Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[feat] Update SSL option to connect securely by default#1418

Merged
rolandwalker merged 9 commits intodbcli:mainfrom
scottnemes:feat/760/enable-ssl-by-default
Jan 2, 2026
Merged

[feat] Update SSL option to connect securely by default#1418
rolandwalker merged 9 commits intodbcli:mainfrom
scottnemes:feat/760/enable-ssl-by-default

Conversation

@scottnemes
Copy link
Contributor

@scottnemes scottnemes commented Dec 24, 2025

Description

What:
Currently mycli does not connect via SSL by default, while the official MySQL client does.

Why:
Connecting via SSL by default is more secure.

Resolves #760

Checklist

  • I've added this contribution to the changelog.md.
  • I've added my name to the AUTHORS file (or it's already there).
  • I ran uv run ruff check && uv run ruff format && uv run mypy --install-types . to lint and format the code.

@rolandwalker
Copy link
Contributor

rolandwalker commented Dec 29, 2025

While I favor this, there is a lot to consider.

The vendor client does not simply use SSL/TLS by default, but tries encrypted transport first, then retries without encryption on failure (https://dev.mysql.com/doc/refman/9.0/en/encrypted-connections.html). That's probably the minimum we need to do, to avoid a flood of incoming issues.

To help the user out, and to do better than the vendor client, we could also have a config-file option for encrypted transport with three states: on/off/auto, with the default of "auto".

_connect() already uses a try/except formulation to work out whether a password prompt is needed:

  • mycli/mycli/main.py

    Line 508 in 3683b9f

    def _connect() -> None:

    so it might get complicated to also do the same thing for encrypted transport.

@scottnemes
Copy link
Contributor Author

scottnemes commented Dec 29, 2025

While I favor this, there is a lot to consider.

The vendor client does not simply use SSL/TLS by default, but tries encrypted transport first, then retries without encryption on failure (https://dev.mysql.com/doc/refman/9.0/en/encrypted-connections.html). That's probably the minimum we need to do, to avoid a flood of incoming issues.

To help the user out, and to do better than the vendor client, we could also have a config-file option for encrypted transport with three states: on/off/auto, with the default of "auto".

_connect() already uses a try/except formulation to work out whether a password prompt is needed:

  • mycli/mycli/main.py

    Line 508 in 3683b9f

    def _connect() -> None:

    so it might get complicated to also do the same thing for encrypted transport.

Good callout. I actually thought it would downgrade automatically as long as the server wasn't requiring SSL, so definitely did not expect that; I will rework that bit.

RE: the config, I did think about adding a config file option but thought it might be scope creep. But if you also think it's a good idea I will work on that bit as well!

@rolandwalker
Copy link
Contributor

rolandwalker commented Dec 29, 2025

I actually thought it would downgrade automatically as long as the server wasn't requiring SSL

Ah, well I haven't check pymysql docs/internals before writing that — maybe the library does!

@scottnemes
Copy link
Contributor Author

scottnemes commented Dec 29, 2025

I actually thought it would downgrade automatically as long as the server wasn't requiring SSL

Ah, well I haven't check pymysql docs/internals before writing that — maybe the library does!

It doesn't apparently; that's why I was surprised anyway, hah! So it will need a decent amount of work to add in the config and retry logic. Will take a look though.

@scottnemes scottnemes marked this pull request as draft December 30, 2025 23:15
@scottnemes scottnemes marked this pull request as ready for review January 2, 2026 02:39
rolandwalker
rolandwalker reviewed Jan 2, 2026
View reviewed changes
mycli/main.py Outdated

if ssl_enable is not None:
click.secho(
"Warning: The --ssl/--no-ssl CLI options will be deprecated in a future release. "
Copy link
Contributor

@rolandwalker rolandwalker Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we say "are deprecated and will be removed in a future release"?

rolandwalker
rolandwalker reviewed Jan 2, 2026
View reviewed changes
mycli/myclirc Outdated
# Define one or more SQL statements per alias (semicolon-separated).
# example_dsn = "SET sql_select_limit=1000; SET time_zone='+00:00'"

[ssl]
Copy link
Contributor

@rolandwalker rolandwalker Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are other SSL/TLS settings expected in the [ssl] section? If not, should this be part of [main]? (If so, a new section makes sense.)

@scottnemes
Moved the new ssl_mode config option to the main section. Updated ssl…
7a698ec 
…/no-ssl deprecation warning. Updated changelog to match.
@rolandwalker rolandwalker merged commit f10fb76 into dbcli:main Jan 2, 2026
8 checks passed
@scottnemes scottnemes deleted the feat/760/enable-ssl-by-default branch January 2, 2026 23:44
@rolandwalker rolandwalker mentioned this pull request Feb 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rolandwalker rolandwalker rolandwalker left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Access denied for user

2 participants

@scottnemes @rolandwalker