From 41b701d96f038b1f9fe4dd09d83c06faee811bf6 Mon Sep 17 00:00:00 2001
From: Scott Nemes
Date: Tue, 23 Dec 2025 21:55:24 -0800
Subject: [PATCH 1/2] [feat] Update SSL option to connect securely by default
---
 changelog.md | 6 +++++-
 mycli/main.py | 2 +-
 test/features/db_utils.py | 31 ++++++++++++++++++++++++++++---
 3 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/changelog.md b/changelog.md
index f2132346..7fd9fa36 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,10 @@
-1.42.0 (2025/12/20)
+Upcoming (TBD)
 ==============
+Features
+--------
+* Update the default SSL value to connect securely by default.
+
 Bug Fixes
 --------
 * Update the prompt display logic to handle an edge case where a socket is used without
diff --git a/mycli/main.py b/mycli/main.py
index 6f9965b5..3e948b78 100755
--- a/mycli/main.py
+++ b/mycli/main.py
@@ -1343,7 +1343,7 @@ def get_last_query(self) -> str | None:
 @click.option("--ssh-key-filename", help="Private key filename (identify file) for the ssh connection.")
 @click.option("--ssh-config-path", help="Path to ssh configuration.", default=os.path.expanduser("~") + "/.ssh/config")
 @click.option("--ssh-config-host", help="Host to connect to ssh server reading from ssh configuration.")
-@click.option("--ssl", "ssl_enable", is_flag=True, help="Enable SSL for connection (automatically enabled with other flags).")
+@click.option("--ssl", "ssl_enable", is_flag=True, default=True, help="Enable SSL for connection (automatically enabled with other flags).")
 @click.option("--ssl-ca", help="CA file in PEM format.", type=click.Path(exists=True))
 @click.option("--ssl-capath", help="CA directory.")
 @click.option("--ssl-cert", help="X509 cert in PEM format.", type=click.Path(exists=True))
diff --git a/test/features/db_utils.py b/test/features/db_utils.py
index 5c81b661..4a2813a4 100644
--- a/test/features/db_utils.py
+++ b/test/features/db_utils.py
@@ -1,5 +1,7 @@
 # type: ignore
+import ssl
+
 import pymysql
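Review bot: `default=True` on the `--ssl` option in mycli/main.py turns encryption on, but nothing in this hunk requests server-certificate or hostname verification, so "connect securely by default" may mean an encrypted channel to a server whose identity is never checked. The code that turns `ssl_enable` into connection settings is outside the hunk, so it should be confirmed there whether verification is requested by default and whether a server without TLS produces a hard failure rather than a quiet cleartext connection. Whatever the answer, it belongs next to the option, for example a comment above the decorator such as `# NOTE: --ssl only enables encryption; certificate/hostname checks are configured separately (confirm)`, and the changelog line should say the same so users do not read the new default as protection against an on-path attacker.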
@@ -14,8 +16,11 @@ def create_db(hostname="localhost", port=3306, username=None, password=None, dbn
 :return:
 """
+ ctx = ssl.create_default_context()
+ ctx.check_hostname = False
+ ctx.verify_mode = ssl.VerifyMode.CERT_NONE
 cn = pymysql.connect(
- host=hostname, port=port, user=username, password=password, charset="utf8mb4", cursorclass=pymysql.cursors.DictCursor
+ host=hostname, port=port, user=username, password=password, charset="utf8mb4", cursorclass=pymysql.cursors.DictCursor, ssl=ctx
 )
 with cn.cursor() as cr:
@@ -39,8 +44,18 @@ def create_cn(hostname, port, password, username, dbname):
 :return: psycopg2.connection
 """
+ ctx = ssl.create_default_context()
+ ctx.check_hostname = False
+ ctx.verify_mode = ssl.VerifyMode.CERT_NONE
 cn = pymysql.connect(
- host=hostname, port=port, user=username, password=password, db=dbname, charset="utf8mb4", cursorclass=pymysql.cursors.DictCursor
+ host=hostname,
+ port=port,
+ user=username,
+ password=password,
+ db=dbname,
+ charset="utf8mb4",
+ cursorclass=pymysql.cursors.DictCursor,
+ ssl=ctx,
 )
 return cn
@@ -56,8 +71,18 @@ def drop_db(hostname="localhost", port=3306, username=None, password=None, dbnam
 :param dbname: string
 """
+ ctx = ssl.create_default_context()
+ ctx.check_hostname = False
+ ctx.verify_mode = ssl.VerifyMode.CERT_NONE
 cn = pymysql.connect(
- host=hostname, port=port, user=username, password=password, db=dbname, charset="utf8mb4", cursorclass=pymysql.cursors.DictCursor
+ host=hostname,
+ port=port,
+ user=username,
+ password=password,
+ db=dbname,
+ charset="utf8mb4",
+ cursorclass=pymysql.cursors.DictCursor,
+ ssl=ctx,
 )
 with cn.cursor() as cr:
From ba33233bcf887aa344c594fcc1082e71cda22031 Mon Sep 17 00:00:00 2001
From: Scott Nemes
Date: Tue, 23 Dec 2025 22:38:31 -0800
Subject: [PATCH 2/2] Added the --no-ssl option. Updated the changelog. Added to the .gitignore to be less annoying.
---
 .gitignore | 3 +++
 changelog.md | 2 +-
 mycli/main.py | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)
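Review bot: The block that builds a context with `check_hostname = False` and `verify_mode = ssl.VerifyMode.CERT_NONE` is pasted into `create_db`, `create_cn` and `drop_db` (all three hunks of test/features/db_utils.py on this line), and none of the copies says that certificate verification is switched off on purpose for the test database. One private helper with a docstring keeps that decision in a single place and makes an unverified context harder to copy into non-test code unnoticed. The order of the two assignments matters, because Python refuses `CERT_NONE` while `check_hostname` is still enabled, and that deserves a comment. These helpers now always connect over TLS, so the `--no-ssl` path added in PATCH 2/2 presumably needs coverage of its own. All three function bodies start and continue outside the hunks.

```python
def _test_ssl_context():
    """Return a TLS context for the behave test database only.

    Certificate and hostname checks are deliberately disabled here
    (presumably the test server has no CA-signed certificate - confirm).
    Do not reuse this context outside the test suite.
    """
    ctx = ssl.create_default_context()
    # check_hostname has to be cleared first; CERT_NONE is rejected otherwise.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.VerifyMode.CERT_NONE
    return ctx


# in create_db, create_cn and drop_db:
# … unchanged: docstring …
cn = pymysql.connect(
    # … unchanged: host, port, user, password, db, charset, cursorclass …
    ssl=_test_ssl_context(),
)
```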
diff --git a/.gitignore b/.gitignore
index 970fcd4f..1fb195db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,6 @@
 .venv/
 venv/
+
+.myclirc
+uv.lock
diff --git a/changelog.md b/changelog.md
index 7fd9fa36..cc29055d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -3,7 +3,7 @@ Upcoming (TBD)
 Features
 --------
-* Update the default SSL value to connect securely by default.
+* Update the default SSL value to connect securely by default. Add a --no-ssl option to disable it.
 Bug Fixes
 --------
diff --git a/mycli/main.py b/mycli/main.py
index 3e948b78..9062c1b3 100755
--- a/mycli/main.py
+++ b/mycli/main.py
@@ -1343,7 +1343,9 @@ def get_last_query(self) -> str | None:
 @click.option("--ssh-key-filename", help="Private key filename (identify file) for the ssh connection.")
 @click.option("--ssh-config-path", help="Path to ssh configuration.", default=os.path.expanduser("~") + "/.ssh/config")
 @click.option("--ssh-config-host", help="Host to connect to ssh server reading from ssh configuration.")
-@click.option("--ssl", "ssl_enable", is_flag=True, default=True, help="Enable SSL for connection (automatically enabled with other flags).")
+@click.option(
+ "--ssl/--no-ssl", "ssl_enable", is_flag=True, default=True, help="Enable SSL for connection (automatically enabled with other flags)."
+)
 @click.option("--ssl-ca", help="CA file in PEM format.", type=click.Path(exists=True))
 @click.option("--ssl-capath", help="CA directory.")
 @click.option("--ssl-cert", help="X509 cert in PEM format.", type=click.Path(exists=True))
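Review bot: The help string on the new `--ssl/--no-ssl` option in mycli/main.py still reads "Enable SSL for connection (automatically enabled with other flags)", which neither states that SSL is now on by default nor tells the user that `--no-ssl` sends traffic unencrypted. I would change the declaration to `"--ssl/--no-ssl", "ssl_enable", default=True, help="Use SSL/TLS for the connection (default: enabled); --no-ssl sends traffic unencrypted."`, which also drops `is_flag=True`, redundant once the name uses the slash form because Click infers a boolean flag from it. The old wording implied that `--ssl-ca`, `--ssl-cert` and similar options switch SSL on by themselves, so the handling of `--no-ssl` combined with one of them (outside this hunk) should be made explicit, preferably as an error rather than one option silently winning.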