From: Michael S. <mi...@st...> - 2009-08-04 16:25:31
Fredrik Melander wrote:
> Michael Ströder schrieb:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>> verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Thanks for the very fast reply!
>
> I've been playing around with a certificate that should be broken
> without having my script complain the least.

Why should it be broken?

> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.

If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

> Here's my connect-method in the class that's using ldap:
>
> def get_connection(self, connection_string):
>     "Connect to ldap and return the handle"
>
>     conn = ldap.initialize(connection_string)
>     conn.protocol_version = ldap.VERSION3
>     conn.set_option(ldap.OPT_REFERRALS, 0)
>     conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
>     conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
>
>     conn.start_tls_s()
>     conn.simple_bind_s(self.ldap_user, self.ldap_password)
>     return conn
>
> What is it that I'm misunderstanding here?

Well, there's a reason why in Demo/initialize.py the TLS-related options are
set globally. Only in recent versions of OpenLDAP can you set these options
per connection. And libldap might also use TLS-related configuration in a
.ldaprc or /etc/ldap.conf if available.

Ciao, Michael.
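Added example (not code from this thread and not python-ldap's own Demo/initialize.py): the connect method reworked along the lines Michael describes, with the TLS options set globally before ldap.initialize() and ldap.SERVER_DOWN from start_tls_s() treated as a hard failure rather than letting the bind go ahead. Two things not stated in the thread are my additions: the verification level is set through ldap.OPT_X_TLS_REQUIRE_CERT (ldap.OPT_X_TLS is a different option and does not control certificate checking), and check_cacertfile() insists on an absolute, readable CA file, because a relative path such as "etc/openldap/ssl/cacert.pem" is opened by OpenSSL relative to the process's working directory. The helper and function names, and the URI/user/password parameters, are assumed for the example.

```python
import os


def check_cacertfile(path):
    """Return an absolute, readable CA bundle path, or raise ValueError.

    OpenSSL opens a relative OPT_X_TLS_CACERTFILE relative to the current
    working directory, so "etc/openldap/ssl/cacert.pem" is not the same file
    as "/etc/openldap/ssl/cacert.pem". Catch that before libldap does
    (or does not) complain about it.
    """
    if not os.path.isabs(path):
        raise ValueError("CA cert file path must be absolute: %r" % (path,))
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        raise ValueError("CA cert file is not readable: %r" % (path,))
    return path


def get_connection(uri, user, password, cacertfile):
    """Connect with StartTLS, demanding a verified server certificate.

    uri must name the server by the hostname in its certificate (CN or
    subjectAltName), since libldap checks that as part of verification.
    """
    import ldap  # python-ldap; imported here so check_cacertfile() runs without it

    # Set TLS options globally, before ldap.initialize(), as
    # Demo/initialize.py does: older OpenLDAP libs ignore per-connection
    # TLS options, and global settings apply to every connection made later.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, check_cacertfile(cacertfile))
    # OPT_X_TLS_REQUIRE_CERT, not OPT_X_TLS, is the option that makes
    # libldap reject an unverifiable chain or a hostname mismatch.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.start_tls_s()
    except ldap.SERVER_DOWN as e:
        # This is what a failed chain or hostname check looks like from
        # python-ldap. Do not fall through to a plaintext simple bind.
        raise RuntimeError("StartTLS failed, refusing to bind: %s" % (e,))
    conn.simple_bind_s(user, password)
    return conn
```

If a .ldaprc or /etc/ldap.conf also sets TLS_CACERT or TLS_REQCERT, libldap reads those too, so when behaviour looks wrong, check what those files say before blaming the script. On newer python-ldap/OpenLDAP builds, where TLS options can be set per connection, they only take effect after conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0) is called on that connection.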