forums › forums › SQLyog › SQLyog: Bugs / Feature Requests › Feature Request: Ssl Settings For User
- This topic is empty.
-
AuthorPosts
-
-
October 30, 2014 at 5:30 pm #13272
Mitch
ParticipantPlease add the ability to manage the SSL requirements for a user in the user manager window.
-
October 31, 2014 at 12:01 pm #35078
peterlaursen
ParticipantIn MySQL SSL is specifed at connection leve and not (necessarly) at user level.
http://dev.mysql.com/doc/refman/5.6/en/grant.html
-
REQUIRE NONE indicates that the account has no SSL or X509 requirements. This is the default if no SSL-related REQUIRE options are specified. Unencrypted connections are permitted if the user name and password are valid. However, encrypted connections can also be used, at the client’s option, if the client has the proper certificate and key files. That is, the client need not specify any SSL command options, in which case the connection will be unencrypted. To use an encrypted connection, the client must specify either the –ssl-ca option, or all three of the –ssl-ca, –ssl-key, and –ssl-cert options.
.. in other words user created with REQUIRE SLL may still connect an unencrytped way
.. and the syntax description at http://dev.mysql.com/doc/refman/5.6/en/grant.html:
[REQUIRE {NONE | ssl_option [[AND] ssl_option] …}]
and
ssl_option:
SSL
| X509
| CIPHER ‘cipher‘
| ISSUER ‘issuer‘
| SUBJECT ‘subject‘
.. what means that a user may have more than one SSL option. Only when connecting you can specify which one to use for the actual connection (if any).
So you are right that the user manager is not fully omplete for the GRANT syntax in this respect. But it wll not remove the need for an SSL tab in the connection manager if we add it. When connecting it is still necesssary to specif the SSL details.
Do we agree?
-
-
October 31, 2014 at 12:29 pm #35079Participant
Let me add that it is a common (and dangerous) misunderstanding that a user with GRANTS with SSL option will automatically create an encrypted connection, when connecting. He will not (quote: “the client must specify either the –ssl-ca option, or all three of the –ssl-ca, –ssl-key, and –ssl-cert options”).
This is a problem that is re-invented at bugs.mysql.com almost every month. Somebody observes that a connection by a user with some SSL option -GRANTS is not encrypted and reports it as a bug. It is equally routinedly turned down as ‘not a bug’ with reference to the documentation detals, I pasted above.
-
November 3, 2014 at 5:06 pm #35080Participant
I agree and understand that in the User Manager, the SSL settings would apply to the user, not to the connection. Those would still be specified on the SSL tab of the connection dialog.
-
November 9, 2014 at 3:37 pm #35081Participant
@Mitch .. we have a problem here. it is not possble to specify SSL-options in a CREATE USER statement. Further we cannot take it for granted that server is not running with NO_AUTO_CREATE_USER sql_mode, and for same reason we cannot replace CREATE USER with GRANT USAGE.
I posted this bug report to MySQl: http://bugs.mysql.com/bug.php?id=74685, and as long as CREATE USER ..REQUIRE .. is not supported syntax, I don’t think we can support this.
-
November 10, 2014 at 10:15 am #35082Participant
I have added the request here: https://code.google.com/p/sqlyog/issues/detail?id=2062
-
-
AuthorPosts
- You must be logged in to reply to this topic.
