Bug #12875 SSL grant option error (CN used instead of certificate subject)
Submitted: 30 Aug 2005 10:51
Modified: 1 Feb 2006 8:09
Reporter: [ name withheld ] (Basic Quality Contributor)
Status: Can't repeat
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.0.11-beta-nt
OS: Windows (Windows XP sp2)
Assigned to:
CPU Architecture: Any

[30 Aug 2005 10:51] [ name withheld ]
Description:
When granting a user the X509_certificate SSL related option MySQL server uses the certificate's CN as the subject, instead of the certificate's real subject.

How to repeat:
mysql> select version();
+----------------+
| version()      |
+----------------+
| 5.0.11-beta-nt |
+----------------+
1 row in set (0.03 sec)

mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)

mysql> grant select on test.* to 'pippo1'@'localhost' identified by 'pippo1' require subject '/E=client_cert@myca.com/CN=client_cert/OU=pippo/O=pippopippo/L=torino/S=italy/C=it';
Query OK, 0 rows affected (0.02 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql>

The connection is unsuccessful:

C:\Documents and Settings\pippo>mysql -upippo1 -ppippo1
ERROR 1045 (28000): Access denied for user 'pippo1'@'localhost' (using password: YES)

And in the error log I read:

050830 12:48:30 [Note] X509 subject mismatch: '/E=client_cert@myca.com/CN=client_cert/OU=pippo/O=pippopippo/L=torino/S=italy/C=it' vs 'client_cert'
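
An added example, not part of the original report: a small Python triage script that reads `X509 subject mismatch` notes in the format quoted above and separates the symptom reported here (the required subject compared against a bare CN) from a genuinely different subject. Only the first sample line comes from the report; the other two lines and the names `parse_oneline` and `classify` are constructed for illustration.

```python
import re

# Format of the server note quoted in the report:
#   <date> <time> [Note] X509 subject mismatch: '<required>' vs '<presented>'
MISMATCH = re.compile(
    r"X509 subject mismatch: '(?P<required>[^']*)' vs '(?P<presented>[^']*)'"
)


def parse_oneline(subject):
    """Split a '/K=V/K=V' subject string into (key, value) pairs.

    Simplification (assumption): no '/' appears inside attribute values.
    """
    pairs = []
    for part in subject.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key, value))
    return pairs


def classify(line):
    """Return None for unrelated lines, else a label for the mismatch."""
    m = MISMATCH.search(line)
    if m is None:
        return None
    required, presented = m.group("required"), m.group("presented")
    cns = [value for key, value in parse_oneline(required) if key == "CN"]
    if not presented.startswith("/") and presented in cns:
        # Right-hand side is only the CN of the required subject:
        # the symptom described in this report.
        return "cn-only"
    if parse_oneline(presented):
        return "different-subject"
    return "unparsed"


# First line is the one quoted in the report; the other two are constructed.
SAMPLE_LOG = [
    "050830 12:48:30 [Note] X509 subject mismatch: '/E=client_cert@myca.com/CN=client_cert/OU=pippo/O=pippopippo/L=torino/S=italy/C=it' vs 'client_cert'",
    "050830 12:49:02 [Note] X509 subject mismatch: '/CN=client_cert/O=pippopippo/C=it' vs '/CN=other_cert/O=pippopippo/C=it'",
    "050830 12:49:10 [Note] mysqld: ready for connections.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line[:60])
```
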
[31 Aug 2005 16:10] Jorge del Conde
Verified w/5.0.11
[31 Aug 2005 18:13] Jorge del Conde
Tested w/5.0.12 from bk too
[31 Jan 2006 18:52] Jorge del Conde
I wasn't able to reproduce this under XP and Linux with a recent 5.0 pull
[1 Feb 2006 8:09] [ name withheld ]
Two questions:

1. What does "a recent 5.0 pull" mean? If it is fixed it's fixed from a version number so that users can rely on it.

2. How can you pass to "can't repeat"? It has been verified, it must be closed by some kind of patch and not from some random change.