Unsupported Screen Size: The viewport size is too small for the theme to render properly.

Feature Request: Ssl Settings For User

forums forums SQLyog SQLyog: Bugs / Feature Requests Feature Request: Ssl Settings For User

  • This topic is empty.
Viewing 5 reply threads
  • Author
    Posts
    • #13272
      Mitch
      Participant

      Please add the ability to manage the SSL requirements for a user in the user manager window.

    • #35078
      peterlaursen
      Participant

      In MySQL SSL is specifed at connection leve and not (necessarly) at user level.

       

      http://dev.mysql.com/doc/refman/5.6/en/grant.html

       

      • REQUIRE NONE indicates that the account has no SSL or X509 requirements. This is the default if no SSL-related REQUIRE options are specified. Unencrypted connections are permitted if the user name and password are valid. However, encrypted connections can also be used, at the client’s option, if the client has the proper certificate and key files. That is, the client need not specify any SSL command options, in which case the connection will be unencrypted. To use an encrypted connection, the client must specify either the –ssl-ca option, or all three of the –ssl-ca–ssl-key, and –ssl-cert options.

      .. in other words  user created with REQUIRE SLL may still connect an unencrytped way

       

      .. and the syntax description at http://dev.mysql.com/doc/refman/5.6/en/grant.html:

       

      [REQUIRE {NONE | ssl_option [[AND] ssl_option] …}]

      and 

      ssl_option:

      SSL

      | X509

      | CIPHER ‘cipher

      | ISSUER ‘issuer

      | SUBJECT ‘subject

      .. what means that a user may have more than one SSL option.  Only when connecting you can specify which one to use for the actual connection (if any).

       

      So you are right that the user manager is not fully omplete for the GRANT syntax in this respect. But it wll not remove the need for an SSL tab in the connection manager if we add it. When connecting it is still necesssary to specif the SSL details.

       

      Do we agree?

    • #35079
      peterlaursen
      Participant

      Let me add that it is a common (and dangerous) misunderstanding that a user with GRANTS with SSL option will automatically create an encrypted connection, when connecting. He will not (quote: “the client must specify either the –ssl-ca option, or all three of the –ssl-ca–ssl-key, and –ssl-cert options”)

       

      This is a problem that is re-invented at bugs.mysql.com almost every month.  Somebody observes that a connection by a user with some SSL option -GRANTS is not encrypted and reports it as a bug. It is equally routinedly turned down as ‘not a bug’ with reference to the documentation detals, I pasted above.

    • #35080
      Mitch
      Participant

      I agree and understand that in the User Manager, the SSL settings would apply to the user, not to the connection.  Those would still be specified on the SSL tab of the connection dialog.

    • #35081
      peterlaursen
      Participant

      @Mitch .. we have a problem here. it is not possble to specify SSL-options in a CREATE USER statement. Further we cannot take it for granted that server is not running with NO_AUTO_CREATE_USER sql_mode, and for same reason we cannot replace CREATE USER with GRANT USAGE.

       

      I posted this bug report to MySQl: http://bugs.mysql.com/bug.php?id=74685, and as long as CREATE USER ..REQUIRE .. is not supported syntax, I don’t think we can support this.

    • #35082
      peterlaursen
      Participant
Viewing 5 reply threads
  • You must be logged in to reply to this topic.