
Connect with TLS

Informix uses dedicated TLS-enabled listener ports (configured server-side in sqlhosts) rather than a STARTTLS upgrade. When tls is enabled, point port at the TLS listener (typically 9089).

import ssl
import informix_db
ctx = ssl.create_default_context(cafile="/path/to/ca.pem")
# Optional: client cert auth
# ctx.load_cert_chain(certfile="/path/to/client.pem", keyfile="/path/to/client.key")
conn = informix_db.connect(
    host="db.example.com",
    port=9089,
    user="informix",
    password="...",
    database="mydb",
    server="informix",
    tls=ctx,
)

Bring-your-own context is the recommended production pattern — you get full control of certificate verification, hostname checking, ciphers, and TLS version pinning.

informix_db.connect(host="127.0.0.1", port=9089, ..., tls=True)

tls=True is a convenience for development — it builds a default context with check_hostname=False and verify_mode=CERT_NONE. Do not use this in production.
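The difference between the two patterns can be checked before a connection is ever opened. The following is an added example, not part of informix_db: the helper names (strict_context, dev_context, audit_tls, require_strict) and the TLS 1.2 floor are assumptions, and dev_context only reproduces the settings described above for tls=True using the standard ssl module.

```python
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # assumed policy floor, not taken from the page

def strict_context(cafile=None, min_version=MIN_TLS):
    """Verifying client context; cafile=None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = min_version                # pin the protocol floor explicitly
    return ctx

def dev_context():
    """Constructed stand-in with the settings the page gives for tls=True."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_tls(tls):
    """Return the reasons a value is unsafe to pass as tls= in production."""
    if not isinstance(tls, ssl.SSLContext):
        return [f"tls={tls!r} is not an ssl.SSLContext"]
    problems = []
    if tls.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not tls.check_hostname:
        problems.append("hostname checking disabled")
    if tls.minimum_version < MIN_TLS:
        problems.append("minimum TLS version below 1.2")
    return problems

def require_strict(tls):
    """Return tls unchanged if it passes the audit, otherwise raise ValueError."""
    problems = audit_tls(tls)
    if problems:
        raise ValueError("refusing insecure TLS settings: " + "; ".join(problems))
    return tls

if __name__ == "__main__":
    print(audit_tls(strict_context()))  # verifying context: no findings
    print(audit_tls(dev_context()))     # development settings: flagged
    print(audit_tls(True))              # bare tls=True: flagged
```

In production code, wrapping the argument as tls=require_strict(ctx) makes a development setting fail loudly at startup instead of silently connecting without verification.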

The Informix server needs a TLS listener entry in sqlhosts:

informix_tls onsoctcp myhost 9089

The server also needs a server-side keystore. The IBM Developer Edition Docker image ships with a TLS listener already enabled on 9089 — no configuration needed.