From: Fredrik M. <mel...@df...> - 2009-08-05 13:51:22

Hi again,

> Why should it be broken?

It's deliberately broken to test the program, and thanks to your reply I've been able to catch this exception:

    CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': 'Connect error'}

What I've so far *not* been able to provoke is an error because of an expired certificate. Is there some way to do this?

> If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

ehm.. I caught a CONNECT_ERROR (see above)... ?

> Well, there's a reason why in Demo/initialize.py the TLS-related options are
> set globally. Only in recent versions of OpenLDAP you can set these options
> per connection.

Thanks, didn't know this. The thing is that I want to verify some certificates and accept others no matter what, but I've been (what seems to be) successful in toggling this with ldap.OPT_X_TLS_NEVER and ldap.OPT_X_TLS_DEMAND respectively.