Thread: How to verify server certificate

Brought to you by: leonard, pviktori, stroeder

This project can now be found here.

python-ldap-dev

How to verify server certificate

From: Fredrik M. <mel...@df...> - 2009-08-04 14:46:32

Attachments: smime.p7s

Hi, list!
Short question: when negotiating TLS with the LDAP server with
start_tls_s(), can I use python-ldap to follow the certificate chain and
  verify the server certificate? If so, how?

Best regards,
Fredrik

Re: How to verify server certificate

From: Michael S. <mi...@st...> - 2009-08-04 14:51:10

Fredrik Melander wrote:
> Short question: when negotiating TLS with the LDAP server with
> start_tls_s(), can I use python-ldap to follow the certificate chain and
>   verify the server certificate? If so, how?

The OpenLDAP libs are doing that for you (with the help of an underlying lib
like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
versions of OpenLDAP libs.

For the most common case with OpenLDAP C libs linked to OpenSSL libs see
script Demo/initialize.py:

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

Ciao, Michael.

Re: How to verify server certificate

From: Fredrik M. <mel...@df...> - 2009-08-04 16:21:12

Attachments: smime.p7s

Michael Ströder schrieb:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>   verify the server certificate? If so, how?
> 
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
> 
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/initialize.py:
> 
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> 
> Ciao, Michael.
> 


Hi, Michael
Thanks for the very fast reply!

I've been playing around with a certificate that should be broken
without having my script complain the least. I would have expected
python-ldap to throw an exception or similar but for the time being it
seems to be pretending that everything's alright.

Here's my connect-method in the class that's using ldap:


def get_connection(self, connection_string):
	"Connect to ldap and return the handle"
	
	conn = ldap.initialize(connection_string)
	conn.protocol_version = ldap.VERSION3
	conn.set_option(ldap.OPT_REFERRALS, 0)
	conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
	conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)

	conn.start_tls_s()
	conn.simple_bind_s(self.ldap_user, self.ldap_password)
	return conn

What is it that I'm misunderstanding here?

Best regards,
Fredrik

Re: How to verify server certificate

From: Michael S. <mi...@st...> - 2009-08-04 16:25:31

Fredrik Melander wrote:
> Michael Ströder schrieb:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>>   verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> 
> Thanks for the very fast reply!
> 
> I've been playing around with a certificate that should be broken
> without having my script complain the least.

Why should it be broken?

> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.

If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

> Here's my connect-method in the class that's using ldap:
> 
> def get_connection(self, connection_string):
> 	"Connect to ldap and return the handle"
> 	
> 	conn = ldap.initialize(connection_string)
> 	conn.protocol_version = ldap.VERSION3
> 	conn.set_option(ldap.OPT_REFERRALS, 0)
> 	conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
> 	conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
> 
> 	conn.start_tls_s()
> 	conn.simple_bind_s(self.ldap_user, self.ldap_password)
> 	return conn
> 
> What is it that I'm misunderstanding here?

Well, there's a reason why in Demo/initialize.py the TLS-related options are
set globally. Only in recent versions of OpenLDAP you can set these options
per connection.

And libldap might also use TLS-related configuration in a .ldaprc or
/etc/ldap.conf if available.

Ciao, Michael.

Re: How to verify server certificate

From: Fredrik M. <mel...@df...> - 2009-08-05 13:51:22

Attachments: smime.p7s

Hi again,

> Why should it be broken?

It's deliberately broken to test the program, and thanks to your reply
I've been able to catch this exception:

CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': 'Connect error'}

What I've so far *not* been able to provoke is an error because of an
expired certificate. Is there some way to do this?


> If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

ehm.. I caught a CONNECT_ERROR (see above)... ?


> Well, there's a reason why in Demo/initialize.py the TLS-related
options are
> set globally. Only in recent versions of OpenLDAP you can set these
options
> per connection.

Thanks, didn't know this. The thing is that I want to verify some
certificates and accept others no matter what, but I've been (what seems
to be) successfully to toggle this with ldap.OPT_X_TLS_NEVER and
ldap.OPT_X_TLS_DEMAND respectively.