Description:
In the CREATE USER documentation discussing REQUIRE [X509|ISSUER|SUBJECT], the manual states that clients must supply --ssl-ca to connect successfully:
"To connect, the client must specify the --ssl-ca, --ssl-key, and --ssl-cert options. This is also true for ISSUER and SUBJECT because those REQUIRE options imply the requirements of X509."
http://dev.mysql.com/doc/refman/5.7/en/create-user.html
However, this is not true: only --ssl-key and --ssl-cert are required. The client's public cert (the --ssl-cert argument to the client) is signed by a CA. That same CA needs to be configured as a trusted CA on the server side (with --ssl-ca or --ssl-capath), but the CA's public cert is not required on the client side.
Best practices dictate that --ssl-ca be specified on the client side, so that the public cert provided by the server can be validated properly, but it's not *required* as described in the manual. Example:
D:\mysql-advanced-5.7.10-winx64>bin\mysql -utls1 -P3310 --ssl-cert=data\client-cert.pem --ssl-key=data\client-key.pem
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.7.10-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show create user current_user();
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for tls1@localhost                                                                                                                                                             |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'tls1'@'localhost' IDENTIFIED WITH 'mysql_native_password' REQUIRE SUBJECT '/CN=MySQL_Server_5.7.10_Auto_Generated_Client_Certificate' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
How to repeat:
* Create an account specifying REQUIRE X509
* Connect using only the --ssl-cert and --ssl-key options, with no --ssl-ca option.
* Observe that connection is successful.
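The trust relationship the steps above rely on can be shown with plain openssl, without a MySQL server. The script below is an added illustration, not part of this bug report or of MySQL's own tooling. It assumes the openssl command-line tool is on PATH; the CA names, the account name tls1, the password 'secret' and the file names (ca.pem, client-cert.pem, evil-cert.pem, ...) are made up for the demo and written to a temporary directory. The server's REQUIRE X509 check is modelled by `openssl verify -CAfile`, which is the same chain validation the server performs against its --ssl-ca: a client cert signed by the trusted CA is accepted, one signed by some other CA with an identical subject is rejected, and the client itself only ever needs the key and cert. The subject string is printed in the '/CN=...' form that REQUIRE SUBJECT compares against (as in the SHOW CREATE USER output above).

```shell
#!/bin/sh
# Added example (not from the bug report): which side needs the CA certificate
# for a REQUIRE X509 / REQUIRE SUBJECT account. Assumes the openssl CLI is
# installed; every file and name below is invented for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA. Only the SERVER is configured with this file (--ssl-ca).
make_ca() {  # make_ca <basename> <CN>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1-key.pem" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Client key + cert signed by the given CA. These two files are all the
# CLIENT has to present (--ssl-key / --ssl-cert); it never sees ca.pem.
issue_client_cert() {  # issue_client_cert <ca basename> <client basename> <CN>
  openssl req -newkey rsa:2048 -nodes -keyout "$2-key.pem" -out "$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1-key.pem" \
    -CAcreateserial -out "$2-cert.pem" >/dev/null 2>&1
}

# What the server does with a presented client cert for REQUIRE X509:
# chain it to the CA it trusts. Prints "accept" or "reject".
server_accepts() {  # server_accepts <ca.pem> <client-cert.pem>
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Subject in the '/CN=...' form that REQUIRE SUBJECT compares against.
# -nameopt compat keeps the old one-line format on OpenSSL 1.1+/3.x.
cert_subject() {  # cert_subject <cert.pem>
  openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# The CREATE USER statement a DBA would run for that certificate's subject
# (account name and password are demo values).
create_user_sql() {  # create_user_sql <user> <client-cert.pem>
  printf "CREATE USER '%s'@'localhost' IDENTIFIED BY 'secret' REQUIRE SUBJECT '%s';\n" \
    "$1" "$(cert_subject "$2")"
}

make_ca ca "Demo MySQL CA"
make_ca rogue-ca "Rogue CA"
issue_client_cert ca client tls1        # signed by the CA the server trusts
issue_client_cert rogue-ca evil tls1    # same subject, wrong issuer

echo "client cert signed by trusted CA:  $(server_accepts ca.pem client-cert.pem)"
echo "client cert signed by another CA:  $(server_accepts ca.pem evil-cert.pem)"
create_user_sql tls1 client-cert.pem
```

The "reject" line is the whole reason the CA sits on the server: REQUIRE X509 is a statement about what the server trusts, so the client's copy of ca.pem plays no part in it. The client's copy matters for the other direction, which the report's "best practice" remark is about: without --ssl-ca (or the --ssl-mode=VERIFY_CA / VERIFY_IDENTITY settings added in 5.7.11) the client accepts any server certificate, so an attacker who can intercept the TCP connection can present their own certificate and read the session, including the password sent by mysql_native_password.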
Suggested fix:
Modify documentation to clarify that --ssl-ca is recommended for client-side validation of server certificate, but not required for REQUIRE [X509 | ISSUER | SUBJECT] accounts.