CA SSL parameter for Python MySQLdb not working, but key does?_问答_开发者

CA SSL parameter for Python MySQLdb not working, but key does?

开发者 https://www.devze.com 2023-04-01 21:06 出处：网络

I\'m trying to connect to a MySQL DB that requires SSL (开发者_C百科only doing server authentication, not mutual).I have the server\'s CA saved as a .pem in the same directory I\'m running the script

I'm trying to connect to a MySQL DB that requires SSL (开发者_C百科only doing server authentication, not mutual). I have the server's CA saved as a .pem in the same directory I'm running the script from. My connection string looks like this:

ssl_settings = {'ca':'ca.pem'}
conn = MySQLdb.connect(host=HOST, user=USER, passwd=PASS, db=DB, ssl=ssl_settings}

This results in "Error 2026: SSL connection error". However, if I change ssl_settings to:

ssl_settings = {'key':'ca.pem'}

The database connects just fine and the script executes. From my understanding of the SSL parameters, 'cert' and 'key' should only be for client authentication to the server, so is there any reason the latter SSL settings seem to work and why specifying the CA file does not?

Python 2.4.3 (old, I know)

MySQL-python 1.2.1

Note: this bug has since been fixed. Per the bug:

Noted in 5.1.66, 5.5.28, 5.6.7, 5.7.0 changelogs.

The argument to the --ssl-key option was not verified to exist and be a valid key. The resulting connection used SSL, but the key was not used.

Old answer

For a much better description than I can give, see http://bugs.mysql.com/bug.php?id=62743 and http://www.chriscalender.com/?p=325.

From my (admittedly uneducated) understanding, it is a MySQL bug. As long as you specify only a key (as you're doing in the example that works), MySQL sets the SSL connection and you're granted access. The other interesting part is that you can change the key value to be anything at all, so in your example, you could do:

ssl_settings = {'key': 'randomstuff'}

and it should still connect.

you can change the key value to be anything at all

I see the same behavior too with MySQLdb version 1.3.12. To setup an SSL connection using MySQLdb, setting the ssl argument to anything still works (I'm using Python3):

$ python
Python 3.6.8 (default, Dec 26 2018, 09:19:39) 
>>> import MySQLdb
>>> MySQLdb.__version__
'1.3.12'
>>> db = MySQLdb.connect(host='10.105.136.101', user='my-user', passwd='myPassword', ssl={'ssl' : {'ca': '/junk/file'}})
>>> db
<_mysql.connection open to '10.105.136.101' at 561aaa994f98>

Setting ssl above to a non-existent certificate /junk/file still works fine without any error.