Bug #17319 Allow to serve SSL users via a different port
Submitted: 11 Feb 2006 8:35 Modified: 28 Mar 2011 19:23
Reporter: Ralf Hauser
Status: Verified
Category: MySQL Server: Security: Privileges Severity: S4 (Feature request)
Version: any OS: Any (any)
Assigned to: CPU Architecture: Any
Triage: D5 (Feature request)

[11 Feb 2006 8:35] Ralf Hauser
Description:
The require SSL/x509/issuer/cipher options of GRANT as in http://dev.mysql.com/doc/refman/5.0/en/grant.html are great.

However, to prevent inadvertent password disclosure by misconfigured clients, I suggest being able to serve SSL users on a different port that allows SSL only.

Therefore, they cannot even establish a non-SSL connection to convey their password when they are haunted by Murphy.

Secondly, there is no risk that they log in as non-SSL "internal" (to the firewall) users that are served on e.g. 3306 in parallel.

How to repeat:
Just do the default SSL setup.

Suggested fix:
This should go together with prevention of password guessing for the non-X509 option as suggested in Bug #17318.
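
The per-account REQUIRE options the report refers to, together with a check for accounts that can still authenticate without SSL on the shared port. This is an added example, not part of the original report; the account names, hosts, database, issuer string and passwords are constructed placeholders.

```sql
-- Syntax as in the MySQL 5.0 GRANT manual page linked in the report.
-- Later server versions set the same options with CREATE USER / ALTER USER ... REQUIRE.

-- Any SSL-encrypted connection is accepted; unencrypted logins are refused.
GRANT SELECT, INSERT ON appdb.* TO 'remote_app'@'%'
  IDENTIFIED BY '<password-placeholder>'
  REQUIRE SSL;

-- The client must additionally present a valid X509 certificate.
GRANT SELECT ON appdb.* TO 'remote_report'@'%'
  IDENTIFIED BY '<password-placeholder>'
  REQUIRE X509;

-- The certificate must come from a specific issuer and the session
-- must use a specific cipher (both values are placeholders).
GRANT ALL ON appdb.* TO 'remote_admin'@'%'
  IDENTIFIED BY '<password-placeholder>'
  REQUIRE ISSUER '/C=XX/O=Example Org/CN=Example CA'
      AND CIPHER 'DHE-RSA-AES256-SHA';

-- Audit: accounts with no REQUIRE clause that are reachable from
-- non-local hosts. ssl_type is '' when nothing is required,
-- otherwise 'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = ''
   AND host NOT IN ('localhost', '127.0.0.1', '::1')
 ORDER BY user, host;

-- From a client session: an empty Value means the current
-- connection is not encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

These options are evaluated per account on whatever port the server listens on, so they do not by themselves give the port-level separation requested here.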
[28 Mar 2011 19:23] Miguel Solorzano
Thank you for the bug report.
[5 Dec 2013 19:04] Sveta Smirnova
You can achieve the same goal now if you set up two different MySQL Proxy instances: one for SSL connections and another for regular ones, which will use the same MySQL server.