From: <mi...@st...> - 2006-06-20 23:05:57
Mike Orr wrote:

> I couldn't find anything about SSL in the python-ldap or openldap
> documentation, but a Google search found this letter from 2003:
> http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> [..]
> But I don't have a certificate to authenticate against. Mozilla
> Thunderbird works fine without it

Are you sure that you never imported the appropriate CA certificate into the Mozilla cert store? Or do you hit "Accept forever" on each unknown issuer? Bad idea!

> "openssl s_client -connect target:636" ends with:
> "Verify return code: 19 (self signed certificate in certificate chain)"
>
> This is not surprising; our organization always uses self-signed
> certificates.

You have to install the CA certificate which issued the SSL server certificate as a trusted root certificate into each piece of software using it. If you're using self-signed server certificates I can only comment that you SHOULD NOT do this.

> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Is there an option for "just accept the certificate anyway"?

Nope. That's by design of the OpenLDAP API. You can define the server certificate as CA certificate though. But again, this undermines the security measures of SSL/TLS.

> Is there a list of LDAP options anywhere?

Why didn't you follow the advice in the e-mail you cited above:

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ..)

> Is there a HOWTO anywhere for using python-ldap with SSL?

See demo script Demo/initialize.py in python-ldap's source distribution.

Ciao, Michael.
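The following is an added example, not code from the thread above and not python-ldap's own Demo/initialize.py. It shows the setup Michael points at: the issuing CA as trust anchor via OPT_X_TLS_CACERTFILE, certificate checking set to DEMAND rather than any "accept anyway" mode, and a sanity check of the CA bundle before connecting, because OpenLDAP otherwise reports a bad or missing CA file only as the opaque "Can't contact LDAP server (-1)" quoted in the thread. It uses the per-connection TLS options of current python-ldap; the global `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...)` call from the message has the same effect process-wide. The CA file path, the server URI, the bind DN and the SAMPLE_CA_PEM text are assumptions; the sample PEM is constructed for the offline check and is not a real certificate.

```python
"""Verified LDAPS connection with python-ldap: trust the issuing CA, never
"accept anyway". Added example for this thread; not code from python-ldap
or from the message above."""
import re
import ssl

# Assumed path: the PEM file holding the CA certificate that *issued* the
# LDAP server certificate (not the server certificate itself).
CA_CERT_FILE = "/etc/ssl/certs/our-org-ca.pem"

# Constructed sample: PEM framing around a few arbitrary bytes, so the
# helpers below can be exercised offline. It is NOT a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBAgMBAAE=\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def count_pem_certificates(pem_text):
    """Count well-framed, base64-decodable certificate blocks in pem_text.

    OpenLDAP notices a missing or unreadable CA file only at handshake time
    and reports it as "Can't contact LDAP server (-1)", so checking the
    bundle before connecting gives a far better error. This checks framing
    and base64 only; it does not parse the certificate or prove it is a CA.
    Raises ValueError on a block whose body is not valid base64.
    """
    count = 0
    for match in _PEM_BLOCK.finditer(pem_text):
        block = ("-----BEGIN CERTIFICATE-----\n" + match.group(1).strip()
                 + "\n-----END CERTIFICATE-----\n")
        ssl.PEM_cert_to_DER_cert(block)  # ValueError if the body is not base64
        count += 1
    return count


def pem_bundle_ok(pem_text):
    """True if pem_text holds at least one decodable certificate block."""
    try:
        return count_pem_certificates(pem_text) > 0
    except ValueError:
        return False


def ldaps_connect(uri, bind_dn=None, password=None, cacertfile=CA_CERT_FILE):
    """Open a TLS-verified connection and bind.

    Uses the per-connection TLS options of current python-ldap; the global
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...) from the thread has the
    same effect for all connections in the process.
    """
    import ldap  # python-ldap; imported here so the PEM helpers need no ldap

    with open(cacertfile) as f:
        if not pem_bundle_ok(f.read()):
            raise ValueError("%s does not contain a PEM certificate" % cacertfile)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    # Trust anchor: the CA that issued the server certificate. Pointing this
    # at the server's own (self-signed) certificate does work, but then every
    # certificate rotation breaks every client until the new certificate has
    # been redistributed, which is what the thread warns against.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    # DEMAND aborts the handshake when the chain does not validate.
    # OPT_X_TLS_NEVER would be the "just accept the certificate anyway"
    # setting the original poster asked for; do not use it.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Build a fresh TLS context from the options above (OpenLDAP needs this
    # for per-connection TLS settings to take effect).
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

    if uri.startswith("ldap://"):
        conn.start_tls_s()  # port 389 plus STARTTLS; ldaps:// is implicit TLS
    try:
        conn.simple_bind_s(bind_dn or "", password or "")
    except ldap.SERVER_DOWN:
        # A certificate verification failure surfaces here as
        # "Can't contact LDAP server (-1)", exactly as quoted in the thread.
        raise
    return conn


if __name__ == "__main__":
    # Assumed host and bind DN.
    conn = ldaps_connect("ldaps://ldap.example.org:636",
                         "cn=reader,dc=example,dc=org", "secret")
    print(conn.whoami_s())
    conn.unbind_s()
```

If the bind still fails with "certificate verify failed", check the chain with `openssl s_client -connect target:636 -CAfile /etc/ssl/certs/our-org-ca.pem` (path assumed): the verify return code must be 0, and the issuer printed for the server certificate must match the subject of the certificate in the CA file.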