mysql-connector-python/lib/mysql/connector/aio/network.py [660:713]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - try: if tls_versions: tls_versions.sort(reverse=True) tls_version = tls_versions[0] ssl_protocol = TLS_VERSIONS[tls_version] context = ssl.SSLContext(ssl_protocol) if tls_version == "TLSv1.3": if "TLSv1.2" not in tls_versions: context.options |= ssl.OP_NO_TLSv1_2 if "TLSv1.1" not in tls_versions: context.options |= ssl.OP_NO_TLSv1_1 if "TLSv1" not in tls_versions: context.options |= ssl.OP_NO_TLSv1 else: context = ssl.create_default_context() context.check_hostname = ssl_verify_identity if ssl_verify_cert: context.verify_mode = ssl.CERT_REQUIRED elif ssl_verify_identity: context.verify_mode = ssl.CERT_OPTIONAL else: context.verify_mode = ssl.CERT_NONE context.load_default_certs() if ssl_ca: try: context.load_verify_locations(ssl_ca) except (IOError, ssl.SSLError) as err: raise InterfaceError(f"Invalid CA Certificate: {err}") from err if ssl_cert: try: context.load_cert_chain(ssl_cert, ssl_key) except (IOError, ssl.SSLError) as err: raise InterfaceError(f"Invalid Certificate/Key: {err}") from err # TLSv1.3 ciphers cannot be disabled with `SSLContext.set_ciphers(...)`, # see https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers. if tls_cipher_suites and tls_version == "TLSv1.2": context.set_ciphers(":".join(tls_cipher_suites)) return context except NameError as err: raise NotSupportedError("Python installation has no SSL support") from err except ( IOError, NotImplementedError, ssl.CertificateError, ssl.SSLError, ) as err: raise InterfaceError(str(err)) from err - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - mysql-connector-python/lib/mysql/connector/network.py [570:624]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - try: if tls_versions: tls_versions.sort(reverse=True) tls_version = tls_versions[0] ssl_protocol = TLS_VERSIONS[tls_version] context = ssl.SSLContext(ssl_protocol) if tls_version == "TLSv1.3": if "TLSv1.2" not in tls_versions: context.options |= ssl.OP_NO_TLSv1_2 if "TLSv1.1" not in tls_versions: context.options |= ssl.OP_NO_TLSv1_1 if "TLSv1" not in tls_versions: context.options |= ssl.OP_NO_TLSv1 else: # `check_hostname` is True by default context = ssl.create_default_context() context.check_hostname = ssl_verify_identity if ssl_verify_cert: context.verify_mode = ssl.CERT_REQUIRED elif ssl_verify_identity: context.verify_mode = ssl.CERT_OPTIONAL else: context.verify_mode = ssl.CERT_NONE context.load_default_certs() if ssl_ca: try: context.load_verify_locations(ssl_ca) except (IOError, ssl.SSLError) as err: raise InterfaceError(f"Invalid CA Certificate: {err}") from err if ssl_cert: try: context.load_cert_chain(ssl_cert, ssl_key) except (IOError, ssl.SSLError) as err: raise InterfaceError(f"Invalid Certificate/Key: {err}") from err # TLSv1.3 ciphers cannot be disabled with `SSLContext.set_ciphers(...)`, # see https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers. if tls_cipher_suites and tls_version == "TLSv1.2": context.set_ciphers(":".join(tls_cipher_suites)) return context except NameError as err: raise NotSupportedError("Python installation has no SSL support") from err except ( IOError, NotImplementedError, ssl.CertificateError, ssl.SSLError, ) as err: raise InterfaceError(str(err)) from err - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -