Bug #38285 REQUIRE X509, ISSUER or SUBJECT results in SSL connection error
Submitted: 22 Jul 2008 14:35 Modified: 11 Jan 2013 11:38
Reporter: Yuri
Status: Won't fix
Category: Connector / ODBC    Severity: S3 (Non-critical)
Version: 3.51    OS: Windows
Assigned to: Lawrenty Novitsky    CPU Architecture: Any
Tags: SSL, X509

[22 Jul 2008 14:35] Yuri  
Description:
Although it works with Connector/ODBC 5.1.x, an attempt to use valid certificates for a user with REQUIRE X509, REQUIRE ISSUER or REQUIRE SUBJECT restrictions with Connector/ODBC 3.51.x leads to an SSL connection error: Request returned with SQL_ERROR

How to repeat:
install certificates and restart the server:
[mysqld]
ssl-ca=C:/cacert.pem
ssl-cert=C:/server-cert.pem
ssl-key=C:/server-key.pem

net stop mysql & net start mysql

register anonymous user:
CREATE USER ''@'localhost';
GRANT USAGE ON *.* TO ''@'localhost' REQUIRE X509;

mysql --protocol=tcp --ssl-ca=C:/cacert.pem --ssl-cert=C:/client-cert.pem --ssl-key=C:/client-key.pem
should be allowed now

set up ODBC:
[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\3.51]
"Driver"="C:\\WINDOWS\\system32\\myodbc3.dll"
"SSLCA"="C:\\cacert.pem"
"SSLCERT"="C:\\client-cert.pem"
"SSLKEY"="C:\\client-key.pem"
[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\5.1]
"Driver"="C:\\Program Files\\MySQL\\Connector ODBC 5.1\\myodbc5.dll"
"SSLKEY"="C:\\client-key.pem"
"SSLCERT"="C:\\client-cert.pem"
"SSLCA"="C:\\cacert.pem"

testing connection with MySQL Connector/ODBC:
               3.51.26 | 5.1.4
REQUIRE NONE   ok      | ok
REQUIRE SSL    ok      | ok
REQUIRE X509   failed  | ok
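
The report's repro creates only a REQUIRE X509 account. The following is an added example, not part of the original report, covering all three restrictions named in the title and showing how to confirm on the server what each account enforces. The account names are hypothetical and the DN strings are placeholders to be filled from your own certificates.

```sql
-- Added example: account names are hypothetical, DN values are placeholders.
-- Uses the same GRANT ... REQUIRE syntax as the report (MySQL 5.0-era servers).

-- Any client certificate that validates against the server's ssl-ca.
CREATE USER 'x509_any'@'localhost';
GRANT USAGE ON *.* TO 'x509_any'@'localhost' REQUIRE X509;

-- Valid certificate that was also issued by one specific CA.
CREATE USER 'x509_issuer'@'localhost';
GRANT USAGE ON *.* TO 'x509_issuer'@'localhost'
  REQUIRE ISSUER '<issuer DN of cacert.pem>';

-- Valid certificate with one specific subject.
CREATE USER 'x509_subject'@'localhost';
GRANT USAGE ON *.* TO 'x509_subject'@'localhost'
  REQUIRE SUBJECT '<subject DN of client-cert.pem>';

-- Audit what the server enforces per account.
-- ssl_type: ''          = REQUIRE NONE (no TLS requirement)
--           'ANY'       = REQUIRE SSL
--           'X509'      = REQUIRE X509
--           'SPECIFIED' = REQUIRE ISSUER / SUBJECT / CIPHER
SELECT user, host, ssl_type,
       CAST(x509_issuer  AS CHAR) AS issuer,
       CAST(x509_subject AS CHAR) AS subject
FROM mysql.user
ORDER BY ssl_type, user;

-- Run inside the connection under test (mysql client or ODBC):
-- have_ssl shows whether the server started with TLS support,
-- and a non-empty Ssl_cipher value means this session is encrypted.
SHOW VARIABLES LIKE 'have_ssl';
SHOW STATUS LIKE 'Ssl_cipher';
```

Rows with an empty ssl_type accept unencrypted logins, so the same query doubles as a check for accounts that were meant to be certificate-bound but are not.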

[23 Jul 2008 8:01] Tonci Grgin
ODBC traces

Attachment: Bug38285traces.zip (application/zip, text), 1.29 KiB.

[23 Jul 2008 8:14] Tonci Grgin
Hi Yuri and thanks for your report.

As a matter of fact we have two problems here (as seen in traces attached):
  - 3.51.26 replaces the anonymous user with the default one (ODBC@): DIAG [HY000] [MySQL][ODBC 3.51 Driver]Access denied for user 'ODBC'@'localhost' (using password: NO) (1045)
  - When the user is given a name, 3.51.26 fails to authenticate it using SSL (same trace as above but with the proper UID instead of 'ODBC').

Varying "SSL Cipher" and "Verify SSL cert" makes no difference.

Registry entry with known UID:
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\351-on-5068-ssl]
"Driver"="C:\\WINDOWS\\system32\\myodbc3.dll"
"DATABASE"="test"
"DESCRIPTION"="3.51 with SSL on 5068"
"OPTION"="411063322"
"PORT"="5068"
"SERVER"="localhost"
"UID"="bug38285"
"SSLCA"="C:\\mysql-5.0.68-pb10-win32\\mysql-test\\std_data\\cacert.pem"
"SSLCAPATH"="C:\\mysql-5.0.68-pb10-win32\\mysql-test\\std_data"
"SSLCERT"="C:\\mysql-5.0.68-pb10-win32\\mysql-test\\std_data\\client-cert.pem"
"SSLKEY"="C:\\mysql-5.0.68-pb10-win32\\mysql-test\\std_data\\client-key.pem"

[9 Sep 2008 17:01] Tonci Grgin
Yuri.

c/ODBC 5.1 is the current GA and takes away focus from 3.51. Is there a way for you to use 5.1 instead of 3.51, as I think this will take considerable time to be fixed?

[11 Jan 2013 11:38] Hemant Dangi
Issue not found with 5.2.3a.