Bug #69418 MySQL Connector/Python - Use of SSL should not require ssl_cert and ssl_key
Submitted: 7 Jun 2013 0:07 Modified: 14 Feb 2014 3:17
Reporter: Patrick Ellul Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / Python Severity:S3 (Non-critical)
Version:1.0.10 OS:Any
Assigned to: Peeyush Gupta CPU Architecture:Any

[7 Jun 2013 0:07] Patrick Ellul
Description:
I should be able to have the following SSL configuration accepted for the connection:

{
        'user': 'a_user',
        'password': 'a_password',
        'host': 'my-rds-db.hfhfrhhfyh.us-west-1.rds.amazonaws.com',
        'database': 'a_database',
        'ssl_ca': '/Users/xyz/Downloads/mysql-ssl-ca-cert.pem',
        'ssl_verify_cert': True,
        'ssl_key': None,
        'ssl_cert': None
}

This is because in general cases, I just want to talk to my database over SSL and verify the server cert using the ca, without the server needing to verify my own identity.

This is possible with most mysql clients.

It is the most simple case for SSL use. 

For example, Amazon RDS MySQL gives the developer their server's CA cert ( http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem ) so that clients can talk to it over SSL and be sure they are talking to the right server. But in this case there is no need for the server to verify the client.

 

How to repeat:
Try to connect to a database using configuration similar to the following:

{
        'user': 'a_user',
        'password': 'a_password',
        'host': 'my-rds-db.hfhfrhhfyh.us-west-1.rds.amazonaws.com',
        'database': 'a_database',
        'ssl_ca': '/Users/xyz/Downloads/mysql-ssl-ca-cert.pem',
        'ssl_verify_cert': True,
        'ssl_key': None,
        'ssl_cert': None
}

The connector throws an exception because it requires that 'ssl_key' and  'ssl_cert' are not None

Suggested fix:
The suggested fix is the following:

In your connection.py, line 273,

change:
    elif key.startswith('ssl_') and value:
to:
    elif key.startswith('ssl_'):

I have tried this and it works perfectly with the suggested configuration.
[14 Feb 2014 3:17] Paul Dubois
Noted in 1.2.1 changelog.

It was not possible to initiate an SSL session without explicitly 
giving a key and certificate. Now it is possible to connect to a
MySQL server using only the ssl_ca connection argument pointing to a
file of CA certificates. This means the ssl_key and ssl_cert
connection arguments are optional. However, when either is given,
both must be given or an AttributeError is raised.