fix: Add warning on SSL fallback and improve TLS tests

dimitri-yatsenko · claude · dimitri-yatsenko · commit c416807c3a25 · 2026-01-19T11:35:53.000-06:00
Changes:
- Log warning when SSL connection fails and falls back to non-SSL
- Explicitly pass use_tls=False in fallback (clearer intent)
- Split test_secure_connection into:
  - test_explicit_ssl_connection: verifies use_tls=True requires SSL
  - test_ssl_auto_detect: verifies auto-detect behavior with fallback

The new tests are more robust:
- test_explicit_ssl_connection fails if SSL isn't working
- test_ssl_auto_detect passes whether SSL works or falls back,
  but verifies warning is logged on fallback

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/datajoint/connection.py b/src/datajoint/connection.py
@@ -223,17 +223,22 @@ def connect(self) -> None:
                     charset=config["connection.charset"],
                     use_tls=self.conn_info.get("ssl"),
                 )
-            except Exception:
+            except Exception as ssl_error:
                 # If SSL fails, retry without SSL (if it was auto-detected)
                 if self.conn_info.get("ssl_input") is None:
+                    logger.warning(
+                        "SSL connection failed (%s). Falling back to non-SSL connection. "
+                        "To require SSL, set use_tls=True explicitly.",
+                        ssl_error,
+                    )
                     self._conn = self.adapter.connect(
                         host=self.conn_info["host"],
                         port=self.conn_info["port"],
                         user=self.conn_info["user"],
                         password=self.conn_info["passwd"],
                         init_command=self.init_fun,
                         charset=config["connection.charset"],
-                        use_tls=None,
+                        use_tls=False,  # Explicitly disable SSL for fallback
                     )
                 else:
                     raise
diff --git a/tests/integration/test_tls.py b/tests/integration/test_tls.py
@@ -1,21 +1,40 @@
+import logging
+
 import pytest
 from pymysql.err import OperationalError
 
 import datajoint as dj
 
 
-@pytest.mark.xfail(reason="SSL auto-detection needs investigation - may be MySQL container config issue")
-def test_secure_connection(db_creds_test, connection_test):
-    result = dj.conn(reset=True, **db_creds_test).query("SHOW STATUS LIKE 'Ssl_cipher';").fetchone()[1]
-    assert len(result) > 0
+def test_explicit_ssl_connection(db_creds_test, connection_test):
+    """When use_tls=True is specified, SSL must be active."""
+    result = dj.conn(use_tls=True, reset=True, **db_creds_test).query("SHOW STATUS LIKE 'Ssl_cipher';").fetchone()[1]
+    assert len(result) > 0, "SSL should be active when use_tls=True"
+
+
+def test_ssl_auto_detect(db_creds_test, connection_test, caplog):
+    """When use_tls is not specified, SSL is preferred but fallback is allowed with warning."""
+    with caplog.at_level(logging.WARNING):
+        conn = dj.conn(reset=True, **db_creds_test)
+        result = conn.query("SHOW STATUS LIKE 'Ssl_cipher';").fetchone()[1]
+
+    if len(result) > 0:
+        # SSL connected successfully
+        assert "SSL connection failed" not in caplog.text
+    else:
+        # SSL failed and fell back - warning should be logged
+        assert "SSL connection failed" in caplog.text
+        assert "Falling back to non-SSL" in caplog.text
 
 
 def test_insecure_connection(db_creds_test, connection_test):
+    """When use_tls=False, SSL should not be used."""
     result = dj.conn(use_tls=False, reset=True, **db_creds_test).query("SHOW STATUS LIKE 'Ssl_cipher';").fetchone()[1]
     assert result == ""
 
 
 def test_reject_insecure(db_creds_test, connection_test):
+    """Users with REQUIRE SSL cannot connect without SSL."""
     with pytest.raises(OperationalError):
         dj.conn(
             db_creds_test["host"],
