Hi, I have exhausted my resources in this matter and now need some guidance. I am trying to set up a MySQL 4.1.14 (Linux 2.6.9-22.0.1.EL #1 i686 athlon i386 GNU/Linux CentOS 4) server with certificate (x509) based login. Following the steps on the MySQL web page (http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html) about creating the CA, server certs and client certs, I have the server, compiled with SSL support, up and running without any complaints in the server log.
However, it seems that the server doesn't support user authentication based on subject and issuer in the certificates when I use the mysql client. What happens is that the server denies access for certificates signed by the wrong CA, or if the cipher list of the client doesn't match the one specified in the ssl_cipher column of the user table. So far so good, but if I grant a user with a phony x509_subject or x509_issuer, all I get is an "issuer mismatch" or "subject mismatch" in the mysqld server log and I am allowed access to the server. I would like the server to deny users access if the subject or issuer strings in their cert don't match what I have specified in the mysql user table. The issuer (the one who actually signed the cert) seems to be validated by the server CA certificate, since login using a certificate signed by the wrong CA is denied, but still ... Is this behaviour by the server correct? Is it possible to validate users by the subject and issuer values from their certificates?
-------=======User table==========-----------
Host: %
User: ssl_test
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
ssl_type: SPECIFIED
ssl_cipher: DHE-RSA-AES256-SHA
x509_issuer: /C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin
x509_subject: /C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user
max_questions: 0
max_updates: 0
max_connections: 0
---------=======Error log========---------------
051130 15:05:42 [Note] X509 issuer mismatch: should be '/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin' but is '/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user'

- Patrik

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
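As an added example (not part of the post above and not MySQL's own source), the following Python models the documented meaning of the ssl_type column as a reference check: with SPECIFIED, every non-empty cipher, issuer and subject column must match the presented certificate exactly, and a mismatch must deny access rather than only be logged. The dataclass and function names are this example's own; the user row and certificate values are the ones quoted in the post.

```python
"""Reference check for MySQL per-user SSL requirements (mysql.user ssl_type)."""
from dataclasses import dataclass


@dataclass
class SslRequirement:
    """SSL-related columns of one mysql.user row."""
    ssl_type: str            # 'NONE', 'ANY', 'X509' or 'SPECIFIED'
    ssl_cipher: str = ""
    x509_issuer: str = ""
    x509_subject: str = ""


@dataclass
class PresentedCert:
    """What the client's TLS handshake delivered (constructed for this example)."""
    verified: bool           # client cert chains to the server's trusted CA
    cipher: str = ""
    issuer: str = ""         # one-line DN, as stored in x509_issuer
    subject: str = ""        # one-line DN, as stored in x509_subject


def check_ssl_access(req, cert):
    """Return (allowed, reason) for a login against the given user row."""
    if req.ssl_type == "NONE":
        return True, "no SSL requirement"
    if cert is None:
        return False, "TLS required but the connection is not encrypted"
    if req.ssl_type == "ANY":
        return True, "any TLS connection accepted"
    if not cert.verified:
        return False, "client certificate not signed by the trusted CA"
    if req.ssl_type == "X509":
        return True, "valid certificate accepted"
    # SPECIFIED: each non-empty column is mandatory and compared as a whole string
    for name, want, got in (("cipher", req.ssl_cipher, cert.cipher),
                            ("issuer", req.x509_issuer, cert.issuer),
                            ("subject", req.x509_subject, cert.subject)):
        if want and want != got:
            return False, f"X509 {name} mismatch: should be '{want}' but is '{got}'"
    return True, "all specified attributes match"


# Sample data taken from the user table and error log quoted in the post
DN_ADMIN = "/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL admin"
DN_USER = "/C=SE/ST=State/L=City/O=FOO/OU=BAR/CN=MySQL user"
USER_ROW = SslRequirement("SPECIFIED", "DHE-RSA-AES256-SHA", DN_ADMIN, DN_USER)
# Constructed: the cert seen in the log, with issuer 'MySQL user' instead of the admin DN
PRESENTED = PresentedCert(True, "DHE-RSA-AES256-SHA", DN_USER, DN_USER)

if __name__ == "__main__":
    print(check_ssl_access(USER_ROW, PRESENTED))
```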