diff --git a/mysql-test/r/ssl.result b/mysql-test/r/ssl.result
index 57427a228eb..a20e97b8284 100644
--- a/mysql-test/r/ssl.result
+++ b/mysql-test/r/ssl.result
@@ -2172,3 +2172,8 @@ NULL
 select 'still connected?';
 still connected?
 still connected?
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+Variable_name	Value
+Ssl_cipher	EDH-RSA-DES-CBC3-SHA
+drop user mysqltest_1@localhost;
diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
index 21733f7e594..88766e7cf39 100644
--- a/mysql-test/t/ssl.test
+++ b/mysql-test/t/ssl.test
@@ -34,5 +34,10 @@ select 'still connected?';
 connection default;
 disconnect ssl_con;
 
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+--exec $MYSQL -umysqltest_1 --ssl-cipher=EDH-RSA-DES-CBC3-SHA -e "show status like 'ssl_cipher'" 2>&1
+drop user mysqltest_1@localhost;
+
 # Wait till all disconnects are completed
 --source include/wait_until_count_sessions.inc
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index d2ef9b4690d..06e38546f43 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -12199,6 +12199,9 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
         return 1;
       }
     }
+    if (!acl_user->x509_issuer && !acl_user->x509_subject)
+      return 0; // all done
+
     /* Prepare certificate (if exists) */
     if (!(cert= SSL_get_peer_certificate(ssl)))
       return 1;