdZloeKCjN6qqK3Z+1M7qmD1isnnk0pjjz +9WTr/S8rWA0tDN4sSZfBWjp+JsGxI7xqrLrVCQIDAQABAoIBAQCoOue7hPIGu/uE +t8ZYMYLmc0ov+DJyRvNzF/xnrtl1dfsRXAYT6jBdRKEkuddLnGp9Zh9j+9G38gh9 +z4lolFB2uAFkLRh28GeVXN346ErOErFJvoWOx67RpoVZeEfRpN/cT+BWKw7X7rX3 +u5c/Th5xVr8RedZW6X/cxUl9WmrioMVMLvdy51Kc1S93XtE0pG2MczVlFB+0d386 +Ak3GeWsHjha7fjiTRVO7zDx406hQNbs5Rsv9Lhf5ZrOnTuU7NsTXi6X/OKkJdb/T +uNdErB3O+C5IGjeUJDBNiMqwQ9C4FSkEofPR6uTnHKRK3T8ILJBn/qEC+WP6gTep +iynq6swZAoGBAPmyFhq0OMttQ0YT5rxH39F0BTpe5Nul+2poYmz21vpGmdLXEOw4 +i6A3TNhBqJ3y77EA3PpmvIPH0jAKGTF1EByV2ckNYoJHqmosnR5m/BoXy5u6oGxc +Wigncmm9tTNDqn20sPjBIfSOc/mLqQsWr9VoJNIYcWdIlZzrzg7ikYN/AoGBAPbx +8NrX1bXnUkbAzHehUApHB/2Vpgx6O6wDq4D8T3eIGdkLuWtCZ8xjKGfm4hFpzP1Z +9ZKgk62wVm/rF9FXIuFN9Zb6UUyg++vsvsztyYnQDy6hDc0KLqEu5/B53p3rml89 +cORgIG7CHBMTLMP8OS+bCtZ2EFLgyGqN4tzsr8t3AoGAJey4ksHAxpUH3ML1Dq/T +/NokWSNEm1/wec709Bvhtw22G2Hy/g3wlxsPHuGKHMNjSH0bEyU7iMB22jkOboab +NdxEwda4mZUM+ydfjdiSfdwTXsnPx+WXA/ZJ2Gmp9elXIdSp9H5RC/X/A24E9Nwz +RLSWsxpnTwqlPrpKB9S9yT0CgYA8ttVh6OkJVTtcW/CphQa50Cb9yPpPXQooy6oy +B1a+a773JzPKVERS8xovGYwBfgLBU4nWKBbHAHDwCVwMwyC3RkSYfyjX70ihA88R +cXE4qefhrgVHoTY/uNmbvUrnhtKokeGctKmksaLXacJ62RtyQetTOSngRpXf5Myf +Rq4eFwKBgD0gvtcPehIPIl8XQcDo78J3VcQIZqIwtDkgMUOlnnQe35s7E4ZZKL25 +tB0IDA5PECTm9Gk/6zRtx2lD8u9tEhIOJkw/15Xk30mA9p2V4DU5VSPcFnbrhnG4 +9wAGDRujeOzT0SMlRGDr/VXmZTg3zTygCxGpfly4zoNK7Pj0cmBY +-----END RSA PRIVATE KEY----- diff --git a/tls/cert/public_key.pem b/tls/cert/public_key.pem new file mode 100644 index 0000000..a202bfc --- /dev/null +++ b/tls/cert/public_key.pem 
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8N0c0OE3G86Su92n1ip0 +ZRsVWUivWyKbJxy1yHi4F0Mxjwt796KDmrA0qxvARhYGS9zcI+aS7hGEzaHhu6UA +YtYzaLhn6ZbfF15pgrEKbURq3h5O+eN2vYhguy93gRguFyb8FdpVUQZDZPquZXtC +9sGfEZPKoKTGu3k6jEOmi434L110J16/GNSo5ep5FukoE2uiMhfV+ap2kaVYSyy3 +f3LMO1EgRC/JRPfJHkNZ2WYAmGunAxjJiwg/wJbyRwakWkQdTYww55du8zWdZloe +KCjN6qqK3Z+1M7qmD1isnnk0pjjz9WTr/S8rWA0tDN4sSZfBWjp+JsGxI7xqrLrV +CQIDAQAB +-----END PUBLIC KEY----- diff --git a/tls/cert/server-cert.pem b/tls/cert/server-cert.pem new file mode 100644 index 0000000..f416632 --- /dev/null +++ b/tls/cert/server-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR +TF9TZXJ2ZXJfOC4wLjMyX0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X +DTIzMDQyNjExNTQxOFoXDTMzMDQyMzExNTQxOFowQDE+MDwGA1UEAww1TXlTUUxf +U2VydmVyXzguMC4zMl9BdXRvX0dlbmVyYXRlZF9TZXJ2ZXJfQ2VydGlmaWNhdGUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvZnXw6w2SPOXdt7MBjjy +mLy/IrWRK1t7H6gcxaXKY027NIunCocDhhP6J3wA26+d9p7JZcVGF7MwEHsQXNfJ +HlfiR52HVsAy/0kaXkeUVYfOAHe0f9LxuF0wRKdqOaCfk6OlmyXRus6xTW4BS4n0 +YrdUxIiAO8X6T5jHZ3+NVIXxMHfwS5jzSx/zkkc50p4HQpqKFyJsNIfoyRgJhzT1 +4J2JV6xCeNInqqWe0ex4xP6qqNfTHWqPc0m+uw3NnwHutAvJXX77TdKHsMECj0rv +3Qch41F6XpKIcwRYWi08+Zw/YbNa/5y1F//eeBJdJr6/AIrONQGdSpMIoeN3LqMt +AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBABQpHatoKEeK +dVYFQaNWcoj5WCR5PMpAeogjXicFC6XrMOO8vlfaUp/gaIEszFqavE9vrc2tGn0N +C6o7brdLptxEsT+Wy01nz0AoMv2Zt6F1ZTTEA64ym0rGpWm4j5Vc2aoWRC0CI5gI +xRp8BYAbir30erIo29TPJ8XaalGwF26E91K4xY+LiASjSw2FYgE1bZWVctRTsWig +ssyNisjSJ0vCdpsi0OE50rodXVUZU82DlWnuRPB+DO+OCLICoyiiNkTbSwrf1yLl +2XBYI9DM6KstqWX4/YC5/md0jsPHy4nhdIK8ngStrbaHSzKI9Nm/tLFr2nMGbNWu +n5xjpFe6cQ4= +-----END CERTIFICATE----- diff --git a/tls/cert/server-key.pem b/tls/cert/server-key.pem new file mode 100644 index 0000000..5ee3ee5 --- /dev/null +++ b/tls/cert/server-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwb2Z18OsNkjzl3bezAY48pi8vyK1kStbex+oHMWlymNNuzSL +pwqHA4YT+id8ANuvnfaeyWXFRhezMBB7EFzXyR5X4kedh1bAMv9JGl5HlFWHzgB3 +tH/S8bhdMESnajmgn5OjpZsl0brOsU1uAUuJ9GK3VMSIgDvF+k+Yx2d/jVSF8TB3 +8EuY80sf85JHOdKeB0KaihcibDSH6MkYCYc09eCdiVesQnjSJ6qlntHseMT+qqjX +0x1qj3NJvrsNzZ8B7rQLyV1++03Sh7DBAo9K790HIeNRel6SiHMEWFotPPmcP2Gz +Wv+ctRf/3ngSXSa+vwCKzjUBnUqTCKHjdy6jLQIDAQABAoIBAGd0i5ZAEtHaGtmi +zE4+dGJ3VTLrofEnKe6RdQAIOwPcC0IQSRKl+HrVOg22z+zVYu4DJ7977OAE/9aG +tnCCY2guH9fhTilbFb8luy+tcKOxGJfUgBeOumIBhSGlR5DdvPv5psVkF8nq6zya +kEd4wu4RWLyXRhzTzmBf6MFybxZUQCWDZAeDptiKPbz9lqZi/BIdeslaGnjCQypd +sQKMMzfYHCQDE7h8pd7AYgOFu9MFv61Py4dOx4es1Qg+3JdvJCa/TLi8ou1T4Wlz +mJDFuYPEuoLHmlmctendrTP2zogyjFTwMYC5D16K9VTA5ErA4qDeVSY8omEGPvcG +Ax4PzbECgYEA/6AOOAqOuSPRS5Xi/0IGB0Mqncrxuu0GCH0DD3GZwDpVlDOMTuqr +CTPRX0kKXRgIAPwnoo1Mp6qa/3QZ+Gdpb1nFBRiZyfb+95BqTDQCtDOSwN5qUO1P +xSDDEa0HXYgHZBj5Ualld8TwvnytFY0iTLUohM2oF3PdXsYhz3vDjqMCgYEAwgZR +b3ukP7mUwwUluu6+6AOqV3Z04IbIs3iGXghHa0f4FyUrT8xu9rhneaEgi8X30GSv +Mw40I2+B93J7mEO+C+lENRFuYs9L97+dSWGu9AHL8LWhsfpLSYnWWDDtQltQOrqM +vAse1wU0MIA1Iw8Br1OLQihU59aOajTyD64mM+8CgYEA/yI97ttCtjC0na9dIA5C +vA7iwxkiicI2ilRTsJ9eqMjQT5nfiYiY6xdn+qWJDX+FxY3m9Uv4XURfbWXw4cg9 +KKE9jqeOH1FCC898+M/Ufw0WhR+4l0s0mfjoGYVMW6MAVXzDoyjimFbdPhJsIp15 +xXvulBY7liTTpts0NcU+WucCgYB12mCc1v1tt8wkqXvBkENlqtRNTCayOyyt1wfH +FkBLaevII0urrQG520j/GGAshpOAgafp2zbQT2siYuewFXXaxlYn5e6nFkOOuVVQ +vYUHsg+upqUQ9nfEs3T/HLkBFXYmNipGDnstIHwS+c1M/lCHrrdn+BeauzjGSmK+ +I4oRAQKBgDGpTNqPmjwaFxsLk6pCUB5FnIfnRraX9AsHjNJJlZbBeVjrmyxGEBHH +QMeoq6Ho8SCvqx0AbGKBdXUvjCLnjOfpG6zlXNqev1bjAOl6kp/+ENs5epm1VWIA +MlLqUHyNNMBho+hPF+cqMyL6N2ltkiyvLretLprcfnt97IB5kllr +-----END RSA PRIVATE KEY----- diff --git a/tls/conf.d/my.cnf b/tls/conf.d/my.cnf new file mode 100644 index 0000000..44d76e5 --- /dev/null +++ b/tls/conf.d/my.cnf 
@@ -0,0 +1,4 @@
+[mysqld]
+ssl-ca=/etc/mysql/cert/ca.pem
+ssl-cert=/etc/mysql/cert/server-cert.pem
+ssl-key=/etc/mysql/cert/server-key.pem
\ No newline at end of file
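Review bot: The server is given a certificate and key but nothing here requires clients to use them, so every other test in the TCP run keeps talking plaintext to the same server and only `testTLS` exercises the encrypted path. That is acceptable for a test matrix, but a comment at the top of the file, e.g. `# TLS is offered, not required; only testTLS exercises it`, stops a reader from assuming the whole suite runs over TLS. The file also lacks a trailing newline.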