windows: use DEFAULT_SSL_VERIFY_SERVER_CERT=0 option (#731)

2025-08-14 18:12:35 +08:00 · 2024-11-12 19:06:52 +09:00
parent 6eb6c2f879
commit 89511eef44
2 changed files with 45 additions and 24 deletions
--- a/.github/workflows/windows.yaml
+++ b/.github/workflows/windows.yaml
@ -17,7 +17,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: c:/mariadb-connector
-          key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win
+          key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-2

      - name: Download and Unzip Connector
        if: steps.cache-connector.outputs.cache-hit != 'true'
@ -27,15 +27,32 @@ jobs:
          unzip "mariadb-connector-c-${CONNECTOR_VERSION}-src.zip" -d c:/
          mv "c:/mariadb-connector-c-${CONNECTOR_VERSION}-src" c:/mariadb-connector-src

-      - name: Build Connector
+      - name: make build directory
        if: steps.cache-connector.outputs.cache-hit != 'true'
        shell: cmd
        working-directory: c:/mariadb-connector-src
        run: |
          mkdir build
-          cd build
-          cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static
+
+      - name: cmake
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
+          cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static -DDEFAULT_SSL_VERIFY_SERVER_CERT=0
+
+      - name: cmake build
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
          cmake --build . -j 8 --config Release
+
+      - name: cmake install
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
          cmake -DCMAKE_INSTALL_PREFIX=c:/mariadb-connector -DCMAKE_INSTALL_COMPONENT=Development -DCMAKE_BUILD_TYPE=Release -P cmake_install.cmake

      - name: Checkout mysqlclient
--- a/src/MySQLdb/_mysql.c
+++ b/src/MySQLdb/_mysql.c
@ -543,23 +543,30 @@ _mysql_ConnectionObject_Initialize(
        mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher);
    }

-    if (ssl_mode_set) {
 #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE
+    if (ssl_mode_set) {
        mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num);
-#else
-        // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
-        // See https://github.com/PyMySQL/mysqlclient/issues/474
-        // TODO: Does MariaDB supports PREFERRED and VERIFY_CA?
-        // We support only two levels for now.
-        my_bool enforce_tls = 1;
-        if (ssl_mode_num >= SSLMODE_REQUIRED) {
-            mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls);
-        }
-        if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
-            mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
-        }
-#endif
    }
+#else
+    // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
+    // See https://github.com/PyMySQL/mysqlclient/issues/474
+    // And MariDB 11.4 changed the default value of MYSQL_OPT_SSL_ENFORCE and
+    // MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
+    // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
+    // We emulate the ssl_mode and old behavior.
+    my_bool my_true = 1;
+    my_bool my_false = 0;
+    if (ssl_mode_num >= SSLMODE_REQUIRED) {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true);
+    } else {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false);
+    }
+    if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true);
+    } else {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);
+    }
+#endif

    if (charset) {
        mysql_options(&(self->connection), MYSQL_SET_CHARSET_NAME, charset);
@ -573,12 +580,9 @@ _mysql_ConnectionObject_Initialize(
                  port, unix_socket, client_flag);
    Py_END_ALLOW_THREADS

-    if (ssl) {
-        int i;
-        for (i=0; i<n_ssl_keepref; i++) {
-            Py_DECREF(ssl_keepref[i]);
-            ssl_keepref[i] = NULL;
-        }
+    for (int i=0; i<n_ssl_keepref; i++) {
+        Py_DECREF(ssl_keepref[i]);
+        ssl_keepref[i] = NULL;
    }

    if (!conn) {