MySQL Forums

Re: Connecting with SSL
Posted by: Lars Hanke
Date: November 13, 2007 04:49PM

After two days of fiddling around I solved most of my needs - in particular I solved the situation described above.

Concerning the original question the user name and the CN are not linked in any way. If you require a certain user certificate this is forced by REQUIRE SUBJECT. Therefore, if your PKI is correct, your sample case should work.

I'd guess that since X509 is SSL related, you could run into trouble if you have a full match policy defined but the CN does not match the client's name. Try to use your certificates to set up a mutual SSL connection, e.g. using the openssl test client.

Getting the following access rule running was sometimes tedious, but after all straightforward:

GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

Note that the user certificate for test reads a DN=.../CN=test/emailAddress=test@my.system. The emailAddress tag must not appear in the REQUIREd SUBJECT.

Actually, enforcing the encryption was the most troublesome. I finally hunted it down in syslog

Nov 13 21:44:47 test mysqld[1236]: 071113 21:44:47 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'

so I changed my required cipher to the stronger one offered by the client

GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'DHE-RSA-AES256-SHA';

and I can connect:

mysql --ssl-ca cacert.pem --ssl-cert test.cert.pem --ssl-key test.pem -u carpora -h mysql.mgr -p -- test

I'm still struggling with some remaining issues:

1) I do not want to provide a password. I present a certificate and that shall be it.

2) AES256 is definitely good, but I want to also allow clients that use AES128, 3DES or anything similar. My idea was something like 'MEDIUM:HIGH'. But although this combination includes the offer from the client, it is rejected.

3) I want to restrict the user to a certain netmask, e.g. 172.16.0.0\21 instead of a hostname domain.

All hints for solving these issues are appreciated.
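Added example (not part of the thread): a small Python helper that scans syslog lines for the mysqld note quoted above and tallies required-versus-offered cipher pairs, so an admin can see what clients actually negotiate before changing a REQUIRE CIPHER clause. Apart from the line quoted in the post, the sample log lines are constructed.

```python
import re
from collections import Counter

# Matches the [Note] mysqld writes to syslog when the cipher the client negotiated
# differs from the one named in the account's REQUIRE CIPHER clause.
MISMATCH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mysqld\[(?P<pid>\d+)\]: .*"
    r"X509 ciphers mismatch: should be '(?P<required>[^']+)' but is '(?P<offered>[^']+)'"
)


def parse_cipher_mismatch(line):
    """Return ts/host/pid/required/offered for a mismatch note, or None for other lines."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize_mismatches(lines):
    """Count how often each (required, offered) cipher pair was rejected."""
    counts = Counter()
    for line in lines:
        rec = parse_cipher_mismatch(line)
        if rec is not None:
            counts[(rec["required"], rec["offered"])] += 1
    return counts


def offered_outside_allowed(lines, allowed):
    """Ciphers clients actually negotiated that are not in the admin's allowed set."""
    seen = {rec["offered"] for rec in map(parse_cipher_mismatch, lines) if rec}
    return sorted(seen - set(allowed))


# Constructed syslog extract; the first line is the one quoted in the post.
SAMPLE_LOG = [
    "Nov 13 21:44:47 test mysqld[1236]: 071113 21:44:47 [Note] X509 ciphers mismatch: "
    "should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'",
    "Nov 13 21:45:02 test mysqld[1236]: 071113 21:45:02 [Note] X509 ciphers mismatch: "
    "should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES128-SHA'",
    "Nov 13 21:45:10 test mysqld[1236]: 071113 21:45:10 [Note] X509 ciphers mismatch: "
    "should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'",
    "Nov 13 21:45:30 test mysqld[1236]: 071113 21:45:30 [Note] /usr/sbin/mysqld: ready for connections.",
]

if __name__ == "__main__":
    for (required, offered), n in summarize_mismatches(SAMPLE_LOG).items():
        print(f"{n}x required {required!r}, client offered {offered!r}")
```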





