[enhancement](mysql) enable two-way ssl authentication (apache#18530)

According to the mysql-ssl, enable two-way SSL authentication.

.licenserc.yaml

@@ -80,6 +80,11 @@ header:
     - "docker/thirdparties/docker-compose/hive/scripts/create_tpch1_parquet.hql"
     - "docker/thirdparties/docker-compose/hive/scripts/preinstalled_data/"
     - "docker/thirdparties/docker-compose/iceberg/spark-defaults.conf.tpl"
+    - "conf/mysql_ssl_default_certificate/*"
+    - "conf/mysql_ssl_default_certificate/client_certificate/ca.pem"
+    - "conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem"
+    - "conf/mysql_ssl_default_certificate/client_certificate/client-key.pem"
+    - "regression-test/ssl_default_certificate/*"
     - "extension/beats/go.mod"
     - "extension/beats/go.sum"
 

conf/mysql_ssl_default_certificate/README.md

@@ -0,0 +1 @@
+All certificates in this directory are generated by default and cannot be used in a production environment. The certificates in the ```./client_certificate``` are used to verify the identity of the client. For more details, refer to ```docs/en/docs/admin-manual/certificate.md```

conf/mysql_ssl_default_certificate/client_certificate/ca.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
+ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM
+BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y
+MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G
+A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx
+DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU
+ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU
+EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g
+k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO
+LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo
+IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF
+S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP
+Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57
+ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap
+V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz
+QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9
+MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk
+RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ
+iN+q
+-----END CERTIFICATE-----

conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD
+VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO
+MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk
+ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1
+MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH
+QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD
+DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI
++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv
+c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD
+M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z
++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ
+L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd
+YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ
+bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw
+X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs
+K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL
+5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s
+-----END CERTIFICATE-----

conf/mysql_ssl_default_certificate/client_certificate/client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM
+bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk
+ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb
+QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l
+OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn
+DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl
+b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h
+bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1
+xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99
+lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+
+BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB
+HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x
+CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX
+iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst
+MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo
+geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue
+xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0
+4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh
+FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc
+uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7
+/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2
+Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY
+wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM
+20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL
+ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg==
+-----END RSA PRIVATE KEY-----

docs/en/docs/admin-manual/certificate.md

@@ -26,32 +26,52 @@ under the License.
 
 # Key Certificate Configuration
 
-Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`.
+Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated:
+
+* The default CA key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change the CA key certificate file. You can also add `mysql_ssl_default_ca_certificate_password = your_password` to specify the password for your custom key certificate file.
+* The default server-side key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to change the server-side key certificate file. You can also add `mysql_ssl_default_server_certificate_password = your_password` to specify the password for your custom key certificate file.
+* By default, a client-side key certificate is also generated and stored in `Doris/fe/mysql_ssl_default_certificate/client-key.pem` and `Doris/fe/mysql_ssl_default_certificate/client_certificate/`.
 
 ## Custom key certificate file
 
-In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Proceed as follows:
+In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Here are the steps (refer to [Creating SSL Certificates and Keys Using OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)):
 
-1. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
+1. Generate the CA, server-side, and client-side keys and certificates:
 ```bash
-openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# Generate the CA certificate
+openssl genrsa 2048 > ca-key.pem
+openssl req -new -x509 -nodes -days 3600 \
+        -key ca-key.pem -out ca.pem
+
+# Generate the server certificate and sign it with the above CA
+# server-cert.pem = public key, server-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Generate the client certificate and sign it with the above CA
+# client-cert.pem = public key, client-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-2. Review the created certificate.
+2. Verify the created certificates:
 ```bash
-openssl x509 -text -noout -in certificate.pem
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
 3. Combine your key and certificate in a PKCS#12 (P12) bundle.
 ```bash
-openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
-```
+# Package the CA key and certificate
+openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-4. Validate your P2 file.
-```bash
-openssl pkcs12 -in certificate.p12 -noout -info
+# Package the server-side key and certificate
+openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12
 ```
 
-After completing these operations, you can get the certificate.p12 file.
-
 >[reference documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)

docs/en/docs/get-starting/get-starting.md

@@ -164,20 +164,22 @@ ReplayedJournalId: 49292
 Doris supports SSL-based encrypted connections. It currently supports TLS1.2 and TLS1.3 protocols. Doris' SSL mode can be enabled through the following configuration:
 Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
 
-Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+Next, connect to Doris through `mysql` client, mysql supports five SSL modes:
 
 1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL encrypted connection at the beginning, if it fails , a normal connection is attempted.
 
