I cannot seem to get SSL connections working using the REQUIRE ISSUER or REQUIRE SUBJECT clauses.

I have a mysql working with ssl. I can connect from the client host to the server using ssl, where the user has been set up using:

GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 'xxxxxx' REQUIRE X509;

and the connection from the client is done by:

mysql -h xxxxxxx -u xxxxxx -p --ssl-ca=/etc/mysql/ca-cert.pem --ssl-key=/etc/mysql/client-key.pem --ssl-cert=/etc/mysql/client-cert.pem

However, the moment I try to restrict access to certs with a specific issuer or subject, I cannot connect:

GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 'xxxxxx' REQUIRE ISSUER 'C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=postmas...@erba.tv';

I have tried various permutations of specifying issuer string, i.e.
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=postmas...@erba.tv
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=postmas...@erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv

but none seem to work (after flushing privileges each time). The first of these values is what is given by the command:

openssl x509 -in /etc/mysql/client-cert.pem -noout -text

The message I get on trying to connect is:
ERROR 1045 (28000): Access denied for user 'xxxxxxxx'@'ipaddress' (using password: YES)

The basics of ssl are obviously working, but for some reason the ISSUER check is not working. How can I debug that further?

John



--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
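Added example, not part of the original post: a small Python check that rewrites a DN as openssl prints it into the slash-separated one-line form used in the MySQL manual's REQUIRE ISSUER / REQUIRE SUBJECT examples, and compares candidate strings against it. It assumes the server compares the string exactly against that form; the function names and the e-mail address ca@example.test are constructed for the illustration, and the other DN components are the ones quoted in the post.

```python
import re

# Start of one "KEY=" component: at string start, after ", " or after "/".
_KEY = re.compile(r"(?:^|,\s*|/)\s*([A-Za-z][A-Za-z0-9.]*)\s*=\s*")

def parse_dn(dn):
    """Split a DN as printed by openssl into (key, value) pairs.
    Assumption: no value itself contains ', KEY=' or '/KEY='."""
    dn = re.sub(r"^\s*(?:issuer|subject)\s*[:=]\s*", "", dn, flags=re.I).strip()
    marks = list(_KEY.finditer(dn))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dn)
        pairs.append((m.group(1), dn[m.end():end].strip()))
    return pairs

def to_oneline(dn):
    """One-line form: every component prefixed by '/', no spaces around '='."""
    return "".join(f"/{k}={v}" for k, v in parse_dn(dn))

def check(candidate, cert_dn):
    """Return (matches, expected) for a string intended for REQUIRE ISSUER/SUBJECT."""
    expected = to_oneline(cert_dn)
    return candidate == expected, expected

def require_clause(kind, cert_dn):
    """Build the REQUIRE clause text, escaping backslashes and single quotes."""
    if kind not in ("ISSUER", "SUBJECT"):
        raise ValueError("kind must be ISSUER or SUBJECT")
    value = to_oneline(cert_dn).replace("\\", "\\\\").replace("'", "\\'")
    return f"REQUIRE {kind} '{value}'"

# Constructed sample: the "Issuer:" line in the style of `openssl x509 -text`.
# Check the issuer of the certificate the client presents (--ssl-cert).
CERT_ISSUER = ("Issuer: C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, "
               "CN=erba.tv/emailAddress=ca@example.test")
# The four shapes tried in the post, with the constructed e-mail address.
TRIED = [
    "C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=ca@example.test",
    "C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=ca@example.test",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv",
]

if __name__ == "__main__":
    for cand in TRIED:
        ok, expected = check(cand, CERT_ISSUER)
        print("match" if ok else "MISMATCH", repr(cand))
    print(require_clause("ISSUER", CERT_ISSUER))
```

With this sample none of the four shapes matches; the third differs from the expected value only by the missing leading "/".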