From: Mike O. <slu...@gm...> - 2006-06-20 23:38:39

On 6/20/06, Michael Ströder <mi...@st...> wrote:
> Mike Orr wrote:
> >
> > I couldn't find anything about SSL in the
> > python-ldap or openldap documentation, but a Google search found this
> > letter from 2003:
> > http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> > [..]
> > But I don't have a certificate to authenticate against. Mozilla
> > Thunderbird works fine without it
>
> Are you sure that you never imported the appropriate CA certificate into
> Mozilla cert store? Or do you hit "Accept forever" on each unknown
> issuer? Bad idea!

Oh that's right, Mozilla did pop up an "Unknown certificate" dialog.

> > "openssl s_client -connect
> > target:636" ends with:
> > "Verify return code: 19 (self signed certificate in certificate chain)"
> >
> > This is not surprising; our organization always uses self-signed
> > certificates.
>
> You have to install the CA certificate which issued the SSL server
> certificate available as trusted root certificate into each software
> using it.
>
> If you're using self-signed server certificates I can only comment that
> you SHOULD NOT do this.

I have no control over the server. And some organizations with tight
budgets balk at paying $100 per year per domain to a company like
Thawte that essentially does nothing.

> > ldap_bind: Can't contact LDAP server (-1)
> > additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Is there an option for "just accept the certificate anyway"?
>
> Nope. That's by design of the OpenLDAP API.
>
> You can define the server certificate as CA certificate though. But
> again, this undermines security measures of SSL/TLS.
>
> > Is there
> > a list of LDAP options anywhere?
>
> Why didn't you follow the advice in the e-mail you cited above:
>
> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)

Because I don't have a certificate file to point it to.

I'm checking with the LDAP admins to see if they'll give us the
certificate file. If not, I don't know what else to do.

--
Mike Orr <slu...@gm...>
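As an added example, not from the thread or from python-ldap itself, a small Python decoder for the two error lines quoted above: it unpacks the packed OpenSSL code 14090086 into its library/function/reason numbers and maps the s_client "Verify return code" to the remediation Michael describes (install the issuing CA as a trusted root via OPT_X_TLS_CACERTFILE rather than disabling verification). The library and reason numbers and the X509 code table are assumed from the OpenSSL 0.9.x/1.0.x headers that match the 2006-era output; the sample log lines are constructed.

```python
import re
# Packed OpenSSL (0.9.x/1.0.x) error code: 8-bit library, 12-bit function, 12-bit reason.
# OpenSSL 3 changed this layout; the 2006-era output in the thread uses the old one.
ERR_LIB_SSL = 20                       # library number of the SSL routines (assumed from ssl.h)
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # reason behind "certificate verify failed"
# X509 verify results as printed by "openssl s_client": "Verify return code: N (...)".
X509_VERIFY_CODES = {
    0: "ok",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
# These mean the chain ends at a root this client does not trust yet: install the CA, don't stop verifying.
MISSING_TRUST_ANCHOR = {18, 19, 20, 21}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)")

def unpack_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def diagnose(line):
    """Return (kind, detail, advice) for one log line, or None if it has no TLS verdict."""
    m = ERR_RE.search(line)
    if m:
        lib, func, reason = unpack_openssl_error(int(m.group(1), 16))
        if lib == ERR_LIB_SSL and reason == SSL_R_CERTIFICATE_VERIFY_FAILED:
            return ("verify_failed", (lib, func, reason),
                    "peer chain rejected: point ldap.OPT_X_TLS_CACERTFILE at the issuing CA")
        return ("other_openssl_error", (lib, func, reason), "decode with: openssl errstr <code>")
    m = VERIFY_RE.search(line)
    if m:
        code = int(m.group(1))
        detail = X509_VERIFY_CODES.get(code, "unknown X509 verify code %d" % code)
        if code == 0:
            return ("verified", detail, "no action needed")
        if code in MISSING_TRUST_ANCHOR:
            return ("untrusted_issuer", detail,
                    "get the CA certificate from the LDAP admins and install it as a trusted root")
        return ("chain_problem", detail, "server certificate problem; contact the LDAP admins")
    return None

# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    "ldap_bind: Can't contact LDAP server (-1)",
    "additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "Verify return code: 19 (self signed certificate in certificate chain)",
]
```

Running `diagnose` over each line of `SAMPLE_LOG` turns the bare numbers into the same conclusion reached in the thread: the chain is rejected only because its root is not yet trusted.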