MDEV-10054 Secure login fails when CIPHER is required

SSL: do not require client certificate to exist, if GRANT didn't require that
2025-08-07 00:04:31 +03:00 · 2016-06-28 15:38:41 +02:00
parent 8354c0c4d6
commit 341e5f4411
3 changed files with 13 additions and 0 deletions
--- a/mysql-test/r/ssl.result
+++ b/mysql-test/r/ssl.result
@@ -2172,3 +2172,8 @@ NULL
 select 'still connected?';
 still connected?
 still connected?
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+Variable_name	Value
+Ssl_cipher	EDH-RSA-DES-CBC3-SHA
+drop user mysqltest_1@localhost;
--- a/mysql-test/t/ssl.test
+++ b/mysql-test/t/ssl.test
@@ -34,5 +34,10 @@ select 'still connected?';
 connection default;
 disconnect ssl_con;

+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+--exec $MYSQL -umysqltest_1 --ssl-cipher=EDH-RSA-DES-CBC3-SHA -e "show status like 'ssl_cipher'" 2>&1
+drop user mysqltest_1@localhost;
+
 # Wait till all disconnects are completed
 --source include/wait_until_count_sessions.inc
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -12199,6 +12199,9 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
        return 1;
      }
    }
+    if (!acl_user->x509_issuer && !acl_user->x509_subject)
+      return 0; // all done
+
    /* Prepare certificate (if exists) */
    if (!(cert= SSL_get_peer_certificate(ssl)))
      return 1;