[enhancement](mysql) enable two-way ssl authentication (#18530)

According to the mysql-ssl, enable two-way SSL authentication.

.licenserc.yaml

@@ -80,6 +80,11 @@ header:
     - "docker/thirdparties/docker-compose/hive/scripts/create_tpch1_parquet.hql"
     - "docker/thirdparties/docker-compose/hive/scripts/preinstalled_data/"
     - "docker/thirdparties/docker-compose/iceberg/spark-defaults.conf.tpl"
+    - "conf/mysql_ssl_default_certificate/*"
+    - "conf/mysql_ssl_default_certificate/client_certificate/ca.pem"
+    - "conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem"
+    - "conf/mysql_ssl_default_certificate/client_certificate/client-key.pem"
+    - "regression-test/ssl_default_certificate/*"
     - "extension/beats/go.mod"
     - "extension/beats/go.sum"
 

conf/mysql_ssl_default_certificate/README.md

@@ -0,0 +1 @@
+All certificates in this directory are generated by default and cannot be used in a production environment. The certificates in the ```./client_certificate``` are used to verify the identity of the client. For more details, refer to ```docs/en/docs/admin-manual/certificate.md```

conf/mysql_ssl_default_certificate/client_certificate/ca.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
+ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM
+BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y
+MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G
+A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx
+DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU
+ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU
+EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g
+k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO
+LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo
+IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF
+S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP
+Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57
+ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap
+V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz
+QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9
+MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk
+RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ
+iN+q
+-----END CERTIFICATE-----

conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD
+VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO
+MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk
+ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1
+MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH
+QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD
+DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI
++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv
+c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD
+M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z
++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ
+L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd
+YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ
+bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw
+X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs
+K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL
+5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s
+-----END CERTIFICATE-----

conf/mysql_ssl_default_certificate/client_certificate/client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM
+bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk
+ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb
+QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l
+OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn
+DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl
+b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h
+bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1
+xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99
+lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+
+BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB
+HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x
+CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX
+iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst
+MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo
+geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue
+xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0
+4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh
+FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc
+uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7
+/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2
+Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY
+wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM
+20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL
+ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg==
+-----END RSA PRIVATE KEY-----

docs/en/docs/admin-manual/certificate.md

@@ -26,32 +26,52 @@ under the License.
 
 # Key Certificate Configuration
 
-Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`.
+Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated:
+
+* The default CA key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change the CA key certificate file. You can also add `mysql_ssl_default_ca_certificate_password = your_password` to specify the password for your custom key certificate file.
+* The default server-side key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to change the server-side key certificate file. You can also add `mysql_ssl_default_server_certificate_password = your_password` to specify the password for your custom key certificate file.
+* By default, a client-side key certificate is also generated and stored in `Doris/fe/mysql_ssl_default_certificate/client-key.pem` and `Doris/fe/mysql_ssl_default_certificate/client_certificate/`.
 
 ## Custom key certificate file
 
-In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Proceed as follows:
+In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Here are the steps (refer to [Creating SSL Certificates and Keys Using OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)):
 
-1. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
+1. Generate the CA, server-side, and client-side keys and certificates:
 ```bash
-openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# Generate the CA certificate
+openssl genrsa 2048 > ca-key.pem
+openssl req -new -x509 -nodes -days 3600 \
+        -key ca-key.pem -out ca.pem
+
+# Generate the server certificate and sign it with the above CA
+# server-cert.pem = public key, server-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Generate the client certificate and sign it with the above CA
+# client-cert.pem = public key, client-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. Review the created certificate.
+2. Verify the created certificates:
 ```bash
-openssl x509 -text -noout -in certificate.pem
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
 3. Combine your key and certificate in a PKCS#12 (P12) bundle.
 ```bash
-openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
-```
+# Package the CA key and certificate
+openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-4. Validate your P2 file.
-```bash
-openssl pkcs12 -in certificate.p12 -noout -info
+# Package the server-side key and certificate
+openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12
 ```
 
-After completing these operations, you can get the certificate.p12 file.
-
 >[reference documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)

docs/en/docs/get-starting/get-starting.md

@@ -164,7 +164,7 @@ ReplayedJournalId: 49292
 Doris supports SSL-based encrypted connections. It currently supports TLS1.2 and TLS1.3 protocols. Doris' SSL mode can be enabled through the following configuration:
 Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
 
-Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+Next, connect to Doris through `mysql` client, mysql supports five SSL modes:
 
 1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL encrypted connection at the beginning, if it fails , a normal connection is attempted.
 
