Bug #79825 No option to disable SSL/TLS
Submitted: 3 Jan 2016 0:12
Modified: 5 Jan 2016 12:40
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: Connector / Python
Severity: S3 (Non-critical)
Version: 2.1.3
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL, tls

[3 Jan 2016 0:12] Daniël van Eeden
Description:
With the mysql client it is possible to disable SSL with: '--ssl=OFF', but there is no similar option for Connector/Python.

With MySQL 5.7.10 the server tries to enable SSL by default (and with mysql_ssl_rsa_setup) and libmysqlclient.so.20 enables SSL by default if available. (http://mysqlserverteam.com/secure-by-default-in-mysql-5-7/)

It is nice that SSL/TLS is enabled by default, but there is no good way of disabling it. I want to disable it to test the performance difference between TLS and non-TLS connections.

Note that this is limited to the C Extension. With pure Python, TLS is not enabled by default (I have to use ssl_ca on the client side to enable it).

How to repeat:
Set up MySQL 5.7.10+ with TLS enabled (the default).
Connect with MySQL Connector/Python (with C Extension enabled, use_pure=False).

This should result in a TLS connection. (use status variables like ssl_cipher and ssl_version to confirm)
Now try to disable TLS.

Suggested fix:
Add a use_ssl option which can be set to 'False' to disable SSL/TLS and to 'True' to enable it. (default should be to use SSL if available, 'None')

[5 Jan 2016 12:40] Chiranjeevi Battula
Hello Daniël,

Thank you for the bug report.
Verified based on internal discussion with devs.

Thanks,
Chiranjeevi.

[27 Mar 2019 14:59] Jose Israel Gomez Delgado
Posted by developer:
 
This request has already been fixed in BUG#21947091: Add ssl_disabled option

When the `ssl_disabled` connection option is set to `True`, it disables the use of SSL/TLS, which is used by default (`ssl_disabled=False`) on the pure Python and c-ext implementations.

[27 Mar 2019 17:15] Jose Israel Gomez Delgado
Posted by developer:
 
The `ssl_disabled` connection option is missing from the documentation page; this will be fixed in a separate bug:
Bug#29546797: MISSING SSL_DISABLED CONNECTION OPTION IN DOCUMENTATION PAGE
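
The check from "How to repeat" combined with the `ssl_disabled` option, as an added example that is not part of the bug thread and not Connector/Python's own code: it reads the session's `Ssl_cipher` and `Ssl_version` status variables and fails when the connection's TLS state is not the one expected. It assumes a Connector/Python release that has `ssl_disabled`; the function names `tls_state` and `check` and the host, user and password are placeholders chosen for this example.

```python
"""Report whether a Connector/Python session is TLS-protected (added example)."""


def tls_state(cursor):
    """Read the session's Ssl_cipher / Ssl_version status variables.

    `cursor` is any DB-API cursor; an empty Ssl_cipher means plaintext.
    """
    cursor.execute(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    )
    status = {name.lower(): value for name, value in cursor.fetchall()}
    cipher = status.get("ssl_cipher") or ""
    return {
        "encrypted": bool(cipher),
        "cipher": cipher,
        "version": status.get("ssl_version") or "",
    }


def check(expect_encrypted, **connect_args):
    """Connect, read the TLS state, and fail loudly on a mismatch."""
    import mysql.connector  # imported here so tls_state() is usable without it

    conn = mysql.connector.connect(**connect_args)
    try:
        cur = conn.cursor()
        state = tls_state(cur)
        cur.close()
    finally:
        conn.close()
    if state["encrypted"] != expect_encrypted:
        raise RuntimeError(f"unexpected TLS state: {state}")
    return state


if __name__ == "__main__":
    # Placeholder connection settings (assumed); adjust for the test server.
    base = dict(host="127.0.0.1", user="bench", password="change-me")
    for use_pure in (False, True):  # C extension first, then pure Python
        print(use_pure, check(True, use_pure=use_pure, **base))
        print(use_pure, check(False, use_pure=use_pure, ssl_disabled=True, **base))
```

Outside a benchmark, the same `check(True, ...)` call can run at application start-up so that a connection that silently falls back to plaintext is rejected.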