Bug #8777 MySQL 4.1.10 with OpenSSL 0.9.7e GRANT..REQUIRE..ISSUER..AND..SUBJECT problem
Submitted: 24 Feb 2005 12:32    Modified: 4 Jul 2007 10:20
Reporter: Paul Doctor
Status: Can't repeat
Category: MySQL Server    Severity: S2 (Serious)
Version: 4.1.14    OS: Any (Any)
Assigned to: Sergei Glukhov    CPU Architecture: Any

[24 Feb 2005 12:32] Paul Doctor
Description:
Hello,

This statement is not working as expected in 4.1.10 with SSL:

GRANT ALL PRIVILEGES ON test.* TO 'John Kerry'@'%' IDENTIFIED BY 'secretpass'
  REQUIRE SUBJECT '/C=GB/ST=EU/L=London/O=John Kerry/OU=John Kerry/CN=CA-CORP/emailAddress=john.kerry@ca-corp.com'
  AND ISSUER '/C=US/ST=NY/L=New York/O=CA-CORP/OU=CACORP/CN=CA-CORP/emailAddress=info@ca-corp.com'
  AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

It works like an OR statement, not AND: it means that any user with a certificate issued by the CA may connect to the SSL server with any other client certificate issued by this same CA authority.

The statement worked this way only:
GRANT ALL PRIVILEGES ON test.* TO 'John Kerry'@'%' IDENTIFIED BY 'secretpass'
  REQUIRE SUBJECT '/C=GB/ST=EU/L=London/O=John Kerry/OU=John Kerry/CN=CA-CORP/emailAddress=john.kerry@ca-corp.com';

or this way:
GRANT ALL PRIVILEGES ON test.* TO 'John Kerry'@'%' IDENTIFIED BY 'secretpass'
  REQUIRE ISSUER '/C=US/ST=NY/L=New York/O=CA-CORP/OU=CACORP/CN=CA-CORP/emailAddress=info@ca-corp.com';

but unfortunately not with an AND statement between the REQUIRE options.

Any help, comments? 

Regards, Paul

How to repeat:
...above
[26 Jul 2005 2:15] Lachlan Mulcahy
Verified this bug. It appears that as long as the x509 ISSUER _or_ SUBJECT matches one of the REQUIREd criteria the user is allowed to connect. The CIPHER required is always enforced (i.e. it is ANDed).
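The following is an added illustration, not code from the bug report or from the MySQL server: a small model of how the REQUIRE SUBJECT ... AND ISSUER ... AND CIPHER clause is meant to be evaluated (every given option must match), placed beside the OR-style evaluation the reporter and the verifier describe, and run over constructed client certificates. The subject and issuer DNs and the cipher name are copied from the report's GRANT statement (line wrap removed); the second certificate's subject DN, the class and function names, and the cipher string used for the negative case are assumptions made for this example.

```python
# Added example (not from the bug report or from MySQL): a model of how a
# REQUIRE SUBJECT ... AND ISSUER ... AND CIPHER clause should be evaluated,
# beside the OR-style evaluation the report describes, so the difference can
# be checked against constructed client certificates.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ClientCert:
    """The two DN fields compared by the check; DNs in OpenSSL one-line form."""
    subject: str
    issuer: str


@dataclass(frozen=True)
class Requirement:
    """What a GRANT ... REQUIRE clause asks for; None means 'not required'."""
    subject: Optional[str] = None
    issuer: Optional[str] = None
    cipher: Optional[str] = None


def check_expected(req: Requirement, cert: ClientCert, cipher: str) -> bool:
    """Intended semantics: every option given in REQUIRE must match (AND)."""
    if req.cipher is not None and req.cipher != cipher:
        return False
    if req.subject is not None and req.subject != cert.subject:
        return False
    if req.issuer is not None and req.issuer != cert.issuer:
        return False
    return True


def check_as_reported(req: Requirement, cert: ClientCert, cipher: str) -> bool:
    """Behaviour described in the report: CIPHER is always enforced, but a
    SUBJECT or ISSUER match on its own is enough (OR)."""
    if req.cipher is not None and req.cipher != cipher:
        return False
    dn_checks = []
    if req.subject is not None:
        dn_checks.append(req.subject == cert.subject)
    if req.issuer is not None:
        dn_checks.append(req.issuer == cert.issuer)
    return any(dn_checks) if dn_checks else True


def wrongly_admitted(req: Requirement, certs: List[ClientCert], cipher: str) -> List[str]:
    """Subjects that the reported behaviour lets in although AND semantics
    would reject them: the list an administrator wants to be empty."""
    return [c.subject for c in certs
            if check_as_reported(req, c, cipher) and not check_expected(req, c, cipher)]


# DNs and cipher taken from the report's GRANT statement (line wrap removed).
KERRY_SUBJECT = ("/C=GB/ST=EU/L=London/O=John Kerry/OU=John Kerry"
                 "/CN=CA-CORP/emailAddress=john.kerry@ca-corp.com")
CA_ISSUER = ("/C=US/ST=NY/L=New York/O=CA-CORP/OU=CACORP"
             "/CN=CA-CORP/emailAddress=info@ca-corp.com")
CIPHER = "EDH-RSA-DES-CBC3-SHA"

REQ = Requirement(subject=KERRY_SUBJECT, issuer=CA_ISSUER, cipher=CIPHER)

# Constructed certificates: the intended user, and a second certificate issued
# by the same CA to someone else (this subject DN is made up for the example).
KERRY_CERT = ClientCert(subject=KERRY_SUBJECT, issuer=CA_ISSUER)
OTHER_CERT = ClientCert(
    subject="/C=GB/ST=EU/L=London/O=Example Ltd/OU=Staff/CN=Another User/emailAddress=other@example.test",
    issuer=CA_ISSUER)

if __name__ == "__main__":
    for name, cert in (("John Kerry", KERRY_CERT), ("other cert from same CA", OTHER_CERT)):
        print(f"{name}: expected={check_expected(REQ, cert, CIPHER)} "
              f"as_reported={check_as_reported(REQ, cert, CIPHER)}")
    # With the reported behaviour the second certificate is admitted on the
    # issuer match alone; with AND semantics it is rejected.
    print("wrongly admitted:", wrongly_admitted(REQ, [KERRY_CERT, OTHER_CERT], CIPHER))
```

The model makes the risk in the report concrete: with OR semantics a REQUIRE ISSUER clause alone decides, so every certificate from that CA satisfies the grant, and the SUBJECT restriction adds nothing. On a live server the cheap check is SHOW GRANTS FOR 'John Kerry'@'%' to confirm that all three options were stored, followed by a connection attempt with a second certificate from the same CA, which should be refused.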
[1 Dec 2005 6:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/32890
[4 Jul 2007 10:20] Sveta Smirnova
Bug is not repeatable with current sources.