@@ -172,12 +172,14 @@ Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
 
 3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connections.
 
+4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection and verify the validity of the server's identity by specifying the CA certificate。
+
+5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection, two-way ssl。
+
 >Note:
 >`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to [here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html) for mysql client version lower than this version。
 
-Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`.
-
-For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。
+Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/`. For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。
 
 #### Stop FE
 

docs/zh-CN/docs/admin-manual/certificate.md

@@ -26,36 +26,53 @@ under the License.
 
 # SSL密钥证书配置
 
-Doris开启SSL功能需要配置密钥证书，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件，同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+Doris开启SSL功能需要配置CA密钥证书和Server端密钥证书，如需开启双向认证，还需生成Client端密钥证书：
+* 默认的CA密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_ca_certificate = /path/to/your/certificate`修改CA密钥证书文件，同时也可以通过`mysql_ssl_default_ca_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+* 默认的Server端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_server_certificate = /path/to/your/certificate`修改Server端密钥证书文件，同时也可以通过`mysql_ssl_default_server_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+* 默认生成了一份Client端的密钥证书，分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。
 
 ## 自定义密钥证书文件
 
-除了Doris默认的证书文件，您也可以通过`openssl`生成自定义的证书文件。步骤如下：
+除了Doris默认的证书文件，您也可以通过`openssl`生成自定义的证书文件。步骤参考[mysql生成ssl证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)
+具体如下：
+1. 生成CA、Server端和Client端的密钥和证书
+```
+# 生成CA certificate
+openssl genrsa 2048 > ca-key.pem
+openssl req -new -x509 -nodes -days 3600 \
+        -key ca-key.pem -out ca.pem
 
-1.运行以下OpenSSL命令以生成您的私钥和公共证书，回答问题并在出现提示时输入答案。
+# 生成server certificate, 并用上述CA签名
+# server-cert.pem = public key, server-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 
-```bash
-openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# 生成client certificate, 并用上述CA签名
+# client-cert.pem = public key, client-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2.查看创建的证书。
+2.验证创建的证书。
 
 ```bash
-openssl x509 -text -noout -in certificate.pem
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-3.将您的密钥和证书合并到 PKCS#12 (P12) 包中。
+3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12) 包中。
 
 ```bash
- openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
+# 打包CA密钥和证书
+openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
+
+# 打包Server端密钥和证书
+openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12
 ```
 
-4.验证您的P12文件。
-
-```bash
-openssl pkcs12 -in certificate.p12 -noout -info
-```
-
-完成这些操作后即可得到certificate.p12文件。
-
 >[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)

docs/zh-CN/docs/get-starting/get-starting.md

@@ -168,7 +168,7 @@ ReplayedJournalId: 49292
 Doris支持基于SSL的加密连接，当前支持TLS1.2，TLS1.3协议，可以通过以下配置开启Doris的SSL模式：
 修改FE配置文件`conf/fe.conf`，添加`enable_ssl = true`即可。
 
-接下来通过`mysql`客户端连接Doris，mysql支持三种SSL模式：
+接下来通过`mysql`客户端连接Doris，mysql支持五种SSL模式：
 
 1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`一样，都是一开始试图建立SSL加密连接，如果失败，则尝试使用普通连接。
 
@@ -176,12 +176,15 @@ Doris支持基于SSL的加密连接，当前支持TLS1.2，TLS1.3协议，可以
 
 3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接。
 
+4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接，并且通过指定CA证书验证服务端身份是否有效。
+
+5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接，双向验证。
+
+
 >注意：
 >`--ssl-mode`参数是mysql5.7.11版本引入的，低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
 
-Doris开启SSL加密连接需要密钥证书文件验证，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件，同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥书文件的密码。
-
-密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。
+Doris开启SSL加密连接需要密钥证书文件验证，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/`下。密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。
 
 #### 停止 FE 节点
 

fe/fe-common/src/main/java/org/apache/doris/common/Config.java

@@ -2043,17 +2043,36 @@ public class Config extends ConfigBase {
     public static boolean enable_ssl = true;
 
     /**
-     * Default certificate file location for mysql ssl connection.
+     * If set to ture, ssl connection needs to authenticate client's certificate.
      */
     @ConfField(mutable = false, masterOnly = false)
-    public static String mysql_ssl_default_certificate = System.getenv("DORIS_HOME")
-            + "/mysql_ssl_default_certificate/certificate.p12";
+    public static boolean ssl_force_client_auth = false;
 
     /**
-     * Password for default certificate file.
+     * Default CA certificate file location for mysql ssl connection.
      */
     @ConfField(mutable = false, masterOnly = false)
-    public static String mysql_ssl_default_certificate_password = "doris";
+    public static String mysql_ssl_default_ca_certificate = System.getenv("DORIS_HOME")
+            + "/mysql_ssl_default_certificate/ca_certificate.p12";
+
+    /**
+     * Default server certificate file location for mysql ssl connection.
+     */
+    @ConfField(mutable = false, masterOnly = false)
+    public static String mysql_ssl_default_server_certificate = System.getenv("DORIS_HOME")
+            + "/mysql_ssl_default_certificate/server_certificate.p12";
+
+    /**
+     * Password for default CA certificate file.
+     */
+    @ConfField(mutable = false, masterOnly = false)
+    public static String mysql_ssl_default_ca_certificate_password = "doris";
+
+    /**
+     * Password for default CA certificate file.
+     */
+    @ConfField(mutable = false, masterOnly = false)
+    public static String mysql_ssl_default_server_certificate_password = "doris";
 
     /**
      * Used to set session variables randomly to check more issues in github workflow

fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java

@@ -47,9 +47,10 @@ public class MysqlSslContext {
     private SSLContext sslContext;
     private String protocol;
     private ByteBuffer serverAppData;
-    private static final String keyStoreFile = Config.mysql_ssl_default_certificate;
-    private static final String trustStoreFile = Config.mysql_ssl_default_certificate;
-    private static final String certificatePassword = Config.mysql_ssl_default_certificate_password;
+    private static final String keyStoreFile = Config.mysql_ssl_default_server_certificate;
+    private static final String trustStoreFile = Config.mysql_ssl_default_ca_certificate;
+    private static final String caCertificatePassword = Config.mysql_ssl_default_ca_certificate_password;
+    private static final String serverCertificatePassword = Config.mysql_ssl_default_server_certificate_password;
     private ByteBuffer serverNetData;
     private ByteBuffer clientAppData;
     private ByteBuffer clientNetData;
@@ -68,13 +69,14 @@ public class MysqlSslContext {
             KeyStore ks = KeyStore.getInstance("PKCS12");
             KeyStore ts = KeyStore.getInstance("PKCS12");
 
-            char[] password = certificatePassword.toCharArray();
+            char[] serverPassword = serverCertificatePassword.toCharArray();
+            char[] caPassword = caCertificatePassword.toCharArray();
 
-            ks.load(Files.newInputStream(Paths.get(keyStoreFile)), password);
-            ts.load(Files.newInputStream(Paths.get(trustStoreFile)), password);
+            ks.load(Files.newInputStream(Paths.get(keyStoreFile)), serverPassword);
+            ts.load(Files.newInputStream(Paths.get(trustStoreFile)), caPassword);
 
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(ks, password);
+            kmf.init(ks, serverPassword);
 
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             tmf.init(ts);
@@ -91,6 +93,10 @@ public class MysqlSslContext {
         // set to server mode
         sslEngine.setUseClientMode(false);
         sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        sslEngine.setWantClientAuth(true);
+        if (Config.ssl_force_client_auth) {
+            sslEngine.setNeedClientAuth(true);
+        }
     }
 
     public SSLEngine getSslEngine() {

regression-test/conf/regression-conf.groovy

@@ -38,6 +38,7 @@ suitePath = "${DORIS_HOME}/regression-test/suites"
 dataPath = "${DORIS_HOME}/regression-test/data"
 pluginPath = "${DORIS_HOME}/regression-test/plugins"
 realDataPath = "${DORIS_HOME}/regression-test/realdata"
+sslCertificatePath = "${DORIS_HOME}/regression-test/ssl_default_certificate"
 
 // will test <group>/<suite>.groovy
 // empty group will test all group

regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy

@@ -53,6 +53,7 @@ class Config {
     public String realDataPath
     public String cacheDataPath
     public String pluginPath
+    public String sslCertificatePath
 
     public String testGroups
     public String excludeGroups
@@ -90,7 +91,7 @@ class Config {
            String feHttpAddress, String feHttpUser, String feHttpPassword, String metaServiceHttpAddress,
            String suitePath, String dataPath, String realDataPath, String cacheDataPath,
            String testGroups, String excludeGroups, String testSuites, String excludeSuites,
-           String testDirectories, String excludeDirectories, String pluginPath) {
+           String testDirectories, String excludeDirectories, String pluginPath, String sslCertificatePath) {
         this.defaultDb = defaultDb
         this.jdbcUrl = jdbcUrl
         this.jdbcUser = jdbcUser
@@ -110,6 +111,7 @@ class Config {
         this.testDirectories = testDirectories
         this.excludeDirectories = excludeDirectories
         this.pluginPath = pluginPath
+        this.sslCertificatePath = sslCertificatePath
     }
 
     static Config fromCommandLine(CommandLine cmd) {
@@ -137,6 +139,7 @@ class Config {
         config.realDataPath = FileUtils.getCanonicalPath(cmd.getOptionValue(realDataOpt, config.realDataPath))
         config.cacheDataPath = cmd.getOptionValue(cacheDataOpt, config.cacheDataPath)
         config.pluginPath = FileUtils.getCanonicalPath(cmd.getOptionValue(pluginOpt, config.pluginPath))
+        config.sslCertificatePath = FileUtils.getCanonicalPath(cmd.getOptionValue(sslCertificateOpt, config.sslCertificatePath))
         config.suiteWildcard = cmd.getOptionValue(suiteOpt, config.testSuites)
                 .split(",")
                 .collect({s -> s.trim()})
@@ -244,7 +247,8 @@ class Config {
             configToString(obj.excludeSuites),
             configToString(obj.testDirectories),
             configToString(obj.excludeDirectories),
-            configToString(obj.pluginPath)
+            configToString(obj.pluginPath),
+            configToString(obj.sslCertificatePath)
         )
 
         def declareFileNames = config.getClass()
@@ -327,6 +331,11 @@ class Config {
             log.info("Set dataPath to '${config.pluginPath}' because not specify.".toString())
         }
 
+        if (config.sslCertificatePath == null) {
+            config.sslCertificatePath = "regression-test/ssl_default_certificate"
+            log.info("Set sslCertificatePath to '${config.sslCertificatePath}' because not specify.".toString())
+        }
+
         if (config.testGroups == null) {
             config.testGroups = "default"
             log.info("Set testGroups to '${config.testGroups}' because not specify.".toString())
@@ -491,10 +500,7 @@ class Config {
         String useSslConfig = "verifyServerCertificate=false&useSSL=" + useSsl + "&requireSSL=false"
         String tlsVersion = "TLSv1.2"
         String tlsVersionConfig = "&enabledTLSProtocols=" + tlsVersion
-        String keyStoreFile = "file:regression-test/certificate.p12"
-        String keyStoreFileConfig = "&trustCertificateKeyStoreUrl=" + keyStoreFile + "&clientCertificateKeyStoreUrl=" + keyStoreFile
-        String password = "&trustCertificateKeyStorePassword=doris&clientCertificateKeyStorePassword=doris"
-        String sslUrl = useSslConfig + tlsVersionConfig + keyStoreFileConfig + password
+        String sslUrl = useSslConfig + tlsVersionConfig
         // e.g: jdbc:mysql://locahost:8080/dbname?
         if (url.charAt(url.length() - 1) == '?') {
             return url + sslUrl

regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy

@@ -41,6 +41,7 @@ class ConfigOptions {
     static Option realDataOpt
     static Option cacheDataOpt
     static Option pluginOpt
+    static Option sslCertificateOpt
     static Option suiteOpt
     static Option excludeSuiteOpt
     static Option groupsOpt
@@ -148,6 +149,16 @@ class ConfigOptions {
                 .longOpt("plugin")
                 .desc("the plugin path")
                 .build()
+
+        sslCertificateOpt = Option.builder("ssl")
+                .argName("sslCertificatePath")
+                .required(false)
+                .hasArg(true)
+                .type(String.class)
+                .longOpt("sslCertificatePath")
+                .desc("the sslCertificate path")
+                .build() 
+
         suiteOpt = Option.builder("s")
                 .argName("suiteName")
                 .required(false)
@@ -316,6 +327,7 @@ class ConfigOptions {
                 .addOption(pathOpt)
                 .addOption(dataOpt)
                 .addOption(pluginOpt)
+                .addOption(sslCertificateOpt)
