CA SSL parameter for Python MySQLdb not working, but key does?

余生颓废 posted on 2019-12-05 01:35:22

Question


I'm trying to connect to a MySQL DB that requires SSL (only doing server authentication, not mutual). I have the server's CA saved as a .pem in the same directory I'm running the script from. My connection string looks like this:

ssl_settings = {'ca':'ca.pem'}
conn = MySQLdb.connect(host=HOST, user=USER, passwd=PASS, db=DB, ssl=ssl_settings)

This results in "Error 2026: SSL connection error". However, if I change ssl_settings to:

ssl_settings = {'key':'ca.pem'}

The database connects just fine and the script executes. From my understanding of the SSL parameters, 'cert' and 'key' should only be for client authentication to the server, so is there any reason the latter SSL settings seem to work and why specifying the CA file does not?

Python 2.4.3 (old, I know)
MySQL-python 1.2.1


Answer 1:


Note: this bug has since been fixed. Per the bug:

Noted in 5.1.66, 5.5.28, 5.6.7, 5.7.0 changelogs.

The argument to the --ssl-key option was not verified to exist and be a valid key. The resulting connection used SSL, but the key was not used.


Old answer

For a much better description than I can give, see http://bugs.mysql.com/bug.php?id=62743 and http://www.chriscalender.com/?p=325.

From my (admittedly uneducated) understanding, it is a MySQL bug. As long as you specify only a key (as you're doing in the example that works), MySQL sets the SSL connection and you're granted access. The other interesting part is that you can change the key value to be anything at all, so in your example, you could do:

ssl_settings = {'key': 'randomstuff'}

and it should still connect.




Answer 2:


you can change the key value to be anything at all

I see the same behavior too with MySQLdb version 1.3.12. To set up an SSL connection using MySQLdb, setting the ssl argument to anything still works (I'm using Python3):

$ python
Python 3.6.8 (default, Dec 26 2018, 09:19:39) 
>>> import MySQLdb
>>> MySQLdb.__version__
'1.3.12'
>>> db = MySQLdb.connect(host='10.105.136.101', user='my-user', passwd='myPassword', ssl={'ssl' : {'ca': '/junk/file'}})
>>> db
<_mysql.connection open to '10.105.136.101' at 561aaa994f98>

Setting ssl above to a non-existent certificate /junk/file still works fine without any error.
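
A pre-connection check for the behaviour both answers describe (an ssl value that is never validated), as an added example that is not part of the original posts or of MySQLdb. The helper names check_ssl_settings and session_cipher are hypothetical, and the accepted keys assume the key/cert/ca/capath/cipher options of mysql_ssl_set().

```python
import os

# Options of mysql_ssl_set(); any other key is treated here as a mistake
# (assumption: the driver reads only these five from the ssl dict).
SSL_KEYS = {"key", "cert", "ca", "capath", "cipher"}
# PEM marker each file-valued option must contain (content is not parsed).
PEM_MARKERS = {"ca": "-----BEGIN CERTIFICATE-----",
               "cert": "-----BEGIN CERTIFICATE-----",
               "key": "PRIVATE KEY-----"}


def check_ssl_settings(ssl_settings):
    """Return a list of problems found in an ssl dict before connecting."""
    problems = []
    for name, value in ssl_settings.items():
        if name not in SSL_KEYS:
            problems.append("unknown ssl key: %r" % name)
        elif not isinstance(value, str):
            problems.append("%s: expected a string path" % name)
        elif name == "capath":
            if not os.path.isdir(value):
                problems.append("capath: not a directory: %s" % value)
        elif name in PEM_MARKERS:
            if not os.path.isfile(value):
                problems.append("%s: file not found: %s" % (name, value))
            else:
                with open(value, "r", errors="replace") as fh:
                    if PEM_MARKERS[name] not in fh.read():
                        problems.append("%s: expected PEM marker missing in %s"
                                        % (name, value))
    if "ca" not in ssl_settings and "capath" not in ssl_settings:
        problems.append("no ca/capath: server certificate cannot be checked")
    return problems


def session_cipher(cursor):
    """Return the negotiated cipher, or None if the session is not encrypted.

    A non-empty cipher shows encryption only, not that the server
    certificate was verified against the CA.
    """
    cursor.execute("SHOW STATUS LIKE 'Ssl_cipher'")
    row = cursor.fetchone()
    return row[1] if row and row[1] else None
```

Call check_ssl_settings on the dict before MySQLdb.connect and refuse to connect if it returns anything; call session_cipher on a cursor from the new connection and treat None as a failed connection.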



Source: https://stackoverflow.com/questions/7287088/ca-ssl-parameter-for-python-mysqldb-not-working-but-key-does
