Bug #20900 Client certificate authentication: warn about SUBJECT and ISSUER variants
Submitted: 7 Jul 2006 11:46
Modified: 10 Aug 2006 18:24
Reporter: Ralf Hauser
Status: No Feedback
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 4.0.19
OS: Linux (Fedora)
Assigned to:
CPU Architecture: Any

[7 Jul 2006 11:46] Ralf Hauser
When using the script as per http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html , the recent openssl on fedora doesn't produce the same syntax as documented 

the sample in http://dev.mysql.com/doc/refman/5.0/en/grant.html says 

  ISSUER '/C=FI/ST=Some-State/L=Helsinki/
    O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com';

while in client-cert.pem I produce, I see

Not sure that this is why I still get the unspecific error as reported in Bug #20899, but it certainly could be a reason.

How to repeat:
use openssl on fedora

Suggested fix:
mention in refman, provide better error message (Bug #20899) that possibly even cites the issuer found in the certificate presented by the client as seen by the server...
[8 Jul 2006 10:18] Valeriy Kravchuk
Thank you for a problem report. What exact OpenSSL version do you use?
[9 Jul 2006 8:42] Ralf Hauser
OpenSSL 0.9.7a Feb 19 2003

Redhat workstation
on Linux 2.6.9-34.0.1.EL #1 Wed May 17 16:44:57 EDT 2006 i686 i686 i386 GNU/Linux

as said, it is the same with fedora.
[10 Jul 2006 18:24] Valeriy Kravchuk
Can you, please, try to repeat with MySQL 4.0.27 and OpenSSL 0.9.8b (or OpenSSL 0.9.7j), and inform about the results? The versions you used are old.
[11 Jul 2006 9:27] Cedric Wider
I am using openssl 0.9.7j on my gentoo 2.6.14 and mysql version 4.1.20.
If the version of openssl and mysql is so important it would be nice to have a note in the documentation too.

The emailAddress string in the generated certificate still isn't the same as the one in the documentation.

Granting the privileges using the following ISSUER string works:
REQUIRE ISSUER '/C=CH/ST=ZH/L=Zurich/O=Acme Corp./OU=R n D/CN=Cedric Wider/emailAddress=foo@bar.com';

And this one (same as in the documentation) doesn't work:
REQUIRE ISSUER '/C=CH/ST=ZH/L=Zurich/O=Acme Corp./OU=R n D/CN=Cedric Wider/Email=foo@bar.com';
[10 Aug 2006 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
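
The label mismatch reported in this thread (`Email=` in the manual's sample versus `emailAddress=` in the generated certificate) can be pinpointed by comparing the two strings attribute by attribute. The following is an added example, not part of the original bug report or MySQL's code; `parse_oneline`, `explain_mismatch` and `ALIASES` are hypothetical names, and it assumes the GRANT string must match the name rendered from the certificate exactly.

```python
# Added example (not MySQL code): diagnose a REQUIRE ISSUER / SUBJECT mismatch.
# Assumption: the GRANT string must equal, character for character, the
# slash-separated name rendered from the client certificate.

# Labels that denote the same field in different renderings (pair from this thread).
ALIASES = {"Email": "emailAddress"}


def parse_oneline(name):
    """Split '/C=CH/ST=ZH/...' into ordered (label, value) pairs."""
    name = name.strip()
    if not name.startswith("/"):
        raise ValueError("expected a name starting with '/'")
    pairs = []
    for part in name.split("/")[1:]:
        label, sep, value = part.partition("=")
        if sep:
            pairs.append((label, value))
        elif pairs:
            # A '/' inside a value: glue the fragment back onto that value.
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + "/" + part)
    return pairs


def explain_mismatch(grant_name, cert_name):
    """Return the differences as messages; an empty list means an exact match."""
    if grant_name == cert_name:
        return []
    want, have = parse_oneline(grant_name), parse_oneline(cert_name)
    problems = []
    if len(want) != len(have):
        problems.append(f"GRANT has {len(want)} attributes, certificate has {len(have)}")
    for (wl, wv), (hl, hv) in zip(want, have):
        if wl != hl:
            same = ALIASES.get(wl) == hl or ALIASES.get(hl) == wl
            hint = " (same field, different label)" if same else ""
            problems.append(f"label {wl!r} in GRANT vs {hl!r} in certificate{hint}")
        if wv != hv:
            problems.append(f"value of {hl}: {wv!r} in GRANT vs {hv!r} in certificate")
    return problems or ["strings differ outside the parsed attributes (e.g. whitespace)"]


# Constructed inputs: the two strings quoted in the thread.
CERT_NAME = "/C=CH/ST=ZH/L=Zurich/O=Acme Corp./OU=R n D/CN=Cedric Wider/emailAddress=foo@bar.com"
DOC_STYLE = CERT_NAME.replace("/emailAddress=", "/Email=")

if __name__ == "__main__":
    for line in explain_mismatch(DOC_STYLE, CERT_NAME):
        print(line)
```

The certificate-side string can be taken from `openssl x509 -in client-cert.pem -noout -issuer -nameopt compat`, which prints the slash-separated form after an `issuer=` prefix.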