Description:
MySQL should be a little more verbose about the reasons for which a user is rejected.
In former days, with only host and password, it was quite easy to debug, but when it gets to max_connections, X509 issuer/subject/cipher etc., more verbosity would be good, although this verbosity should not be reported to the client for security reasons.
I made a patch that prints warnings into the error logfile. The programmers will have their own opinions on which function and logfile should be used for this, but it at least gives them a hint which lines to edit.
Also, this should not become too easy a way of flooding a server's logfile :-)
(I still vote for syslog...)
How to repeat:
Try to log in with a wrong cert. As you can see, you cannot see much :-)
Suggested fix:
--- mysql-dfsg-4.0.12/sql/sql_acl.cc 2003-03-15 16:47:57.000000000 +0100
+++ t/mysql-dfsg-4.0.12/sql/sql_acl.cc 2003-03-31 22:27:36.000000000 +0200
@@ -561,6 +563,7 @@
user_access=acl_user->access;
else
{
+ sql_print_error("X509 ciphers mismatch: should be |%s| but is |%s|", acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_));
user_access=NO_ACCESS;
break;
}
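Review bot: The new log line on L16 (and likewise L24 and L40 in the next two hunks) is emitted once per failed handshake, before any credential is accepted, and each prints a value chosen by the remote peer (the negotiated cipher name, the certificate issuer or subject from X509_NAME_oneline) next to the expected value, so an unauthenticated client can grow the error log at will, which the description itself acknowledges. To make each entry actionable for whoever reads the log, it should also name the connecting account and host that acl_getroot is resolving (those identifiers live outside the hunk), e.g. `sql_print_error("SSL cipher mismatch for '%s'@'%s': expected |%s|, got |%s|", user, host, acl_user->ssl_cipher, SSL_get_cipher(vio->ssl_));` with the actual parameter names checked against the function signature. X509_NAME_oneline escapes non-printable bytes, so newline injection into the log is unlikely, but that assumption should be stated in a comment next to the call. The three messages should also share one format (L40 uses `|%s| vs |%s|` while L16/L24 use `should be |%s| but is |%s|`), and the braces added on L39/L43 are on the same line as the condition, unlike the surrounding code (L15, L23, L34) which puts them on their own line.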
@@ -578,6 +582,7 @@
acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr))
{
+ sql_print_error("X509 issuer mismatch: should be |%s| but is |%s|", acl_user->x509_issuer, ptr);
user_access=NO_ACCESS;
free(ptr);
break;
@@ -586,16 +591,19 @@
free(ptr);
}
DBUG_PRINT("info",("checkpoint 4"));
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
{
char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
acl_user->x509_subject, ptr));
- if (strcmp(acl_user->x509_subject,ptr))
+ if (strcmp(acl_user->x509_subject,ptr)) {
+ sql_print_error("X509 subject mismatch: |%s| vs |%s|", acl_user->x509_subject, ptr);
user_access=NO_ACCESS;
- else
+ } else {
user_access=acl_user->access;
+ }
free(ptr);
}
break;