From: Fredrik M. <mel...@df...> - 2009-08-04 16:21:12
Michael Ströder wrote:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>> verify the server certificate? If so, how?
>
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
>
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/initialize.py:
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Ciao, Michael.

Hi, Michael

Thanks for the very fast reply!

I've been playing around with a certificate that should be broken without
having my script complain the least. I would have expected python-ldap to
throw an exception or similar, but for the time being it seems to be
pretending that everything's alright.

Here's my connect method in the class that's using ldap:

    def get_connection(self, connection_string):
        "Connect to ldap and return the handle"
        conn = ldap.initialize(connection_string)
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
        conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
        conn.start_tls_s()
        conn.simple_bind_s(self.ldap_user, self.ldap_password)
        return conn

What is it that I'm misunderstanding here?

Best regards,
Fredrik