Bug #80195 CA cert not required for REQUIRE X509, SUBJECT, ISSUER
Submitted: 29 Jan 2016 5:28 Modified: 18 Feb 2016 18:40
Reporter: Todd Farmer (OCA) Status: Closed
Category: MySQL Server: Documentation Severity: S3 (Non-critical)
Version: 5.7.10 OS: Any
Assigned to: Paul DuBois CPU Architecture: Any

[29 Jan 2016 5:28] Todd Farmer
Description:
In the CREATE USER documentation discussing REQUIRE [X509|ISSUER|SUBJECT], the manual states that clients must supply --ssl-ca to connect successfully:

"To connect, the client must specify the --ssl-ca, --ssl-key, and --ssl-cert options. This is also true for ISSUER and SUBJECT because those REQUIRE options imply the requirements of X509."

http://dev.mysql.com/doc/refman/5.7/en/create-user.html

However, this is not true - only --ssl-key and --ssl-cert are required. The client public cert (--ssl-cert argument to the client) is signed by a CA. This same CA needs to be configured as a trusted CA on the server side (with --ssl-ca or --ssl-capath), but the CA public cert is not required on the client side.

Best practices dictate that --ssl-ca be specified on the client side, so that the public cert provided by the server can be validated properly, but it's not *required* as described in the manual.  Example:

D:\mysql-advanced-5.7.10-winx64>bin\mysql -utls1 -P3310 --ssl-cert=data\client-cert.pem --ssl-key=data\client-key.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.7.10-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show create user current_user();
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for tls1@localhost                                                                                                                                                            |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'tls1'@'localhost' IDENTIFIED WITH 'mysql_native_password' REQUIRE SUBJECT '/CN=MySQL_Server_5.7.10_Auto_Generated_Client_Certificate' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

How to repeat:
* Create an account specifying REQUIRE X509
* Connect using only --ssl-cert and --ssl-key options, no --ssl-ca option.
* Observe that connection is successful.

Suggested fix:
Modify documentation to clarify that --ssl-ca is recommended for client-side validation of server certificate, but not required for REQUIRE [X509 | ISSUER | SUBJECT] accounts.
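The trust relationships the report describes, as an added example that is not part of the bug report or of MySQL: a throw-away CA and client certificate are built with openssl (the names Example_CA, Other_CA and tls1_client are constructed), and openssl verify stands in for the server-side REQUIRE X509 check, so the script shows that only the verifying side needs the CA certificate while the client side needs just its cert and key.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce the trust relationships
# with openssl only. Names (Example_CA, Other_CA, tls1_client) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA that signs the client certificate. On a real server this is the file
# given to --ssl-ca (or a directory given to --ssl-capath).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example_CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
# An unrelated CA, standing in for a server whose --ssl-ca trusts someone else.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other_CA" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem" 2>/dev/null

# Client key and certificate: the two files the client passes as --ssl-key and
# --ssl-cert. The CA certificate is never copied to the client side.
openssl req -newkey rsa:2048 -nodes -subj "/CN=tls1_client" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/client-cert.pem" 2>/dev/null

# What REQUIRE X509 makes the server check: does the presented client cert
# chain to a CA the server trusts? Only the verifier needs ca.pem.
server_check_x509() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}

# Same client files, server configured with a different CA: the client would be
# rejected even though its --ssl-cert and --ssl-key are perfectly valid.
server_check_x509_wrong_ca() {
    openssl verify -CAfile "$WORK/other-ca.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}

# The string REQUIRE SUBJECT is compared against: the client cert's subject DN
# in OpenSSL one-line ("/CN=...") format, as shown by SHOW CREATE USER above.
client_subject() {
    openssl x509 -noout -subject -nameopt compat -in "$WORK/client-cert.pem" \
        | sed 's/^subject=[[:space:]]*//'
}

if server_check_x509; then echo "X509 check: OK (server holds ca.pem)"; fi
if ! server_check_x509_wrong_ca; then echo "X509 check with other CA: rejected"; fi
echo "REQUIRE SUBJECT '$(client_subject)'"
```

Adding --ssl-ca on the client changes nothing in these checks; it only lets the client validate the server's certificate, which is the recommendation the report makes.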
[18 Feb 2016 18:40] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly.