From 55b510b417338fb99d520d69ff762b4444290691 Mon Sep 17 00:00:00 2001
From: Inada Naoki
Date: Wed, 23 Oct 2024 21:08:28 +0900
Subject: [PATCH 1/6] windows: use DEFAULT_SSL_VERIFY_SERVER_CERT=0 option
---
 .github/workflows/windows.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
index e884493..3824b21 100644
--- a/.github/workflows/windows.yaml
+++ b/.github/workflows/windows.yaml
@@ -34,7 +34,10 @@ jobs:
 run: |
 mkdir build
 cd build
- cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static
+ cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static \
+ -DCLIENT_PLUGIN_SHA256_PASSWORD=static \
+ -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static \
+ -DDEFAULT_SSL_VERIFY_SERVER_CERT=0
 cmake --build . -j 8 --config Release
 cmake -DCMAKE_INSTALL_PREFIX=c:/mariadb-connector -DCMAKE_INSTALL_COMPONENT=Development -DCMAKE_BUILD_TYPE=Release -P cmake_install.cmake
From f6088055bae8452fa0d4f37c12638ed4800dc04a Mon Sep 17 00:00:00 2001
From: Inada Naoki
Date: Wed, 23 Oct 2024 21:09:18 +0900
Subject: [PATCH 2/6] update cache key
---
 .github/workflows/windows.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
index 3824b21..231d213 100644
--- a/.github/workflows/windows.yaml
+++ b/.github/workflows/windows.yaml
@@ -17,7 +17,7 @@ jobs:
 uses: actions/cache@v4
 with:
 path: c:/mariadb-connector
- key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win
+ key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-1
 - name: Download and Unzip Connector
 if: steps.cache-connector.outputs.cache-hit != 'true'
From 611adf160cc5bdc5616a90ea5127479539613f0a Mon Sep 17 00:00:00 2001
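Review bot: The added `-DDEFAULT_SSL_VERIFY_SERVER_CERT=0` on the `cmake -A x64 ..` configure line builds the connector with server-certificate verification off by default, and nothing in the workflow records why or what that means for users of the result. The same flag is carried into the `cmake` step in PATCH 3/6. If the library installed under `c:/mariadb-connector` ends up in distributed Windows binaries, a TLS connection that does not explicitly ask for verification is encrypted but the server is not authenticated. I would add a comment above the step, e.g. `# Built with cert verification off by default to keep pre-change connector behaviour; callers must request VERIFY_CA to authenticate the server`. Since PATCH 5/6 sets the option explicitly on that code path, the build-time default may no longer be needed at all and could be left at the connector's own value.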
From: Inada Naoki
Date: Wed, 23 Oct 2024 21:48:16 +0900
Subject: [PATCH 3/6] fixup
---
 .github/workflows/windows.yaml | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
index 231d213..f8dbf87 100644
--- a/.github/workflows/windows.yaml
+++ b/.github/workflows/windows.yaml
@@ -17,7 +17,7 @@ jobs:
 uses: actions/cache@v4
 with:
 path: c:/mariadb-connector
- key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-1
+ key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-2
 - name: Download and Unzip Connector
 if: steps.cache-connector.outputs.cache-hit != 'true'
@@ -27,18 +27,32 @@ jobs:
 unzip "mariadb-connector-c-${CONNECTOR_VERSION}-src.zip" -d c:/
 mv "c:/mariadb-connector-c-${CONNECTOR_VERSION}-src" c:/mariadb-connector-src
- - name: Build Connector
+ - name: make build directory
 if: steps.cache-connector.outputs.cache-hit != 'true'
 shell: cmd
 working-directory: c:/mariadb-connector-src
 run: |
 mkdir build
- cd build
- cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static \
- -DCLIENT_PLUGIN_SHA256_PASSWORD=static \
- -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static \
- -DDEFAULT_SSL_VERIFY_SERVER_CERT=0
+
+ - name: cmake
+ if: steps.cache-connector.outputs.cache-hit != 'true'
+ shell: cmd
+ working-directory: c:/mariadb-connector-src/build
+ run: |
+ cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static -DDEFAULT_SSL_VERIFY_SERVER_CERT=0
+
+ - name: cmake build
+ if: steps.cache-connector.outputs.cache-hit != 'true'
+ shell: cmd
+ working-directory: c:/mariadb-connector-src/build
+ run: |
 cmake --build . -j 8 --config Release
+
+ - name: cmake install
+ if: steps.cache-connector.outputs.cache-hit != 'true'
+ shell: cmd
+ working-directory: c:/mariadb-connector-src/build
+ run: |
 cmake -DCMAKE_INSTALL_PREFIX=c:/mariadb-connector -DCMAKE_INSTALL_COMPONENT=Development -DCMAKE_BUILD_TYPE=Release -P cmake_install.cmake
 - name: Checkout mysqlclient
From 9028b459d30e5799bcabf62ea9241fbfc948abfd Mon Sep 17 00:00:00 2001
From: Inada Naoki
Date: Wed, 6 Nov 2024 18:14:01 +0900
Subject: [PATCH 4/6] ssl_mode="REQUIRED" disables verification of the server certificate by default. mariadb connector/c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1. this change makes it can be disabled by ssl_mode="DISABLED", "PREFERRED", and "REQUIRED".
---
 src/MySQLdb/_mysql.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c
index b9ec1c1..fbe4615 100644
--- a/src/MySQLdb/_mysql.c
+++ b/src/MySQLdb/_mysql.c
@@ -558,6 +558,13 @@ _mysql_ConnectionObject_Initialize(
 if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
 mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
 }
+ else {
+ // mariadb-connector-c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
+ // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
+ // for users don't want to verify the server certificate, we provide an option to disable it.
+ my_bool my_false = 0;
+ mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);
+ }
 #endif
 }
From 1b7cbeda9891d7fe9cb3db2a39dd9ff037c9947d Mon Sep 17 00:00:00 2001
From: Inada Naoki
Date: Tue, 12 Nov 2024 17:51:25 +0900
Subject: [PATCH 5/6] simplify
---
 src/MySQLdb/_mysql.c | 48 ++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 26 deletions(-)
diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c
index fbe4615..9cd95b1 100644
--- a/src/MySQLdb/_mysql.c
+++ b/src/MySQLdb/_mysql.c
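Review bot: The new `else` branch switches certificate verification off for every ssl_mode below `SSLMODE_VERIFY_CA`, REQUIRED included, but its comment describes it only as an opt-out for users who do not want verification. A caller who picks REQUIRED gets an encrypted channel to a server whose identity is not checked, which does not protect against an active man-in-the-middle, and the comment should say so, e.g. `// Below VERIFY_CA the server certificate is NOT verified (TLS without server authentication); use VERIFY_CA or higher to authenticate the server.` The return value of `mysql_optionsv` is also ignored here, so a failure to apply the option would go unnoticed. The enclosing function starts and ends outside the hunk.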
@@ -543,29 +543,28 @@ _mysql_ConnectionObject_Initialize(
 mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher);
 }
- if (ssl_mode_set) {
 #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE
+ if (ssl_mode_set) {
 mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num);
+ }
 #else
- // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
- // See https://github.com/PyMySQL/mysqlclient/issues/474
- // TODO: Does MariaDB supports PREFERRED and VERIFY_CA?
- // We support only two levels for now.
- my_bool enforce_tls = 1;
- if (ssl_mode_num >= SSLMODE_REQUIRED) {
- mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls);
- }
- if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
- mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
- }
- else {
- // mariadb-connector-c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
- // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
- // for users don't want to verify the server certificate, we provide an option to disable it.
- my_bool my_false = 0;
- mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);
- }
-#endif
+ // MariaDB doesn't support MYSQL_OPT_SSL_MODE.
+ // See https://github.com/PyMySQL/mysqlclient/issues/474
+ // And MariDB 11.4 changed the default value of MYSQL_OPT_SSL_ENFORCE and
+ // MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
+ // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
+ // We emulate the ssl_mode and old behavior.
+ my_bool my_true = 1; + my_bool my_false = 0; + if (ssl_mode_num >= SSLMODE_REQUIRED) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true); + } else { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false); + } + if (ssl_mode_num >= SSLMODE_VERIFY_CA) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true); + } else { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false); } if (charset) { @@ -580,12 +579,9 @@ _mysql_ConnectionObject_Initialize( port, unix_socket, client_flag); Py_END_ALLOW_THREADS - if (ssl) { - int i; - for (i=0; i Date: Tue, 12 Nov 2024 17:58:11 +0900 Subject: [PATCH 6/6] fixup --- src/MySQLdb/_mysql.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c index 9cd95b1..1468f3e 100644 --- a/src/MySQLdb/_mysql.c +++ b/src/MySQLdb/_mysql.c @@ -566,6 +566,7 @@ _mysql_ConnectionObject_Initialize( } else { mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false); } +#endif if (charset) { mysql_options(&(self->connection), MYSQL_SET_CHARSET_NAME, charset);
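Review bot: In the `#else` branch the `mysql_optionsv` calls for `MYSQL_OPT_SSL_ENFORCE` and `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` no longer sit inside `if (ssl_mode_set)`, so they now run for every connection on this path, including when the caller never passed ssl_mode. What `ssl_mode_num` holds in that case is decided outside the hunk; if it is below `SSLMODE_VERIFY_CA`, the connector's own verify-by-default is switched off without the user having asked for it. I would keep the connector default unless ssl_mode was given, e.g. by wrapping both `if`/`else` pairs in `if (ssl_mode_set) { ... }`, or at least state the downgrade in the comment block above them. The `mysql_optionsv` return values are still unchecked, and the new comment has a typo (`MariDB`).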