MySQL Bugs: #44957: SSL certificate for openssl is inconsistent with test case

Bug #44957	SSL certificate for openssl is inconsistent with test case
Submitted:	19 May 2009 18:11
Reporter:	Joerg Bruehe	Email Updates:
Status:	Won't fix	Impact on me:	None
Category:	Tests: Server	Severity:	S3 (Non-critical)
Version:	5.0.74sp1	OS:	Any
Assigned to:		CPU Architecture:	Any
Tags:	SSL certificate

Description:
This bug entry is just for reference (documentation) purposes,
no action will be taken (and none is needed).

In several test runs of 5.0.74sp1, the test "openssl_1" fails like this:

=====
openssl_1                      [ fail ]

mysqltest: At line NNN: query 'connect  con3,localhost,ssl_user3,,,,,SSL' failed: 1045: Access denied for user 'ssl_user3'@'localhost' (using password: NO)

The result from queries just before the failure was:
drop table if exists t1;
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;

More results from queries before failure can be found in /PATH/mysql-test/var/log/openssl_1.log

Stopping All Servers
=====

This is caused by the condition "L=Uppsala" in the "grant" for user3,
which was valid with the test certificates we used previously.

When these expired (see bug#42366), the new ones did not have this part, and the tests were changed - so everything passed.
(See versions 5.0.78 and up.)

Now the 5.0.74sp1 build is based on 5.0.74 which used the old tests, just the new certificates were incorporated into the sources as a backport.
This causes the failure quoted above.

How to repeat:
Do a build and run the tests, using the sources of 5.0.74sp1.

Suggested fix:
To avoid re-creating the sources, I modified the test case and dropped the "L=Uppsala" part: Now the test matches the (new) certificate, and passes.

Note that we do yet know whether we will merge this fix back into the source tree.

This sounds more critical than it really is, because the current sources are consistent, the problem is only with 5.0.74sp1 which is based on the old test.