Bug #86061 REQUIRE CIPHER doesn't work as documented
Submitted: 24 Apr 2017 21:42 Modified: 3 May 2017 9:22
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.7.18
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL, tls

[24 Apr 2017 21:42] Daniël van Eeden
Description:
https://dev.mysql.com/doc/refman/5.7/en/create-user.html says:
"Requests a specific cipher method for encrypting connections. This option is needed to ensure that ciphers and key lengths of sufficient strength are used. SSL itself can be weak if old algorithms using short encryption keys are used."

But require cipher implicitly also requires x509, which is not desired and not documented.

How to repeat:
Try to use cipher requirements w/o using client certificates.

Suggested fix:
Don't require a client certificate if require cipher is used. Combine require cipher with require x509 if you want this.

If this is not possible: then document that require cipher will also require a client certificate.

[3 May 2017 9:22] MySQL Verification Team
Hello Daniël,

Thank you for the report and feedback.
Verifying based on internal discussion.

Thanks,
Umesh
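
The reproduction described under "How to repeat", as an added SQL example that is not part of the original bug page or of MySQL's own test suite. The account names, password and cipher name are constructed sample values; the audit query assumes the MySQL 5.7 `mysql.user` column layout (`ssl_type`, `ssl_cipher`, `x509_issuer`, `x509_subject`).

```sql
-- Added illustration for MySQL 5.7; run as an administrative user.
-- Account names, the password and the cipher are constructed samples.

-- Account A: cipher requirement only (the case in this report).
CREATE USER 'app_cipher'@'%' IDENTIFIED BY 'Sample-Passw0rd!'
  REQUIRE CIPHER 'DHE-RSA-AES256-SHA';

-- Account B: TLS required, no cipher pinned, for comparison.
CREATE USER 'app_tls'@'%' IDENTIFIED BY 'Sample-Passw0rd!'
  REQUIRE SSL;

-- How the two requirements are stored: A is ssl_type = 'SPECIFIED'
-- with ssl_cipher set, B is ssl_type = 'ANY'.
SELECT user, host, ssl_type,
       CONVERT(ssl_cipher USING utf8) AS required_cipher
FROM mysql.user
WHERE user IN ('app_cipher', 'app_tls');

-- Audit: accounts that pin a cipher but name no issuer or subject.
-- Per this report, these logins still need a client certificate,
-- although the CREATE USER text never asked for one.
SELECT user, host,
       CONVERT(ssl_cipher USING utf8) AS required_cipher
FROM mysql.user
WHERE ssl_type = 'SPECIFIED'
  AND ssl_cipher   <> ''
  AND x509_issuer  = ''
  AND x509_subject = '';

-- Reproduction from a client (shell commands shown as comments):
--   mysql -u app_tls    -p --ssl-mode=REQUIRED
--       connects without a client certificate
--   mysql -u app_cipher -p --ssl-mode=REQUIRED --ssl-cipher=DHE-RSA-AES256-SHA
--       refused per this report, even though the cipher matches
--   adding --ssl-cert=... --ssl-key=... supplies the client certificate
--   that REQUIRE CIPHER implicitly demands

-- From a session that did connect, confirm the negotiated cipher:
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Clean up the sample accounts.
DROP USER 'app_cipher'@'%', 'app_tls'@'%';
```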