 2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL encrypted connection, use normal connection directly.
 
 3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connections.
 
+4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection and verify the validity of the server's identity by specifying the CA certificate。
+
+5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection, two-way ssl。
+
 >Note:
 >`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to [here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html) for mysql client version lower than this version。
 
-Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`.
-
-For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。
+Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/`. For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。
 
 #### Stop FE
 

docs/zh-CN/docs/admin-manual/certificate.md

@@ -26,36 +26,53 @@ under the License.
 
 # SSL密钥证书配置
 
-Doris开启SSL功能需要配置密钥证书，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件，同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+Doris开启SSL功能需要配置CA密钥证书和Server端密钥证书，如需开启双向认证，还需生成Client端密钥证书：
+* 默认的CA密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_ca_certificate = /path/to/your/certificate`修改CA密钥证书文件，同时也可以通过`mysql_ssl_default_ca_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+* 默认的Server端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_server_certificate = /path/to/your/certificate`修改Server端密钥证书文件，同时也可以通过`mysql_ssl_default_server_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。
+* 默认生成了一份Client端的密钥证书，分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。
 
 ## 自定义密钥证书文件
 
-除了Doris默认的证书文件，您也可以通过`openssl`生成自定义的证书文件。步骤如下：
-
-1.运行以下OpenSSL命令以生成您的私钥和公共证书，回答问题并在出现提示时输入答案。
-
-```bash
-openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+除了Doris默认的证书文件，您也可以通过`openssl`生成自定义的证书文件。步骤参考[mysql生成ssl证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)
+具体如下：
+1. 生成CA、Server端和Client端的密钥和证书
 ```
-
-2.查看创建的证书。
-
-```bash
-openssl x509 -text -noout -in certificate.pem
+# 生成CA certificate
+openssl genrsa 2048 > ca-key.pem
+openssl req -new -x509 -nodes -days 3600 \
+        -key ca-key.pem -out ca.pem
+
+# 生成server certificate, 并用上述CA签名
+# server-cert.pem = public key, server-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# 生成client certificate, 并用上述CA签名
+# client-cert.pem = public key, client-key.pem = private key
+openssl req -newkey rsa:2048 -days 3600 \
+        -nodes -keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+        -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
 ```
 
-3.将您的密钥和证书合并到 PKCS#12 (P12) 包中。
+2.验证创建的证书。
 
 ```bash
- openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
 ```
 
-4.验证您的P12文件。
+3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12) 包中。
 
 ```bash
-openssl pkcs12 -in certificate.p12 -noout -info
-```
+# 打包CA密钥和证书
+openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
 
-完成这些操作后即可得到certificate.p12文件。
+# 打包Server端密钥和证书
+openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12
+```
 
 >[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)

docs/zh-CN/docs/get-starting/get-starting.md

@@ -168,20 +168,23 @@ ReplayedJournalId: 49292
 Doris支持基于SSL的加密连接，当前支持TLS1.2，TLS1.3协议，可以通过以下配置开启Doris的SSL模式：
 修改FE配置文件`conf/fe.conf`，添加`enable_ssl = true`即可。
 
-接下来通过`mysql`客户端连接Doris，mysql支持三种SSL模式：
+接下来通过`mysql`客户端连接Doris，mysql支持五种SSL模式：
 
 1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`一样，都是一开始试图建立SSL加密连接，如果失败，则尝试使用普通连接。
 
 2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`，不使用SSL加密连接，直接使用普通连接。
 
 3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接。
 
+4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接，并且通过指定CA证书验证服务端身份是否有效。
+
+5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`，强制使用SSL加密连接，双向验证。
+
+
 >注意：
 >`--ssl-mode`参数是mysql5.7.11版本引入的，低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
 
-Doris开启SSL加密连接需要密钥证书文件验证，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`，默认密码为`doris`，您可以通过修改FE配置文件`conf/fe.conf`，添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件，同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥书文件的密码。
-
-密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。
+Doris开启SSL加密连接需要密钥证书文件验证，默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/`下。密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。
 
 #### 停止 FE 节点