dolthub · fulghum · Nov 10, 2025 · Nov 5, 2025 · Nov 7, 2025 · Nov 10, 2025
diff --git a/enginetest/queries/priv_auth_queries.go b/enginetest/queries/priv_auth_queries.go
@@ -22,6 +22,7 @@ import (
 
 	sqle "github.com/dolthub/go-mysql-server"
 	"github.com/dolthub/go-mysql-server/sql"
+	"github.com/dolthub/go-mysql-server/sql/encodings"
 	"github.com/dolthub/go-mysql-server/sql/mysql_db"
 	"github.com/dolthub/go-mysql-server/sql/plan"
 	"github.com/dolthub/go-mysql-server/sql/types"
@@ -772,6 +773,48 @@ var UserPrivTests = []UserPrivilegeTest{
 			},
 		},
 	},
+	{
+		Name: "User creation with SSL/TLS requirements",
+		SetUpScript: []string{
+			"CREATE USER testuser1@`127.0.0.1` REQUIRE NONE;",
+			"CREATE USER testuser2@`127.0.0.1` REQUIRE SSL;",
+			"CREATE USER testuser3@`127.0.0.1` REQUIRE X509;",
+			"CREATE USER testuser4@`127.0.0.1` IDENTIFIED WITH caching_sha2_password by 'pass1' REQUIRE X509;",
+			"CREATE USER testuser5@`127.0.0.1` REQUIRE SUBJECT 'cert_subject';",
+			"CREATE USER testuser6@`127.0.0.1` REQUIRE ISSUER 'cert_issuer';",
+			"CREATE USER testuser7@`127.0.0.1` REQUIRE CIPHER 'cipher';",
+		},
+		Assertions: []UserPrivilegeTestAssertion{
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser1';",
+				Expected: []sql.Row{{"testuser1", "", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
+			},
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject from mysql.user where user='testuser2';",
+				Expected: []sql.Row{{"testuser2", "ANY", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
+			},
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject  from mysql.user where user='testuser3';",
+				Expected: []sql.Row{{"testuser3", "X509", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
+			},
+			{
+				Query:    "select user, plugin, ssl_type, ssl_cipher, x509_issuer, x509_subject  from mysql.user where user='testuser4';",
+				Expected: []sql.Row{{"testuser4", "caching_sha2_password", "X509", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("")}},
+			},
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject  from mysql.user where user='testuser5';",
+				Expected: []sql.Row{{"testuser5", "SPECIFIED", encodings.StringToBytes(""), encodings.StringToBytes(""), encodings.StringToBytes("cert_subject")}},
+			},
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject  from mysql.user where user='testuser6';",
+				Expected: []sql.Row{{"testuser6", "SPECIFIED", encodings.StringToBytes(""), encodings.StringToBytes("cert_issuer"), encodings.StringToBytes("")}},
+			},
+			{
+				Query:    "select user, ssl_type, ssl_cipher, x509_issuer, x509_subject  from mysql.user where user='testuser7';",
+				Expected: []sql.Row{{"testuser7", "SPECIFIED", encodings.StringToBytes("cipher"), encodings.StringToBytes(""), encodings.StringToBytes("")}},
+			},
+		},
+	},
 	{
 		Name: "Dynamic privilege support",
 		SetUpScript: []string{

diff --git a/sql/mysql_db/fbs/mysql_db.fbs b/sql/mysql_db/fbs/mysql_db.fbs
@@ -54,6 +54,10 @@ table User {
     locked:bool;
     attributes:string; // represents *string
     identity:string;
+    ssl_type:string;
+    ssl_cipher:string;
+    x509_issuer:string;
+    x509_subject:string;
 }
 
 // Entries in the role_edges table

diff --git a/sql/mysql_db/mysql_db_load.go b/sql/mysql_db/mysql_db_load.go
@@ -137,6 +137,10 @@ func LoadUser(serialUser *serial.User) *User {
 		Locked:              serialUser.Locked(),
 		Attributes:          attributes,
 		Identity:            string(serialUser.Identity()),
+		SslType:             string(serialUser.SslType()),
+		SslCipher:           string(serialUser.SslCipher()),
+		X509Issuer:          string(serialUser.X509Issuer()),
+		X509Subject:         string(serialUser.X509Subject()),
 	}
 }
 

diff --git a/sql/mysql_db/mysql_db_serialize.go b/sql/mysql_db/mysql_db_serialize.go
@@ -172,6 +172,10 @@ func serializeUser(b *flatbuffers.Builder, users []*User) flatbuffers.UOffsetT {
 		authString := b.CreateString(user.AuthString)
 		attributes := serializeAttributes(b, user.Attributes)
 		identity := b.CreateString(user.Identity)
+		sslType := b.CreateString(user.SslType)
+		sslCipher := b.CreateString(user.SslCipher)
+		x509Issuer := b.CreateString(user.X509Issuer)
+		x509Subject := b.CreateString(user.X509Subject)
 
 		serial.UserStart(b)
 		serial.UserAddUser(b, userName)
@@ -183,6 +187,10 @@ func serializeUser(b *flatbuffers.Builder, users []*User) flatbuffers.UOffsetT {
 		serial.UserAddLocked(b, user.Locked)
 		serial.UserAddAttributes(b, attributes)
 		serial.UserAddIdentity(b, identity)
+		serial.UserAddSslType(b, sslType)
+		serial.UserAddSslCipher(b, sslCipher)
+		serial.UserAddX509Issuer(b, x509Issuer)
+		serial.UserAddX509Subject(b, x509Subject)
 
 		offsets[len(users)-i-1] = serial.UserEnd(b) // reverse order
 	}