From: David M. <da...@es...> - 2002-05-16 20:06:42

Hello,

I'm interested in working on TLS support in python-ldap. I have been meaning to look at this for some time, but only recently I finally downloaded and worked a bit with openldap 2.0.23.

My understanding of client TLS support (i.e. command line tools like ldapsearch, or apps that use libldap) is the following:

1) it enforces the requirement that the subject DN in the certificate contain the FQDN of the hostname you supplied,
2) if the FQDN does not match the cn in the subject DN, it will look in the subjectAltName extension for a match. This is helpful for load balancer scenarios where the FQDN would not match the subject DN,
3) no CA certificate checking is done.

Supposedly steps 1 and 2 are to guard against man-in-the-middle attacks, but I can't find any reference anywhere for how to configure a client with a local store of 'trusted root CA certificates'. This means that a man-in-the-middle attack is still possible. Can anyone provide a bit of insight? Maybe the python-ldap module could be made a bit more flexible than client apps like ldapsearch in this regard, say by giving the developer the option of providing certificate verification callbacks, etc.

Thanks,
Dave
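An added example, not part of Dave's mail or of python-ldap's own code: plain stdlib Python that reproduces the two name checks he describes (CN first, then subjectAltName) over constructed certificate dicts in the shape `ssl.getpeercert()` returns, and builds an `SSLContext` with a trusted-root store, the third check he says is missing. It goes beyond the mail by also showing the stricter RFC 6125 order, where a DNS SAN, if present, replaces the CN entirely; the function names and the sample hostnames are assumptions.

```python
import ssl

# Constructed sample certs in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.org"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "vip.example.org"),),),      # load-balancer name
    "subjectAltName": (("DNS", "ldap1.example.org"), ("DNS", "ldap2.example.org")),
}

def subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    # Case-insensitive exact match, or a wildcard covering exactly one leading label.
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def hostname_ok_libldap_style(cert, hostname):
    """Order described in the mail: CN first, then fall back to subjectAltName."""
    cn = subject_cn(cert)
    if cn is not None and name_matches(cn, hostname):
        return True
    return any(name_matches(n, hostname) for n in san_dns_names(cert))

def hostname_ok_rfc6125(cert, hostname):
    """Stricter modern rule: if any DNS SAN exists, the CN is never consulted."""
    sans = san_dns_names(cert)
    if sans:
        return any(name_matches(n, hostname) for n in sans)
    cn = subject_cn(cert)
    return cn is not None and name_matches(cn, hostname)

def verifying_context(cafile=None):
    """The missing piece from the mail: a context that requires the server chain
    to end at a trusted root. cafile is a PEM bundle of trusted root CAs; None
    falls back to the OS trust store. Name matching is left to the TLS library."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```

A python-ldap client gets the same effect by setting the CA file and requiring certificates through its TLS options before binding, rather than by wrapping sockets itself.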