syntax for strings in REQUIRE ISSUER / REQUIRE SUBJECT
on 19.03.2011 14:42:41 by John Fawcett
I cannot seem to get SSL connections working using the REQUIRE ISSUER or
REQUIRE SUBJECT clauses.
I have a mysql working with ssl. I can connect from the client host to
the server using ssl, where the user has been set up using:
GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY
'xxxxxx' REQUIRE X509;
and the connection from client is done by
mysql -h xxxxxxx -u xxxxxx -p --ssl-ca=/etc/mysql/ca-cert.pem
--ssl-key=/etc/mysql/client-key.pem --ssl-cert=/etc/mysql/client-cert.pem
However, the moment I try to restrict access to certs with a specific
issuer or subject I cannot connect:
GRANT ALL PRIVILEGES ON xxxxx.* TO 'xxxx'@'ipaddress' IDENTIFIED BY
'xxxxxx' REQUIRE ISSUER 'C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv,
CN=erba.tv/emailAddress=postmaster@erba.tv';
I have tried various permutations of specifying issuer string, i.e.
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv,
CN=erba.tv/emailAddress=postmaster@erba.tv
C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv/emailAddress=postmaster@erba.tv
C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv
but none seem to work (after flushing privileges each time). The first
of these values is what is given by the command:
openssl x509 -in /etc/mysql/client-cert.pem -noout -text
The message I get on trying to connect is:
ERROR 1045 (28000): Access denied for user 'xxxxxxxx'@'ipaddress' (using
password: YES)
The basics of ssl are obviously working, but for some reason the ISSUER
check is not working. How can I debug that further?
John
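
Added example, not part of the original post: MySQL's documented examples for REQUIRE ISSUER / REQUIRE SUBJECT write the DN in OpenSSL's one-line form, slash-separated with a leading slash, which none of the four strings above has. The sketch below converts the comma-separated rendering quoted in the post into that form and builds the clause; the function names are this example's own, and exact string comparison on the server side is an assumption.

```python
import re

# Constructed sample: the issuer as the post quotes it from
# `openssl x509 -noout -text` (comma-separated rendering).
TEXT_FORM = ("C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, "
             "CN=erba.tv/emailAddress=postmaster@erba.tv")

# The four permutations tried in the post.
TRIED = [
    TEXT_FORM,
    "C=IT, ST=Como, L=Erba, O=erba.tv, OU=erba.tv, CN=erba.tv",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv"
    "/emailAddress=postmaster@erba.tv",
    "C=IT/ST=Como/L=Erba/O=erba.tv/OU=erba.tv/CN=erba.tv",
]

def to_oneline(dn: str) -> str:
    """Convert a comma-separated DN to the slash-separated one-line form."""
    dn = dn.strip()
    if dn.startswith("/"):
        return dn  # already in one-line form
    # Only a comma that starts a new 1-2 letter attribute (C, ST, L, O, OU,
    # CN) is a separator; a comma inside a value is left alone.
    return "/" + re.sub(r",\s*(?=[A-Z]{1,2}=)", "/", dn)

def grant_clause(kind: str, dn: str) -> str:
    """Build a REQUIRE ISSUER/SUBJECT clause with the DN quoted for SQL."""
    if kind not in ("ISSUER", "SUBJECT"):
        raise ValueError("kind must be ISSUER or SUBJECT")
    quoted = to_oneline(dn).replace("\\", "\\\\").replace("'", "''")
    return f"REQUIRE {kind} '{quoted}'"

def matches(candidate: str, cert_dn_text: str) -> bool:
    """Assumption: the server compares the two strings exactly."""
    return candidate == to_oneline(cert_dn_text)

if __name__ == "__main__":
    print(grant_clause("ISSUER", TEXT_FORM))
    for s in TRIED:
        print(matches(s, TEXT_FORM), repr(s))
```

Run against the certificate that actually signed the client cert: the issuer of client-cert.pem is the CA's subject, so ISSUER and SUBJECT strings differ unless the certificate is self-signed.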