I'm currently trying to use SSL to connect to a 10.1.26-MariaDB-1 server, but it's throwing this error after I pass the ssl parameters.

I've tried looking in the PyMySQL docs, but they don't give any insight.

This is my code:

```python
import pymysql

conn = pymysql.connect(
    host=creds["DB_OP_HOST"],
    port=creds["DB_OP_PORT"],
    user=creds["DB_OP_USER"],
    password=creds["DB_OP_PASSWORD"],
    db=creds["DB_OP_DATABASE"],
    charset=creds["DB_OP_CHARSET"],
    cursorclass=pymysql.cursors.DictCursor,
    ssl={
        'key': creds['DB_OP_KEY'],
        'cert': creds['DB_OP_CERT'],
        'ca': creds['DB_OP_CA'],
    }
)
```

This throws: "[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3824)"

There are some posts that show the ssl key like this:

```python
...
ssl = {
    'ssl': {
        'key': creds['DB_OP_KEY'],
        'cert': creds['DB_OP_CERT'],
        'ca': creds['DB_OP_CA'],
    }
}
```

But this throws: (2003, "Can't connect to MySQL server on '10.0.16.18' ([SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056))")

Python v: 3.7.4

PyMySQL==0.9.3

  • This means that the **CA** certificate is too weak, not your certificate. You would probably be able to work around the problem by just using another certificate from another CA. This happens with new versions of OpenSSL, starting with 1.1. If you generate your certificates yourself, including the CA, you need to make sure they all are done with default_md=sha256 and NOT default_md=md5 in your openssl configuration. – Patrick Mevzek Sep 20 '19 at 18:36
  • See https://stackoverflow.com/questions/52218876/how-to-fix-ssl-issue-ssl-ctx-use-certificate-ca-md-too-weak-on-python-zeep – Patrick Mevzek Sep 20 '19 at 18:38
  • BTW your two code snippets for 'ssl' are exactly the same.... – Patrick Mevzek Sep 20 '19 at 18:39
  • I've recently checked that all my certs were signed with sha256 and I'm still getting the error. – Alejandro Olaria Sep 23 '19 at 12:40
  • Like I said it is the CA certificate on which the error is reported, not leaf ones. And since you are not showing the certificates no one can help you really in more detail. – Patrick Mevzek Sep 23 '19 at 14:50
