| Bug #59378 | Incorrect examples for GRANT ... REQUIRE ISSUER/SUBJECT with e-mail RDN | | |
|---|---|---|---|
| Submitted: | 9 Jan 2011 13:01 | Modified: | 1 Jun 2011 14:15 |
| Reporter: | Dave Kelly | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Documentation | Severity: | S3 (Non-critical) |
| Version: | 5.5.8 GA | OS: | Any |
| Assigned to: | Paul DuBois | CPU Architecture: | Any |
| Tags: | email, emailAddress, grant, grant require, issuer, RDN, subject | | |
[9 Jan 2011 13:01]
Dave Kelly
[2 May 2011 16:57]
Georgi Kodinov
Dave, You're correct that the documentation should be changed. But it's not because it's incorrect. The examples used to work up until OpenSSL 0.9.6h when the short name for emailAddress changed from Email to emailAddress (and I presume they still do if you link MySQL with an OpenSSL version like this). The X509 standard is very vague on what are the parts of a Distinguished Name. It just says that it must be formatted in a certain way and it must be unique. That uniqueness is left to the infrastructure to assure. The server probably does nothing more than just a string comparison. Thus your only safe bet that you have a valid DN that you can compare to is to parse an X509 certificate, get its subject string and use that in the GRANT statement. Now OpenSSL is a de-facto standard in how one formats such DNs. In its recent versions it formats the email OID as emailAddress. Thus the documentation should be updated. HTH.
[1 Jun 2011 14:15]
Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products. Added to REQUIRE ISSUER description: If MySQL is linked against a version of OpenSSL older than 0.9.6h, use Email rather than emailAddress in the 'issuer' value. And similar for REQUIRE SUBJECT.
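The procedure the two comments above describe (take the DN string from the certificate itself rather than retyping it, and check which short name the linked OpenSSL prints for the e-mail RDN) as an added shell example; it is not code from the bug report, from MySQL, or from either commenter. It mints a throwaway self-signed client certificate, reads the subject and issuer back in the one-line "/C=.../emailAddress=..." layout that MySQL compares against, reports whether the build writes `emailAddress` or `Email`, and prints the matching GRANT. The subject values, file paths and the `'client'@'localhost'` account are constructed for the example; the only requirement is the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the bug report or MySQL). Mints a self-signed
# client certificate with an e-mail RDN, extracts its subject/issuer DN in
# the one-line form MySQL string-compares, and builds the GRANT from it.
# Subject values, paths and the account name are constructed for the demo.
set -eu

# make_test_cert CERT_PATH
# Self-signed certificate plus private key (CERT_PATH.key), 1-day validity,
# no passphrase. The e-mail RDN is given with the modern short name.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=SE/O=Example/CN=client/emailAddress=client@example.com" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# cert_subject CERT_PATH / cert_issuer CERT_PATH
# DN as the "/RDN=value/..." string. -nameopt compat selects the legacy
# one-line layout on OpenSSL 1.1+ (the default on older builds); the sed
# strips the "subject=" / "issuer=" prefix, with or without a trailing space.
cert_subject() {
  openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}
cert_issuer() {
  openssl x509 -noout -issuer -nameopt compat -in "$1" | sed 's/^issuer= *//'
}

# email_rdn_name CERT_PATH
# Which short name this OpenSSL build prints for the e-mail RDN:
# "emailAddress" (0.9.6h and later) or "Email" (older builds). The GRANT
# must use whichever the OpenSSL linked into the MySQL server produces.
email_rdn_name() {
  case "$(cert_subject "$1")" in
    */emailAddress=*) echo emailAddress ;;
    */Email=*)        echo Email ;;
    *)                echo none ;;
  esac
}

# grant_statement CERT_PATH
# REQUIRE SUBJECT / ISSUER are literal string matches against the DN
# strings above, so both values are taken verbatim from the certificate.
grant_statement() {
  printf "GRANT USAGE ON *.* TO 'client'@'localhost' REQUIRE SUBJECT '%s' AND ISSUER '%s';\n" \
    "$(cert_subject "$1")" "$(cert_issuer "$1")"
}

main() {
  dir=$(mktemp -d)
  make_test_cert "$dir/client.pem"
  echo "subject:   $(cert_subject "$dir/client.pem")"
  echo "issuer:    $(cert_issuer "$dir/client.pem")"
  echo "email RDN: $(email_rdn_name "$dir/client.pem")"
  grant_statement "$dir/client.pem"
  rm -rf "$dir"
}

main
```

For a real deployment, run `cert_subject` against the client certificate and `cert_issuer` against it (or `cert_subject` against the CA certificate) on the machine whose OpenSSL matches the one the MySQL server is linked with; if `email_rdn_name` reports `Email`, that is the spelling the GRANT must carry, exactly as the documentation fix above states.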