fix: aiomysql only takes an SSLContext object

2024-11-16 09:26:36 +07:00
parent d7d3dbac59
commit 5f3d62d84a
2 changed files with 49 additions and 7 deletions
--- a/core/config.py
+++ b/core/config.py
@ -186,9 +186,15 @@ class DatabaseConfig:
        )
        
    @property
-    def ssl_ca(self) -> Optional[str]:
+    def ssl_cafile(self) -> Optional[str]:
        return CoreConfig.get_config_field(
-            self.__config, "core", "database", "ssl_ca", default=None
+            self.__config, "core", "database", "ssl_cafile", default=None
+        )
+
+    @property
+    def ssl_capath(self) -> Optional[str]:
+        return CoreConfig.get_config_field(
+            self.__config, "core", "database", "ssl_capath", default=None
        )

    @property
@ -209,6 +215,24 @@ class DatabaseConfig:
            self.__config, "core", "database", "ssl_key_password", default=None
        )

+    @property
+    def ssl_verify_identity(self) -> bool:
+        return CoreConfig.get_config_field(
+            self.__config, "core", "database", "ssl_verify_identity", default=True
+        )
+    
+    @property
+    def ssl_verify_cert(self) -> Optional[bool]:
+        return CoreConfig.get_config_field(
+            self.__config, "core", "database", "ssl_verify_cert", default=None
+        )
+
+    @property
+    def ssl_ciphers(self) -> Optional[str]:
+        return CoreConfig.get_config_field(
+            self.__config, "core", "database", "ssl_ciphers", default=None
+        )
+
    @property
    def sha2_password(self) -> bool:
        return CoreConfig.get_config_field(
--- a/core/data/database.py
+++ b/core/data/database.py
@ -46,19 +46,37 @@ class Data:
            }

            if self.config.database.ssl_enabled:
-                ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+                no_ca = (
+                    self.config.database.ssl_cafile is None
+                    and self.config.database.ssl_capath is None
+                )

-                if self.config.database.ssl_ca:
-                    ssl_context.load_verify_locations(self.config.database.ssl_ca)
+                ctx = ssl.create_default_context(
+                    cafile=self.config.database.ssl_cafile,
+                    capath=self.config.database.ssl_capath,
+                )
+                ctx.check_hostname = self.config.database.ssl_verify_identity
+
+                if self.config.database.ssl_verify_cert is None:
+                    ctx.verify_mode = ssl.CERT_NONE if no_ca else ssl.CERT_REQUIRED
+                else:
+                    ctx.verify_mode = (
+                        ssl.CERT_REQUIRED
+                        if self.config.database.ssl_verify_cert
+                        else ssl.CERT_NONE
+                    )
                
                if self.config.database.ssl_cert:
-                    ssl_context.load_cert_chain(
+                    ctx.load_cert_chain(
                        self.config.database.ssl_cert,
                        self.config.database.ssl_key,
                        self.config.database.ssl_key_password,
                    )
                
-                connect_args["ssl"] = ssl_context
+                if self.config.database.ssl_ciphers:
+                    ctx.set_ciphers(self.config.database.ssl_ciphers)
+
+                connect_args["ssl"] = ctx

            Data.engine = create_async_engine(
                self.__url,