Re: Expired server certificate

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Fredrik Melander wrote:
> I've given my LDAP server an expired cert for testing, but when calling
> start_tls_s() the script just proceeds as were nothing wrong.

Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
validation is completely done within the OpenSSL libs, except the host name
checking.

Could you please test with OpenLDAP's command-line tool ldapsearch. This is
important: Please use the tool which uses the very same libldap also used for
python-ldap.

If ldapsearch fails this would be something to raise on the openldap-software
mailing list together with information about your build of libldap and the
SSL/TLS libs used. Note that libldap could be build with GnuTLS or today even
with Mozilla's libnss.

Ciao, Michael.