在撰写本文时,使用mysql连接器python 2.1.4来自Oracle的纯python模块(您使用的是2.1.3版本的fork)支持连接字符串中未记录的连接配置kwargssl_cipher(因为它基本上会将其传递给python的ssl模块)。因此,从密码列表中去掉所有Diffie-Hellman密码,就可以解决这个问题了,这取决于mysql服务器是否支持非Diffie-Hellman密码。以下是针对MySQL 5.6.17-65.0-rel65.0-log的官方python2.7.12amd64 win32。注意:这只在处理模块的纯python版本时才起作用!。如果使用编译后的C扩展模块,它可能不接受ssl_cipher,YMMV。在import mysql.connector
import getpass
dsn = {
'database': 'INFORMATION_SCHEMA',
'host': 'mysqlserver',
'port': '3306',
'ssl_ca': '',
# ^^^ this sets cert_reqs = ssl.CERT_NONE
# in mysql/connector/network.py:415
# so no server cert verification is attempted
'use_pure': True
# setting ssl_cipher may only work with the pure python driver
# but this is the default anyway
}
dsn['user'] = raw_input('Enter Username: ')
dsn['password'] = getpass.getpass('Enter password: ')
try:
dbconn = mysql.connector.connect(**dsn)
# this will raise the 'Weak DH key' exception
except mysql.connector.errors.InterfaceError as e:
print e
dsn['ssl_cipher'] = 'HIGH:!DH:!aNULL'
# this is a standard openssl ciphersuite string
# where !DH and !aNULL means don't use any DH ciphers or null ciphers
# this option is officially undocumented
try:
dbconn = mysql.connector.connect(**dsn)
except mysql.connector.errors.InterfaceError:
raise
else:
assert isinstance(dbconn, mysql.connector.connection.MySQLConnection)
香肠是怎么做的
在mysql connector python 2.1.4中,模块源代码中的以下行显示了这一点的工作原理:
mysql/connector/abstracts.py: Lines 298 - 313:
^{pr2}$
然后在mysql/connector/connection.py lines 130-134:if client_flags & ClientFlag.SSL and ssl_options:
packet = self._protocol.make_auth_ssl(charset=charset,
client_flags=client_flags)
self._socket.send(packet)
self._socket.switch_to_ssl(**ssl_options)
_socket.switch_to_ssl()位于mysql/connector/network.py lines 406-421:def switch_to_ssl(self, ca, cert, key, verify_cert=False, cipher=None):
"""Switch the socket to use SSL"""
if not self.sock:
raise errors.InterfaceError(errno=2048)
try:
if verify_cert:
cert_reqs = ssl.CERT_REQUIRED
else:
cert_reqs = ssl.CERT_NONE
self.sock = ssl.wrap_socket(
self.sock, keyfile=key, certfile=cert, ca_certs=ca,
cert_reqs=cert_reqs, do_handshake_on_connect=False,
ssl_version=ssl.PROTOCOL_TLSv1, ciphers=cipher)
self.sock.do_handshake()