                 .addOption(confOpt)
                 .addOption(suiteOpt)
                 .addOption(excludeSuiteOpt)

regression-test/ssl_default_certificate/ca.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
+ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM
+BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y
+MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G
+A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx
+DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU
+ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU
+EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g
+k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO
+LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo
+IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF
+S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP
+Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57
+ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap
+V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz
+QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9
+MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk
+RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ
+iN+q
+-----END CERTIFICATE-----

regression-test/ssl_default_certificate/client-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD
+VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO
+MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk
+ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1
+MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH
+QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD
+DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI
++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv
+c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD
+M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z
++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ
+L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd
+YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ
+bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw
+X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs
+K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL
+5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s
+-----END CERTIFICATE-----

regression-test/ssl_default_certificate/client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM
+bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk
+ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb
+QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l
+OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn
+DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl
+b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h
+bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1
+xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99
+lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+
+BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB
+HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x
+CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX
+iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst
+MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo
+geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue
+xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0
+4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh
+FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc
+uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7
+/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2
+Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY
+wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM
+20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL
+ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg==
+-----END RSA PRIVATE KEY-----

regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy

@@ -14,6 +14,7 @@
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
+import org.apache.doris.regression.Config
 
 suite("test_mysql_connection") { suite ->
     // NOTE: this suite need you install mysql client 5.7 + to support --ssl-mode parameter
@@ -39,10 +40,20 @@ suite("test_mysql_connection") { suite ->
     String cmdDefault = "mysql -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\"";
     String cmdDisabledSsl = "mysql --ssl-mode=DISABLE -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\"";
     String cmdSsl12 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\"";
+    // client verifies server certificate
+    String cmdv1 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\"";
+    
+    // two-way ssl auth (client and server both verify their respective certificates)
+    String cmdv2 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem \
+                    --ssl-cert=" + context.config.sslCertificatePath + "/client-cert.pem \
+                    --ssl-key=" + context.config.sslCertificatePath + "/client-key.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\"";
+
     // The current mysql-client version of the test environment is 5.7.32, which does not support TLSv1.3, so comment this part.
     // String cmdSsl13 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort +  " --tls-version=TLSv1.3 -e \"show variables\"";
     executeMySQLCommand(cmdDefault);
     executeMySQLCommand(cmdDisabledSsl);
     executeMySQLCommand(cmdSsl12);
     // executeMySQLCommand(cmdSsl13);
+    executeMySQLCommand(cmdv1);
+    executeMySQLCommand(cmdv2);
 }