Reorganize TLS options: implement PREFERRED/REQUIRED SSL mode behavior #1234

Merged: methane merged 11 commits into main from copilot/add-ssl-mode-required-option on May 8, 2026

Contributor

Copilot AI commented May 7, 2026

PyMySQL had no way to emulate MySQL's ssl_mode=REQUIRED, and ssl_disabled was effectively a no-op. This reorganizes TLS behavior around a clear priority order without adding new options.

Behavior

Evaluated in order:

  1. ssl_disabled=True → prohibit SSL
  2. Any explicit SSL option set (ssl, ssl_ca, ssl_cert, ssl_key, ssl_key_password, ssl_verify_cert, ssl_verify_identity) → REQUIRED: raises OperationalError(CR_SSL_CONNECTION_ERROR) if the server doesn't advertise CLIENT.SSL
  3. No SSL options → PREFERRED: attempt SSL if the server supports it, fall back to plain connection otherwise

```python
# Now raises OperationalError if server doesn't support SSL
conn = pymysql.connect(host=..., ssl_ca="/path/to/ca.pem")

# Silently falls back to plaintext if server has no SSL — no config needed
conn = pymysql.connect(host=...)

# Explicitly opt out
conn = pymysql.connect(host=..., ssl_disabled=True)
```

Changes

  • connections.py

    • Added self._ssl_required to distinguish REQUIRED vs PREFERRED at connect time
    • PREFERRED mode: creates a default no-verify SSLContext via _create_ssl_ctx({}) when no SSL options are given and the ssl module is available
    • _request_authentication: refactored into a client_flags/_do_ssl pattern — CLIENT.SSL is added to the handshake flags only when the SSL upgrade actually happens (needed for PREFERRED, already set for REQUIRED); raises on REQUIRED + no server SSL; falls back silently for PREFERRED
  • tests/test_connection.py: new tests covering PREFERRED setup, REQUIRED error path (with CA context assertion), and PREFERRED fallback

  • CHANGELOG.md: documents the behavior change
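
The priority order described in the comment above, modelled as a stand-alone function so a configuration review can see which mode a set of `connect()` arguments lands in and what happens against a server with or without SSL. This is an added example, not PyMySQL's code: `ssl_mode`, `evaluate`, `Outcome` and `TLSRequiredError` are hypothetical names, and treating a truthy value as "set" is an assumption.

```python
from dataclasses import dataclass

# The explicit SSL options listed in the PR description.
SSL_OPTIONS = ("ssl", "ssl_ca", "ssl_cert", "ssl_key", "ssl_key_password",
               "ssl_verify_cert", "ssl_verify_identity")


class TLSRequiredError(Exception):
    """Stand-in for OperationalError(CR_SSL_CONNECTION_ERROR) in this model."""


@dataclass(frozen=True)
class Outcome:
    mode: str          # "DISABLED", "REQUIRED" or "PREFERRED"
    encrypted: bool    # whether the session ends up on TLS
    warnings: tuple    # findings a reviewer should act on


def ssl_mode(kwargs):
    """Apply the PR's priority order to a dict of connect() keyword arguments.

    Assumption: an option counts as "set" when its value is truthy.
    """
    if kwargs.get("ssl_disabled"):
        return "DISABLED"
    if any(kwargs.get(name) for name in SSL_OPTIONS):
        return "REQUIRED"
    return "PREFERRED"


def evaluate(kwargs, server_advertises_ssl):
    """Model the connect-time outcome for one config against one server."""
    mode = ssl_mode(kwargs)
    warnings = []
    if mode == "DISABLED":
        ignored = [n for n in SSL_OPTIONS if kwargs.get(n)]
        if ignored:
            warnings.append("ssl_disabled overrides: " + ", ".join(ignored))
        return Outcome(mode, False, tuple(warnings))
    if mode == "REQUIRED":
        if not server_advertises_ssl:
            raise TLSRequiredError("server does not advertise CLIENT.SSL")
        return Outcome(mode, True, ())
    # PREFERRED: opportunistic, with the no-verify context the PR describes.
    if server_advertises_ssl:
        warnings.append("TLS without certificate verification")
    else:
        warnings.append("silent fallback to plaintext")
    return Outcome(mode, server_advertises_ssl, tuple(warnings))
```

Running a deployment's connection arguments through `evaluate` with `server_advertises_ssl=False` shows whether the client would fail closed (REQUIRED) or continue in plaintext (PREFERRED or DISABLED).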

Copilot AI linked an issue May 7, 2026 that may be closed by this pull request
Comment thread pymysql/connections.py Fixed
Copilot AI changed the title [WIP] Add option to emulate ssl_mode=REQUIRED in MySQL Reorganize TLS options: implement PREFERRED/REQUIRED SSL mode behavior May 7, 2026
Copilot AI requested a review from methane May 7, 2026 10:08
Copilot finished work on behalf of methane May 7, 2026 10:08
Comment thread pymysql/connections.py Outdated
Copilot AI requested a review from methane May 8, 2026 05:43
Copilot finished work on behalf of methane May 8, 2026 05:43
Comment thread CHANGELOG.md
@methane methane marked this pull request as ready for review May 8, 2026 06:33
Copilot finished work on behalf of methane May 8, 2026 06:35
Copilot AI requested a review from methane May 8, 2026 06:35
methane added 2 commits May 8, 2026 18:42
Updated changelog to reflect breaking changes in v1.2.0.
@methane methane merged commit 8e3a79d into main May 8, 2026
23 of 25 checks passed
@methane methane deleted the copilot/add-ssl-mode-required-option branch May 8, 2026 10:14
methane pushed a commit that referenced this pull request May 15, 2026
- update `CHANGELOG.md` for `v1.2.0` release preparation
- add `Release date: TBD`
- add changelog entries for user-visible changes since `v1.1.3` (#1234,
#1235, #1236, #1237)
Development

Successfully merging this pull request may close these issues.

Option to emulate ssl_mode=REQUIRED in mysql

3 participants