List: General Discussion
From: John Fawcett
Date: March 19 2011 1:42pm
Subject: syntax for strings in REQUIRE ISSUER / REQUIRE SUBJECT
I cannot seem to get SSL connections working using the REQUIRE ISSUER or 
REQUIRE SUBJECT clauses.

I have a mysql working with ssl. I can connect from the client host to 
the server using ssl, where the user has been set up using:

GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 
'xxxxxx'   REQUIRE X509;

and the connection from client is done by

mysql -h xxxxxxx -u xxxxxx -p --ssl-ca=/etc/mysql/ca-cert.pem 
--ssl-key=/etc/mysql/client-key.pem --ssl-cert=/etc/mysql/client-cert.pem

However, the moment I try to restrict access to certs with a specific 
issuer or subject, I cannot connect:

GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 
'xxxxxx' REQUIRE ISSUER 'C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, 
CN=erba.tv/emailAddress=postmaster@stripped';

I have tried various permutations of specifying issuer string, i.e.
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=postmaster@stripped
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=postmaster@stripped
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv

but none seem to work (after flushing privileges each time). The first 
of these values is what is given by the command:

openssl x509 -in /etc/mysql/client-cert.pem -noout -text

The message I get on trying to connect is:
ERROR 1045 (28000): Access denied for user 'xxxxxxxx'@'ipaddress' (using 
password: YES)

The basics of ssl are obviously working, but for some reason the ISSUER 
check is not working. How can I debug that further?

John
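
Added example, not part of the original post: a small checker for the four issuer strings listed above. It assumes the server compares the REQUIRE ISSUER value byte for byte with OpenSSL's X509_NAME_oneline rendering of the client certificate's issuer, where every attribute, including the first, is prefixed with '/'. The function names are illustrative.

```python
import re

# Constructed sample: the issuer as the post quotes it from `openssl x509 -text`
# (the list archive redacted the e-mail domain to "stripped").
TEXT_FORM = ("C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, "
             "CN=erba.tv/emailAddress=postmaster@stripped")

# The four strings the post reports trying in REQUIRE ISSUER.
TRIED = [
    TEXT_FORM,
    "C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=postmaster@stripped",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv",
]

def parse_text_form(name):
    """Split the -text rendering into (type, value) pairs in certificate order.
    Assumes no value itself contains ', ' or a '/' followed by 'type='."""
    parts = re.split(r", |/(?=[A-Za-z]+=)", name)
    return [tuple(p.split("=", 1)) for p in parts]

def oneline(attrs):
    """Render attributes in the assumed one-line form: '/type=value' for each."""
    return "".join(f"/{t}={v}" for t, v in attrs)

def diagnose(candidate, expected):
    """Explain why a candidate would fail an exact string comparison."""
    if candidate == expected:
        return "match"
    if "/" + candidate == expected:
        return "missing leading '/'"
    i = next((k for k, (a, b) in enumerate(zip(candidate, expected)) if a != b),
             min(len(candidate), len(expected)))
    return f"differs at offset {i}: got {candidate[i:i+6]!r}, want {expected[i:i+6]!r}"

def report():
    expected = oneline(parse_text_form(TEXT_FORM))
    return expected, [diagnose(c, expected) for c in TRIED]

if __name__ == "__main__":
    expected, results = report()
    print("REQUIRE ISSUER '%s'" % expected)
    for cand, why in zip(TRIED, results):
        print(f"{why:55} <- {cand}")
```

On an OpenSSL-based setup, `openssl x509 -in /etc/mysql/client-cert.pem -noout -issuer -nameopt compat` prints the issuer in this one-line form directly, which avoids the parsing assumption noted in the code.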

