Bug #215 mysqld should be more verbose at x509 ACL errors
Submitted: 31 Mar 2003 12:58 Modified: 25 Apr 2003 8:42
Reporter: Christian Hammers (Silver Quality Contributor) (OCA)
Status: Closed
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.0.12 OS:Linux (Debian GNU/Linux)
Assigned to: Sergei Glukhov CPU Architecture:Any

[31 Mar 2003 12:58] Christian Hammers
Description:
MySQL should be a little more verbose about the reasons for which a user is rejected.
In former days, with only host and password, it was quite easy to debug, but when it gets to max_connections, X509 issuer/subject/cipher etc., more verbosity would be good, although this verbosity should not be reported to the client for security reasons.
I made a patch that prints warnings into the error logfiles. The programmers will have their own opinions about which function and logfile should be used for this, but this at least gives them a hint which lines to edit.
Also, this should not be a too easy way of flooding a server's logfile :-)
(I still vote for syslog...)

How to repeat:
Try to log in with a wrong cert. As you can see, you can't see much :-)

Suggested fix:
--- mysql-dfsg-4.0.12/sql/sql_acl.cc    2003-03-15 16:47:57.000000000 +0100
+++ t/mysql-dfsg-4.0.12/sql/sql_acl.cc  2003-03-31 22:27:36.000000000 +0200
@@ -561,6 +563,7 @@
                user_access=acl_user->access;
              else
              {
+               sql_print_error("X509 ciphers mismatch: should be |%s| but is |%s|", acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_));
                user_access=NO_ACCESS;
                break;
              }
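Review bot: the new sql_print_error line does not say which account or client host was being authenticated, so an administrator reading the error log cannot tell whose cipher requirement failed; suggest including the ACL user and host name in the message alongside the expected and actual cipher. Also, the line is written at error level on every rejected handshake, which is exactly the log-flooding concern the description raises; logging it as a warning, or only when a verbose/debug option is set, would let operators keep the error log readable.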
@@ -578,6 +582,7 @@
                                 acl_user->x509_issuer, ptr));
              if (strcmp(acl_user->x509_issuer, ptr))
              {
+               sql_print_error("X509 issuer mismatch: should be |%s| but is |%s|", acl_user->x509_issuer, ptr);
                user_access=NO_ACCESS;
                free(ptr);
                break;
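Review bot: the "X509 issuer mismatch" message writes ptr, the issuer DN taken from the peer's certificate, straight into the error log for every rejected connection, so an unauthenticated client now controls a string that lands in the log; the surrounding DBUG_PRINT already records the same comparison for debug builds. As in the previous hunk, the message should name the account and host being authenticated, and the presented DN should be bounded (for example truncated to a fixed length) before it is logged.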
@@ -586,16 +591,19 @@
              free(ptr);
            }
            DBUG_PRINT("info",("checkpoint 4"));
            /* X509 subject is specified, we check it .. */
            if (acl_user->x509_subject)
            {
              char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
              DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
                                 acl_user->x509_subject, ptr));
-             if (strcmp(acl_user->x509_subject,ptr))
+             if (strcmp(acl_user->x509_subject,ptr)) {
+               sql_print_error("X509 subject mismatch: |%s| vs |%s|", acl_user->x509_subject, ptr);
                user_access=NO_ACCESS;
-             else
+             } else {
                user_access=acl_user->access;
+             }
              free(ptr);
            }
            break;
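Review bot: the brace placement introduced here (`if (strcmp(acl_user->x509_subject,ptr)) {` and `} else {`) does not match the surrounding code, which puts opening and closing braces on their own lines as in the `if (acl_user->x509_subject)` block just above; suggest following that style. The message format is also inconsistent with the other two hunks: "X509 subject mismatch: |%s| vs |%s|" versus "should be |%s| but is |%s|", so make the three messages use the same wording and order of expected/actual values, and include the account and host as noted for the other hunks.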
[17 Apr 2003 5:31] Sergei Glukhov
This bug was already closed by Monty (2003-04-15)