在 go 中使用 ssl 和证书连接到 mysql/mariadb
Connect to mysql/mariadb with ssl and certs in go
有很多关于如何在只需要用户名和密码时使用 go/golang 连接到 mariadb/mysql 数据库的示例。但是我还没有找到客户端需要证书 (TLS/SSL) 才能连接的简单示例。
这适用于普通连接
package main
import (
"database/sql"
"fmt"
"log"
_ "github.com/go-sql-driver/mysql"
)
// Test that db is usable
// prints current date & time to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// generate connection string
cs := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", "username", "password", "dbHost", "dbPort", "database")
db, err := sql.Open("mysql", cs)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", cs)
return
}
defer db.Close()
e := db.Ping()
fmt.Println(cs, e)
queryDB(db)
}
但是如果客户端需要证书才能连接,我应该把这些信息放在哪里?
在我的 my.cnf 中是这些行:
[mysql]
## MySQL Client Configuration ##
ssl-ca=cert/ca-cert.pem
ssl-cert=cert/client-cert.pem
ssl-key=cert/client-key.pem
为了能够使用证书进行身份验证,您必须创建 tls.Config,然后执行 mysql.RegisterTLSConfig("custom", &tlsConf) 并将 "?tsl=custom" 添加到连接字符串。
其中 tls 来自 "crypto/tls" 而 mysql 来自 "github.com/go-sql-driver/mysql"
一个工作示例:
package main
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"fmt"
"io/ioutil"
"log"
"github.com/go-sql-driver/mysql"
_ "github.com/go-sql-driver/mysql"
)
// path to cert-files hard coded
// Most of this is copy pasted from the internet
// and used without much reflection
func createTLSConf() tls.Config {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("cert/ca-cert.pem")
if err != nil {
log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
log.Fatal("Failed to append PEM.")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair("cert/client-cert.pem", "cert/client-key.pem")
if err != nil {
log.Fatal(err)
}
clientCert = append(clientCert, certs)
return tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
InsecureSkipVerify: true, // needed for self signed certs
}
}
// Test that db is usable
// prints version to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// When I realized that the tls/ssl/cert thing was handled separately
// it became easier, the following two lines are the important bit
tlsConf := createTLSConf()
err := mysql.RegisterTLSConfig("custom", &tlsConf)
if err != nil {
log.Printf("Error %s when RegisterTLSConfig\n", err)
return
}
// connection string (dataSourceName) is slightly different
dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?tls=custom", "username", "password", "dbHost", "dbPort", "database")
db1, err := sql.Open("mysql", dsn)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", dsn)
return
}
defer db1.Close()
e := db1.Ping()
fmt.Println(dsn, e)
queryDB(db1)
}
有很多关于如何在只需要用户名和密码时使用 go/golang 连接到 mariadb/mysql 数据库的示例。但是我还没有找到客户端需要证书 (TLS/SSL) 才能连接的简单示例。
这适用于普通连接
package main
import (
"database/sql"
"fmt"
"log"
_ "github.com/go-sql-driver/mysql"
)
// Test that db is usable
// prints current date & time to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// generate connection string
cs := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", "username", "password", "dbHost", "dbPort", "database")
db, err := sql.Open("mysql", cs)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", cs)
return
}
defer db.Close()
e := db.Ping()
fmt.Println(cs, e)
queryDB(db)
}
但是如果客户端需要证书才能连接,我应该把这些信息放在哪里?
在我的 my.cnf 中是这些行:
[mysql]
## MySQL Client Configuration ##
ssl-ca=cert/ca-cert.pem
ssl-cert=cert/client-cert.pem
ssl-key=cert/client-key.pem
为了能够使用证书进行身份验证,您必须创建 tls.Config,然后执行 mysql.RegisterTLSConfig("custom", &tlsConf) 并将 "?tsl=custom" 添加到连接字符串。
其中 tls 来自 "crypto/tls" 而 mysql 来自 "github.com/go-sql-driver/mysql"
一个工作示例:
package main
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"fmt"
"io/ioutil"
"log"
"github.com/go-sql-driver/mysql"
_ "github.com/go-sql-driver/mysql"
)
// path to cert-files hard coded
// Most of this is copy pasted from the internet
// and used without much reflection
func createTLSConf() tls.Config {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile("cert/ca-cert.pem")
if err != nil {
log.Fatal(err)
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
log.Fatal("Failed to append PEM.")
}
clientCert := make([]tls.Certificate, 0, 1)
certs, err := tls.LoadX509KeyPair("cert/client-cert.pem", "cert/client-key.pem")
if err != nil {
log.Fatal(err)
}
clientCert = append(clientCert, certs)
return tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
InsecureSkipVerify: true, // needed for self signed certs
}
}
// Test that db is usable
// prints version to stdout
func queryDB(db *sql.DB) {
// Query the database
var result string
err := db.QueryRow("SELECT NOW()").Scan(&result)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
}
func main() {
// When I realized that the tls/ssl/cert thing was handled separately
// it became easier, the following two lines are the important bit
tlsConf := createTLSConf()
err := mysql.RegisterTLSConfig("custom", &tlsConf)
if err != nil {
log.Printf("Error %s when RegisterTLSConfig\n", err)
return
}
// connection string (dataSourceName) is slightly different
dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?tls=custom", "username", "password", "dbHost", "dbPort", "database")
db1, err := sql.Open("mysql", dsn)
if err != nil {
log.Printf("Error %s when opening DB\n", err)
log.Printf("%s", dsn)
return
}
defer db1.Close()
e := db1.Ping()
fmt.Println(dsn, e)
queryDB(db1)
}