MDEV-10054 Secure login fails when CIPHER is required

SSL: do not require client certificate to exist,
if GRANT didn't require that

Author: vuvova

mysql-test/r/ssl.result

@@ -2172,3 +2172,8 @@ NULL
 select 'still connected?';
 still connected?
 still connected?
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+Variable_name	Value
+Ssl_cipher	EDH-RSA-DES-CBC3-SHA
+drop user mysqltest_1@localhost;

mysql-test/t/ssl.test

@@ -34,5 +34,10 @@ select 'still connected?';
 connection default;
 disconnect ssl_con;
 
+create user mysqltest_1@localhost;
+grant usage on mysqltest.* to mysqltest_1@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+--exec $MYSQL -umysqltest_1 --ssl-cipher=EDH-RSA-DES-CBC3-SHA -e "show status like 'ssl_cipher'" 2>&1
+drop user mysqltest_1@localhost;
+
 # Wait till all disconnects are completed
 --source include/wait_until_count_sessions.inc

sql/sql_acl.cc

@@ -12199,6 +12199,9 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
         return 1;
       }
     }
+    if (!acl_user->x509_issuer && !acl_user->x509_subject)
+      return 0; // all done
+
     /* Prepare certificate (if exists) */
     if (!(cert= SSL_get_peer_certificate(ssl)))
       return 1;