Bug #71313 Failed authentication should list if SSL/TLS is used.
Submitted: 7 Jan 2014 20:49 Modified: 28 Jan 2014 18:52
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Connection Handling Severity:S3 (Non-critical)
Version:5.6.14 OS:Any
Assigned to: CPU Architecture:Any
Triage: Needs Triage: D5 (Feature request)

[7 Jan 2014 20:49] Daniël van Eeden
Description:
When REQUIRE SSL/X509/etc is specified but the username and password are correct the server may return access denied if the wrong or no ssl client opties are supplied.

It is not possible to differentiate between a wrong ssl setting and a wrong password.

How to repeat:
Try to login with wrong ssl setting and then with a wrong password. Check the messages which are logged. log_warnings must be set to 2 for this to work.

2014-01-07 21:28:17 6719 [Warning] Access denied for user 'ssltest'@'localhost' (using password: YES)

Suggested fix:
Add "using ssl" to the log message:
2014-01-07 21:28:17 6719 [Warning] Access denied for user 'ssltest'@'localhost' (using password: YES, using ssl: Yes)

Or add a separate message:
2014-01-07 21:28:17 6718 [Warning] Failed to verify SSL client certificate for user 'ssltest'@'localhost' (issuer: My_First_CA, subject: MyUser)
2014-01-07 21:28:17 6719 [Warning] Access denied for user 'ssltest'@'localhost' (using password: YES)
[28 Jan 2014 18:52] Sveta Smirnova
Thank you for the report.

Verified as described. I think we don't need to add more information about the failure, but having (using password: YES, using ssl: Yes) can be useful.