Ok. I spent a fair amount of time debugging this.
Certs:
-- CA
$ openssl x509 -text -noout -in data/ca.pem | less
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolCA
Validity
Not Before: Aug 29 23:41:40 2022 GMT
Not After : Aug 26 23:41:40 2032 GMT
Subject: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolCA
-- Server
$ openssl x509 -text -noout -in data/server-cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolCA
Validity
Not Before: Aug 29 23:44:58 2022 GMT
Not After : Aug 26 23:44:58 2032 GMT
Subject: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolServer
-- Client
$ openssl x509 -text -noout -in client.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolCA
Validity
Not Before: Aug 29 23:46:41 2022 GMT
Not After : Aug 26 23:46:41 2032 GMT
Subject: C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = MyCoolClient
NOTE: All three certs have different Common Names (CN). This is required by MySQL.
Testing:
-- New user, password auth
mysql [localhost:8035] {root} ((none)) > CREATE USER certy@'%' IDENTIFIED BY '12345';
Query OK, 0 rows affected (0.01 sec)
mysql [localhost:8035] {root} ((none)) > Bye
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
-- Change user to REQUIRE SSL
-- User presents the same CA in use by MySQL. This does not do deep SSL cert checking, only disallows non-encrypted connections.
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' REQUIRE SSL;
Query OK, 0 rows affected (0.01 sec)
-- No cert/CA presented
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345
ERROR 1045 (28000): Access denied for user 'certy'@'localhost' (using password: YES)
-- Present CA
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-ca=data/ca.pem
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
-- Change user to require a valid certificate signed by server's CA, no deep SSL checks
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' REQUIRE X509;
Query OK, 0 rows affected (0.00 sec)
-- No client cert is presented, only CA; connection rejected
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-ca=data/ca.pem
ERROR 1045 (28000): Access denied for user 'certy'@'localhost' (using password: YES)
-- No CA, only client cert
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-cert=client.pem --ssl-key=client.key
ERROR 1045 (28000): Access denied for user 'certy'@'localhost' (using password: YES)
-- Provide CA and client cert
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-ca=data/ca.pem --ssl-cert=client.pem --ssl-key=client.key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 30
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
-- Change user to require specific SSL issuer
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' REQUIRE ISSUER '/C=US/ST=Anywhere/L=MyCity/O=Percona/OU=TrainingDept/CN=MyCoolCA';
Query OK, 0 rows affected (0.01 sec)
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-ca=data/ca.pem --ssl-cert=client.pem --ssl-key=client.key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
-- Remove password
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' IDENTIFIED BY '';
Query OK, 0 rows affected (0.01 sec)
-- Provide password
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty -p12345 --ssl-ca=data/ca.pem --ssl-cert=client.pem --ssl-key=client.key
ERROR 1045 (28000): Access denied for user 'certy'@'localhost' (using password: YES)
-- No password, SSL issuer verified
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty --ssl-ca=data/ca.pem --ssl-cert=client.pem --ssl-key=client.key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
-- Remove issuer verification, add subject verification
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' REQUIRE ISSUER '';
Query OK, 0 rows affected (0.01 sec)
mysql [localhost:8035] {root} ((none)) > ALTER USER 'certy'@'%' REQUIRE SUBJECT '/C=US/ST=Anywhere/L=MyCity/O=Percona/OU=TrainingDept/CN=MyCoolClient';
Query OK, 0 rows affected (0.00 sec)
~/dbdeployer/sandboxes/msb_ps8_0_34$ ./use -ucerty --ssl-ca=data/ca.pem --ssl-cert=client.pem --ssl-key=client.key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 8.0.34-26 Percona Server (GPL), Release 26, Revision 0fe62c85
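As an added example (not code from the post), a small Python helper that parses the Issuer/Subject lines from `openssl x509 -text` output, checks that both leaf certs chain to the CA subject and that the three CNs are distinct (the constraint noted above), and renders the DN in the slash form that REQUIRE ISSUER / REQUIRE SUBJECT expect. The sample DNs are constructed to match the three certificates shown above; the function names are my own.

```python
import re

# Constructed sample input: the Issuer/Subject lines printed by
# `openssl x509 -text -noout`, in the shape of the three certs above.
DN = "C = US, ST = Anywhere, L = MyCity, O = Percona, OU = TrainingDept, CN = "
CA_TEXT = f"Issuer: {DN}MyCoolCA\nSubject: {DN}MyCoolCA"
SERVER_TEXT = f"Issuer: {DN}MyCoolCA\nSubject: {DN}MyCoolServer"
CLIENT_TEXT = f"Issuer: {DN}MyCoolCA\nSubject: {DN}MyCoolClient"

def parse_dn(cert_text, field):
    """Return the Issuer or Subject DN as an ordered list of (attr, value).
    Assumes openssl's default 'C = US, ST = ...' rendering; values that
    themselves contain ', ' would need a real ASN.1 parser instead."""
    m = re.search(rf"^\s*{field}:\s*(.+)$", cert_text, re.MULTILINE)
    if not m:
        raise ValueError(f"no {field} line in certificate text")
    return [tuple(p.split(" = ", 1)) for p in m.group(1).split(", ")]

def to_mysql_dn(pairs):
    """Render a DN as '/C=US/ST=.../CN=...', the form REQUIRE ISSUER/SUBJECT take."""
    return "".join(f"/{k}={v}" for k, v in pairs)

def check_pki(ca_text, server_text, client_text):
    """Pre-flight checks before tightening a user's REQUIRE clause: both leaf
    certs must name the CA subject as issuer, and all three CNs must differ."""
    ca_subj = parse_dn(ca_text, "Subject")
    problems = []
    cns = [dict(ca_subj).get("CN")]
    for name, text in (("server", server_text), ("client", client_text)):
        if parse_dn(text, "Issuer") != ca_subj:
            problems.append(f"{name} cert not issued by the CA subject")
        cns.append(dict(parse_dn(text, "Subject")).get("CN"))
    if len(set(cns)) != len(cns):
        problems.append(f"duplicate CN among CA/server/client: {cns}")
    return problems

def require_statements(user, client_text):
    """ALTER USER statements pinning the user to this exact issuer and subject
    (issued separately, as in the post; REQUIRE ISSUER '' clears a pin)."""
    issuer = to_mysql_dn(parse_dn(client_text, "Issuer"))
    subject = to_mysql_dn(parse_dn(client_text, "Subject"))
    return [f"ALTER USER {user} REQUIRE ISSUER '{issuer}';",
            f"ALTER USER {user} REQUIRE SUBJECT '{subject}';"]

if __name__ == "__main__":
    print(check_pki(CA_TEXT, SERVER_TEXT, CLIENT_TEXT) or "PKI looks consistent")
    print("\n".join(require_statements("'certy'@'%'", CLIENT_TEXT)))
```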