5

I'm trying to connect to a MySQL DB that requires SSL (only doing server authentication, not mutual). I have the server's CA saved as a .pem in the same directory I'm running the script from. My connection string looks like this:

ssl_settings = {'ca':'ca.pem'}
conn = MySQLdb.connect(host=HOST, user=USER, passwd=PASS, db=DB, ssl=ssl_settings}

This results in "Error 2026: SSL connection error". However, if I change ssl_settings to:

ssl_settings = {'key':'ca.pem'}

The database connects just fine and the script executes. From my understanding of the SSL parameters, 'cert' and 'key' should only be for client authentication to the server, so is there any reason the latter SSL settings seem to work and why specifying the CA file does not?

Python 2.4.3 (old, I know)
MySQL-python 1.2.1

Improve this question
1
  • As a side note, oursql (packages.python.org/oursql) is supposed to have several advantages over MySQLdb. Commented Sep 2, 2011 at 19:13

2 Answers 2

Reset to default
3

Note: this bug has since been fixed. Per the bug:

Noted in 5.1.66, 5.5.28, 5.6.7, 5.7.0 changelogs.

The argument to the --ssl-key option was not verified to exist and be a valid key. The resulting connection used SSL, but the key was not used.

Old answer

For a much better description than I can give, see http://bugs.mysql.com/bug.php?id=62743 and http://www.chriscalender.com/?p=325.

From my (admittedly uneducated) understanding, it is a MySQL bug. As long as you specify only a key (as you're doing in the example that works), MySQL sets the SSL connection and you're granted access. The other interesting part is that you can change the key value to be anything at all, so in your example, you could do:

ssl_settings = {'key': 'randomstuff'}

and it should still connect.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

you can change the key value to be anything at all

I see the same behavior too with MySQLdb version 1.3.12. To setup an SSL connection using MySQLdb, setting the ssl argument to anything still works (I'm using Python3):

$ python
Python 3.6.8 (default, Dec 26 2018, 09:19:39) 
>>> import MySQLdb
>>> MySQLdb.__version__
'1.3.12'
>>> db = MySQLdb.connect(host='10.105.136.101', user='my-user', passwd='myPassword', ssl={'ssl' : {'ca': '/junk/file'}})
>>> db
<_mysql.connection open to '10.105.136.101' at 561aaa994f98>

Setting ssl above to a non-existent certificate /junk/file still works fine without any error.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.