Hi

I have exhausted my resources in this matter and now need some guidance.
I am trying to set up a MySQL 4.1.14 (Linux 2.6.9-22.0.1.EL #1 i686
athlon i386 GNU/Linux CentOS 4) server with certificate (x509) based
login. Following the steps at the MySQL web page
(http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html) about
creating CA, server certs, and client certs I have the server, compiled
with SSL-support, up and running without any complaints in the server
log.

However, it seems that the server doesn't support user authentication
based on subject and issuer in the certificates when I use the mysql
client. What happens is that the server denies access for certificates
signed by the wrong CA or if the cipher list of the client doesn't match
the one specified in the ssl_cipher-column of the user table. 

So far so good, but if I grant a user with phony x509_subject or
x509_issuer all I get is an "issuer mismatch" or "subject mismatch" in
the mysqld server log and I am allowed access to the server. I would
like the server to deny users access if their subject or issuer strings
in their cert don't match what I have specified in the mysql user
table. 

Issuer (the one who actually signed the cert) seems to be validated by
the server CA certificate since login using a certificate signed by the
wrong CA is denied but still ...

Is this behaviour by the server correct? Is it possible to validate
users by their subject and issuer values from their certificates?

-------=======User table==========-----------
                 Host: %
                 User: ssl_test
             Password:
          Select_priv: N
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
          Reload_priv: N
        Shutdown_priv: N
         Process_priv: N
            File_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
         Show_db_priv: N
           Super_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
         Execute_priv: N
      Repl_slave_priv: N
     Repl_client_priv: N
             ssl_type: SPECIFIED
           ssl_cipher: DHE-RSA-AES256-SHA
          x509_issuer: /C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin
         x509_subject: /C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user
        max_questions: 0
          max_updates: 0
      max_connections: 0

---------=======Error log========---------------
051130 15:05:42 [Note] X509 issuer mismatch: should be
'/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin' but is
'/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user'

        - Patrik



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
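Added example, not part of Patrik's post and not MySQL's own code: while the server only writes a [Note] for an issuer or subject mismatch, the practical compensating control is to alert on those notes in the mysqld error log, and to be explicit about what the SPECIFIED check is supposed to decide. The script below scans constructed log lines modelled on the one quoted in the post (including the three-line wrapped form it appears in there), reports which RDN of the DN differed, and implements the exact-string comparison the poster expects from `ssl_type = SPECIFIED` against the `x509_issuer` / `x509_subject` values from the user table above. The sample log text, the `specified_policy_allows` function name and the timestamps other than the quoted one are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample log, modelled on the [Note] line quoted in the post.
# The first note is wrapped across three lines exactly as it appeared in the
# mail; the second is a subject mismatch on one line; the third is unrelated.
SAMPLE_LOG = """\
051130 15:05:42 [Note] X509 issuer mismatch: should be
'/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin' but is
'/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user'
051130 15:05:50 [Note] X509 subject mismatch: should be '/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user' but is '/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=somebody else'
051130 15:06:01 [Note] /usr/sbin/mysqld: ready for connections.
"""

# Values from the post's mysql.user row (ssl_type = SPECIFIED).
EXPECTED_ISSUER = "/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin"
EXPECTED_SUBJECT = "/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user"

TS_RE = re.compile(r"^\d{6} \d{2}:\d{2}:\d{2} ")
MISMATCH_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Note\] X509 (?P<field>issuer|subject) "
    r"mismatch: should be '(?P<expected>[^']*)' but is '(?P<actual>[^']*)'$"
)


@dataclass
class Mismatch:
    timestamp: str
    field: str      # "issuer" or "subject"
    expected: str   # value stored in mysql.user
    actual: str     # value presented in the client certificate


def _records(text: str) -> Iterator[str]:
    """Yield one logical record per timestamped line, re-joining continuation
    lines (a mail client or terminal may have wrapped a long note)."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None:
            buf += " " + line
    if buf is not None:
        yield buf


def scan_error_log(text: str) -> List[Mismatch]:
    """Return every X509 issuer/subject mismatch note found in the log text."""
    found = []
    for rec in _records(text):
        m = MISMATCH_RE.match(rec)
        if m:
            found.append(Mismatch(m["ts"], m["field"], m["expected"], m["actual"]))
    return found


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN ('/C=SE/ST=State/...') into ordered
    (attribute, value) pairs. Values that themselves contain '/' are not handled."""
    pairs = []
    for part in dn.split("/"):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr, value))
    return pairs


def differing_attributes(expected: str, actual: str) -> List[Tuple[str, str, str]]:
    """List (attribute, expected_value, actual_value) for each position where
    the two DNs differ, so an alert can say which RDN was wrong."""
    exp, act = parse_dn(expected), parse_dn(actual)
    diffs = []
    for i in range(max(len(exp), len(act))):
        e = exp[i] if i < len(exp) else ("", "")
        a = act[i] if i < len(act) else ("", "")
        if e != a:
            diffs.append((e[0] or a[0], e[1], a[1]))
    return diffs


def specified_policy_allows(presented_issuer: str, presented_subject: str,
                            expected_issuer: str = EXPECTED_ISSUER,
                            expected_subject: str = EXPECTED_SUBJECT) -> bool:
    """The decision the poster expects from ssl_type = SPECIFIED: both DNs must
    equal the stored strings exactly (byte-for-byte, order-sensitive). The CA
    signature and ssl_cipher checks are assumed to have passed already."""
    return presented_issuer == expected_issuer and presented_subject == expected_subject


if __name__ == "__main__":
    for mm in scan_error_log(SAMPLE_LOG):
        print(f"{mm.timestamp} {mm.field} mismatch: {differing_attributes(mm.expected, mm.actual)}")
    # The post's case: a cert whose issuer DN is the "MySQL user" DN must be refused.
    print(specified_policy_allows(EXPECTED_SUBJECT, EXPECTED_SUBJECT))  # False
```

Run it against a real error log with `scan_error_log(open("/path/to/mysqld.err").read())` (path assumed); any non-empty result means a client passed the CA and cipher checks but presented a DN other than the one granted, which is exactly the condition the poster wants turned into a denied login rather than a note.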