John Fawcett syntax for strings in REQUIRE ISSUER / REQUIRE SUBJECT
Mar 19, 2011; 14:42
I cannot seem to get SSL connections working using the REQUIRE ISSUER or REQUIRE SUBJECT clauses.
I have MySQL working with SSL. I can connect from the client host to the server using SSL, where the user has been set up using:
GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 'xxxxxx' REQUIRE X509;
and the connection from client is done by
mysql -h xxxxxxx -u xxxxxx -p --ssl-ca=/etc/mysql/ca-cert.pem --ssl-key=/etc/mysql/client-key.pem --ssl-cert=/etc/mysql/client-cert.pem
However, the moment I try to restrict access to certs with a specific issuer or subject, I cannot connect:
GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY 'xxxxxx' REQUIRE ISSUER 'C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=postmaster@erba.tv';
I have tried various permutations of specifying issuer string, i.e.
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv/emailAddress=postmaster@erba.tv
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=postmaster@erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv
but none seem to work (after flushing privileges each time). The first of these values is what is given by the command:
The message I get on trying to connect is:
ERROR 1045 (28000): Access denied for user 'xxxxxxxx'@'ipaddress' (using password: YES)
The basics of SSL are obviously working, but for some reason the ISSUER check is not working. How can I debug that further?
John
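
Added example, not part of the original post: the MySQL manual writes REQUIRE ISSUER / REQUIRE SUBJECT values in OpenSSL's one-line form, with a leading slash and slash-separated components, which none of the permutations above use. The sketch below normalises a DN as printed by openssl into that form and builds the clause; the function names are hypothetical, and it assumes the server compares the string exactly against that one-line rendering.

```python
import re

# Boundary between DN components: "," or "/" followed by the next "KEY=".
# A comma inside a value ("O=Example, Inc.") is not followed by KEY= and is kept.
_BOUNDARY = re.compile(r"\s*[,/]\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")
# Optional "issuer=", "subject=" or "Issuer:" label that openssl prints first.
_LABEL = re.compile(r"^\s*(?:issuer|subject)\s*[=:]\s*", re.IGNORECASE)

# Issuer string exactly as posted in the message above.
POSTED = ("C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, "
          "CN=erba.tv/emailAddress=postmaster@erba.tv")


def to_oneline(dn: str) -> str:
    """Return dn in the /KEY=value/KEY=value form (hypothetical helper)."""
    body = _LABEL.sub("", dn).strip()
    out = []
    for part in _BOUNDARY.split(body):
        if not part.strip():
            continue  # empty piece produced by a leading "/"
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not a KEY=value component: {part!r}")
        # openssl 1.1+ prints "C = IT"; the one-line form has no spaces there.
        out.append(f"/{key.strip()}={value.strip()}")
    if not out:
        raise ValueError("empty distinguished name")
    return "".join(out)


def require_clause(kind: str, dn: str) -> str:
    """Build the REQUIRE ISSUER / REQUIRE SUBJECT clause for a GRANT."""
    if kind not in ("ISSUER", "SUBJECT"):
        raise ValueError("kind must be ISSUER or SUBJECT")
    # Escape for a single-quoted MySQL string literal.
    value = to_oneline(dn).replace("\\", "\\\\").replace("'", "''")
    return f"REQUIRE {kind} '{value}'"


if __name__ == "__main__":
    print(require_clause("ISSUER", POSTED))
```

The match is an exact string comparison under that assumption, so component order and attribute names must be the ones in the certificate itself.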