I am using sqlalchemy to connect to various DBs. When MySQL is in use, I want to force a TLS connection, meaning that if a secure connection was not obtained, we should not connect at all. So I added:

    skip_ssl

to my.cnf and restarted MySQL server.

When I try to connect to the DB via command line:

    mysql -h $host -u $user -p --ssl-ca=$ssl_ca --ssl-cert=$cert --ssl-key=$key

everything works as expected. I am not connected and the following error is shown:

    ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it

But when I specify the same values to the create_engine method, via connect_args:

    connect_args = {'ssl': {'ca': ca, 'key': client_key, 'cert': client_cert}}

It still connects just fine. How can I force the same behavior from within the sqlalchemy? So I am kicked off when SSL is disabled and I explicitly want to use SSL?

--
You received this message because you are subscribed to the Google Groups "sqlalchemy-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sqlalchemy-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sqlalchemy-devel/fcd4d49d-613b-44c9-a934-3688eb62ba7cn%40googlegroups.com.

Hi Mike,

1) I am using version 5.7, so this arg is fine.

2) It works as a server-side var as well. I tested it with the usual MySQL client, and if this option is set on the server, MySQL client throws me away, claiming that SSL is not supported. Which is exactly what I need in my application as well.

3) I am using the standard mysqldb module. mysqldb does not throw an exception when the SSL dict is specified, meaning that when I create a simple script that just tries to connect using mysqldb directly, the connection is still established. But when I pass ssl_mode='REQUIRED', then everything works as expected. So I simply patched sqlalchemy with this option and now everything within sqlalchemy works fine as well.

So my question is, should I create a PR for sqlalchemy? Because obviously always falling back to an unencrypted connection is a serious security caveat.
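Added example, not part of the thread and not SQLAlchemy's own code: one way to make an engine fail closed is to pass ssl_mode='REQUIRED' (the option the post reports as working with mysqldb) through connect_args, and additionally reject any new connection for which the server reports no TLS cipher. The function names, FakeConn and the sample values are hypothetical; the Ssl_cipher session status variable is standard MySQL.

```python
def tls_connect_args(ca, client_cert, client_key):
    """connect_args for the mysqldb driver that refuse a plaintext fallback."""
    return {
        "ssl": {"ca": ca, "cert": client_cert, "key": client_key},
        # Option reported in the thread; assumes a driver version that accepts it.
        "ssl_mode": "REQUIRED",
    }


def assert_session_encrypted(dbapi_conn):
    """Return the negotiated cipher, or raise if the session is plaintext."""
    cur = dbapi_conn.cursor()
    try:
        cur.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
        row = cur.fetchone()  # ('Ssl_cipher', '<cipher name or empty string>')
    finally:
        cur.close()
    cipher = row[1] if row else ""
    if not cipher:
        raise ConnectionError("MySQL session is not encrypted; refusing to use it")
    return cipher


def make_engine(url, ca, client_cert, client_key):
    """Engine whose every new pooled connection is checked for TLS."""
    from sqlalchemy import create_engine, event  # lazy: only needed here

    engine = create_engine(
        url, connect_args=tls_connect_args(ca, client_cert, client_key)
    )

    @event.listens_for(engine, "connect")
    def _require_tls(dbapi_conn, connection_record):
        # An exception raised here propagates to the caller of engine.connect().
        assert_session_encrypted(dbapi_conn)

    return engine


class FakeConn:
    """Constructed stand-in for a DBAPI connection, for offline checks only."""
    def __init__(self, cipher):
        self._row = ("Ssl_cipher", cipher)
    def cursor(self):
        return self
    def execute(self, sql):
        self.sql = sql
    def fetchone(self):
        return self._row
    def close(self):
        pass
```

The server-side check covers the case the thread describes, where the client library silently accepts an unencrypted session even though an SSL dict was supplied.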