[MDEV-10054] Secure login fails when CIPHER is required. Created: 2016-05-11  Updated: 2016-06-28  Resolved: 2016-06-28

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, SSL
Affects Version/s: 10.1.14
Fix Version/s: 10.1.15

Type: Bug
Priority: Major
Reporter: Georg Richter
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: patch
Environment: All

Attachments: File sql_acl.patch

Description

If a user account has been created with the REQUIRE CIPHER option, the user can't log in unless he sends his client certificate to the server (which should only be mandatory for additional X509 checks like issuer or subject).

How to repeat:

grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
flush privileges;

mysql -ussl_user1 -h127.0.0.1 --ssl-cipher=DHE-RSA-AES256-SHA -e"SHOW session status LIKE 'ssl_cipher'";
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA256 |
+---------------+-----------------------+
 
mysql -ussl_user2 -h127.0.0.1 --ssl-cipher=DHE-RSA-AES256-SHA -e"SHOW session status LIKE 'ssl_cipher'";
ERROR 1045 (28000): Access denied for user 'ssl_user2'@'localhost' (using password: NO)

Fix attached
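
The rule the description expects, as an added example that is not MariaDB's code or the attached patch: a simplified C++ model of the per-account TLS check in which a client certificate is needed only for X509, issuer or subject requirements. All type and function names are hypothetical, and `cert_always` switches between the reported behaviour and the expected one.

```cpp
#include <iostream>
#include <string>

// Simplified model of the per-account TLS requirement check.
// All names are hypothetical; this is not MariaDB's sql_acl code.
enum class SslType { NONE, ANY, X509, SPECIFIED };

struct Account {                       // what GRANT ... REQUIRE stored
    SslType type;
    std::string cipher, issuer, subject;  // empty = not required
};
struct Session {                       // what the TLS handshake produced
    bool tls;
    std::string cipher;
    bool has_cert;                     // client sent a verified certificate
    std::string issuer, subject;
};

// cert_always=true models the reported behaviour (every SPECIFIED account
// needs a client certificate); false models the behaviour the report expects.
bool tls_requirements_met(const Account& a, const Session& s, bool cert_always) {
    switch (a.type) {
    case SslType::NONE: return true;
    case SslType::ANY:  return s.tls;
    case SslType::X509: return s.tls && s.has_cert;
    case SslType::SPECIFIED:
        if (!s.tls) return false;
        if (!a.cipher.empty() && a.cipher != s.cipher) return false;
        if (!cert_always && a.issuer.empty() && a.subject.empty())
            return true;               // cipher-only account: no cert needed
        if (!s.has_cert) return false;
        if (!a.issuer.empty() && a.issuer != s.issuer) return false;
        if (!a.subject.empty() && a.subject != s.subject) return false;
        return true;
    }
    return false;
}

// Constructed sample input mirroring ssl_user2 and a client without a cert.
Account require_cipher(const std::string& c) { return {SslType::SPECIFIED, c, "", ""}; }
Session tls_no_cert(const std::string& c) { return {true, c, false, "", ""}; }

int main() {
    Account u2 = require_cipher("DHE-RSA-AES256-SHA");
    Session s = tls_no_cert("DHE-RSA-AES256-SHA");
    std::cout << "reported: " << tls_requirements_met(u2, s, true)
              << " expected: " << tls_requirements_met(u2, s, false) << "\n";
}
```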

