windows: use DEFAULT_SSL_VERIFY_SERVER_CERT=0 option (#731)

Author: methane

.github/workflows/windows.yaml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: c:/mariadb-connector
-          key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win
+          key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-2
 
       - name: Download and Unzip Connector
         if: steps.cache-connector.outputs.cache-hit != 'true'
@@ -27,15 +27,32 @@ jobs:
           unzip "mariadb-connector-c-${CONNECTOR_VERSION}-src.zip" -d c:/
           mv "c:/mariadb-connector-c-${CONNECTOR_VERSION}-src" c:/mariadb-connector-src
 
-      - name: Build Connector
+      - name: make build directory
         if: steps.cache-connector.outputs.cache-hit != 'true'
         shell: cmd
         working-directory: c:/mariadb-connector-src
         run: |
           mkdir build
-          cd build
-          cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static
+
+      - name: cmake
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
+          cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static -DDEFAULT_SSL_VERIFY_SERVER_CERT=0
+
+      - name: cmake build
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
           cmake --build . -j 8 --config Release
+
+      - name: cmake install
+        if: steps.cache-connector.outputs.cache-hit != 'true'
+        shell: cmd
+        working-directory: c:/mariadb-connector-src/build
+        run: |
           cmake -DCMAKE_INSTALL_PREFIX=c:/mariadb-connector -DCMAKE_INSTALL_COMPONENT=Development -DCMAKE_BUILD_TYPE=Release -P cmake_install.cmake
 
       - name: Checkout mysqlclient

src/MySQLdb/_mysql.c

@@ -543,23 +543,30 @@ _mysql_ConnectionObject_Initialize(
         mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher);
     }
 
-    if (ssl_mode_set) {
 #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE
+    if (ssl_mode_set) {
         mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num);
+    }
 #else
-        // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
-        // See https://github.com/PyMySQL/mysqlclient/issues/474
-        // TODO: Does MariaDB supports PREFERRED and VERIFY_CA?
-        // We support only two levels for now.
-        my_bool enforce_tls = 1;
-        if (ssl_mode_num >= SSLMODE_REQUIRED) {
-            mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls);
-        }
-        if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
-            mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
-        }
-#endif
+    // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
+    // See https://github.com/PyMySQL/mysqlclient/issues/474
+    // And MariDB 11.4 changed the default value of MYSQL_OPT_SSL_ENFORCE and
+    // MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
+    // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
+    // We emulate the ssl_mode and old behavior.
+    my_bool my_true = 1;
+    my_bool my_false = 0;
+    if (ssl_mode_num >= SSLMODE_REQUIRED) {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true);
+    } else {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false);
+    }
+    if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true);
+    } else {
+        mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);
     }
+#endif
 
     if (charset) {
         mysql_options(&(self->connection), MYSQL_SET_CHARSET_NAME, charset);
@@ -573,12 +580,9 @@ _mysql_ConnectionObject_Initialize(
                   port, unix_socket, client_flag);
     Py_END_ALLOW_THREADS
 
-    if (ssl) {
-        int i;
-        for (i=0; i<n_ssl_keepref; i++) {
-            Py_DECREF(ssl_keepref[i]);
-            ssl_keepref[i] = NULL;
-        }
+    for (int i=0; i<n_ssl_keepref; i++) {
+        Py_DECREF(ssl_keepref[i]);
+        ssl_keepref[i] = NULL;
     }
 
     if (!conn) {