<div dir="ltr"><div dir="ltr">To recap what happened off camera, you had me try out using raw sockets to connect to the ssl ldap port 636, like so:<div><br></div><div><span style="font-family:arial,sans-serif;font-size:16px">import socket</span><br style="font-family:arial,sans-serif;font-size:16px">
<span style="font-family:arial,sans-serif;font-size:16px">import ssl</span><br style="font-family:arial,sans-serif;font-size:16px"><span style="font-family:arial,sans-serif;font-size:16px">HOST = "your_host"</span><br style="font-family:arial,sans-serif;font-size:16px">
<span style="font-family:arial,sans-serif;font-size:16px">PORT = 636</span><br style="font-family:arial,sans-serif;font-size:16px"><span style="font-family:arial,sans-serif;font-size:16px">sock = socket.socket()</span><br style="font-family:arial,sans-serif;font-size:16px">
<span style="font-family:arial,sans-serif;font-size:16px">sock.connect((HOST, PORT))</span><br style="font-family:arial,sans-serif;font-size:16px"><span style="font-family:arial,sans-serif;font-size:16px">sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED,</span><br style="font-family:arial,sans-serif;font-size:16px">
<span style="font-family:arial,sans-serif;font-size:16px">ca_certs="your_ca_certs_file")</span><br></div><div><span style="font-family:arial,sans-serif;font-size:16px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:16px">This works on linux, both python 2.6 and 3.2, but on windows it fails. I tried 3.4.1, and going back with 3.3 and 3.2. With it working on Linux, I could use sock.getpeercert() to return the server certificate information. But this socket test got me thinking and I came across this on stackoverflow: </span><font face="arial, sans-serif"><span style="font-size:16px"><a href="http://stackoverflow.com/questions/19145097/getting-certificate-chain-with-python-3-3-ssl-module" target="_blank">http://stackoverflow.com/questions/19145097/getting-certificate-chain-with-python-3-3-ssl-module</a></span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:16px"><br></span></font></div><div><font face="arial, sans-serif"><span style="font-size:16px">I modified that code slightly to use PROTOCOL_TLSv1 and CERT_REQUIRED. This works on linux as is, but again fails on windows. Reading deeper into the ssl docs, I found SSLContext.load_default_certs() which got me thinking about the differences between Windows and Linux. Windows has a central certificate store. Using this method <a href="http://community.spiceworks.com/how_to/show/1839-installing-self-signed-ca-certificate-in-windows" target="_blank">http://community.spiceworks.com/how_to/show/1839-installing-self-signed-ca-certificate-in-windows</a></span></font><span style="font-family:arial,sans-serif;font-size:16px">, I imported my CA cert into Windows' cert store. I modified the code again to not use SSLContext.load_verify_locations() but instead load_default_certs() and this time it works. </span></div>
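<div>As an added example (not code from this thread, from python3-ldap or from Python's own docs), the two things the discussion above turns on can be checked without a server: whether the CA file is really PEM with only public certificates in it, and how the verifying context differs between load_verify_locations() (trust only the named CA) and load_default_certs() (trust every root in the platform store, which on Windows is the central certificate store). The CA_FILE and HOST values are placeholders, and the PEM/DER byte strings are constructed samples, not real certificates.</div>

```python
import re
import socket
import ssl

# Placeholders (assumptions for this example): replace with your own values.
CA_FILE = "your_ca_certs_file"   # PEM bundle holding the CA's public certificate(s)
HOST = "your_host"
PORT = 636

# Constructed sample inputs (not real certificates or keys) so the checks run offline.
SAMPLE_PEM_CA = b"""-----BEGIN CERTIFICATE-----
MIIBexampleCAbodyNotARealCertificate
-----END CERTIFICATE-----
"""
SAMPLE_PEM_WITH_KEY = SAMPLE_PEM_CA + b"""-----BEGIN RSA PRIVATE KEY-----
MIIEexampleKeyBodyNotARealKey
-----END RSA PRIVATE KEY-----
"""
SAMPLE_DER = b"\x30\x82\x01\x0a\x30\x82\x00\xb2"   # DER begins with an ASN.1 SEQUENCE, no PEM armour
SAMPLE_BOM_PEM = b"\xef\xbb\xbf" + SAMPLE_PEM_CA    # UTF-8 BOM written in front of the PEM header

BEGIN_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def inspect_pem(data: bytes) -> dict:
    """Answer the questions raised in the thread: is the file PEM, how many
    certificates does it hold, and does it (wrongly) carry a private key too?"""
    labels = BEGIN_RE.findall(data)
    first = data.find(b"-----BEGIN")
    return {
        "is_pem": first >= 0,
        "certificates": sum(1 for label in labels if label == b"CERTIFICATE"),
        "private_keys": sum(1 for label in labels if label.endswith(b"PRIVATE KEY")),
        # Bytes before the first header (a BOM, for instance) hide the PEM
        # "start line" from the parser, so the file fails to load.
        "junk_before_header": first > 0,
    }


def ca_file_looks_usable(data: bytes) -> bool:
    info = inspect_pem(data)
    return (info["is_pem"] and info["certificates"] >= 1
            and info["private_keys"] == 0 and not info["junk_before_header"])


def build_context(ca_file=None) -> ssl.SSLContext:
    """Verifying client context. With ca_file, trust only that CA; without it,
    fall back to the platform store, which trusts every root installed there."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """The raw-socket test from the thread, with hostname checking kept on."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, blob in [("ca", SAMPLE_PEM_CA), ("ca+key", SAMPLE_PEM_WITH_KEY),
                       ("der", SAMPLE_DER), ("bom", SAMPLE_BOM_PEM)]:
        print(name, inspect_pem(blob), "usable:", ca_file_looks_usable(blob))
    print(describe_context(build_context()))
    # Live check against a reachable LDAPS server:
    # print(fetch_peer_cert(HOST, PORT, build_context(CA_FILE))["subject"])
```

<div>Run it as a script to see the four sample files classified; only the last, commented-out line touches the network. The design point: falling back to load_default_certs() makes the connection work, but it widens trust from one internal CA to everything in the machine store, so once the CA file itself loads cleanly, pinning it with load_verify_locations() and keeping CERT_REQUIRED plus hostname checking is the setting to keep.</div>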
</div><div><div class="adm"><div class="h4" id="q_146b17b262ff81c6_1"><div>
</div></div></div><div class="im"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 17, 2014 at 12:15 AM, Python3-ldap <span dir="ltr"><<a href="mailto:python3ldap@gmail.com" target="_blank">python3ldap@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div><div><div style="font-family:Calibri,sans-serif;font-size:11pt">
Hi David, this seems a problem with the python ssl module; it raises an unknown error when trying to verify the CA cert. Are you sure that the CA certificate format is PEM and contains only the public key of your CA chain? Could you send me the CA certificate (it includes only the public key, so it is safe to send) so I can try it in my lab to see where the problem is.<br>
<br>Bye,<br>Giovanni<br><br></div></div><div dir="ltr"><hr><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">From: </span><span style="font-family:Calibri,sans-serif;font-size:11pt"><a href="mailto:tsk133@my.utsa.edu" target="_blank">David Noriega</a></span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">Sent: </span><span style="font-family:Calibri,sans-serif;font-size:11pt">17/06/2014 00.38</span><br><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">To: </span><span style="font-family:Calibri,sans-serif;font-size:11pt"><a href="mailto:python3ldap@gmail.com" target="_blank">python3ldap</a></span><br>
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold">Subject: </span><span style="font-family:Calibri,sans-serif;font-size:11pt">Re: [python3-ldap] TLS issue</span><br><br></div><div><div><div dir="ltr">
It's the same for either cert required or none. I have a secondary ldap server and tried against it, same thing. Even tried to test if there was a difference between 32bit and 64bit, same thing. <div><div>>>> c.open()</div>
<div>>>> c.start_tls()</div><div>Traceback (most recent call last):</div><div> File "<pyshell#24>", line 1, in <module></div><div> c.start_tls()</div><div> File "C:\Python34\lib\site-packages\ldap3\core\connection.py", line 584, in start_tls</div>
<div> if self.server.tls.start_tls(self):</div><div> File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 121, in start_tls</div><div> return self._start_tls(connection)</div><div> File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 124, in _start_tls</div>
<div> connection.socket = self.wrap_socket(connection, True)</div><div> File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 89, in wrap_socket</div><div> wrapped_socket = ssl.wrap_socket(connection.socket, keyfile=self.private_key_file, certfile=self.certificate_file, server_side=False, cert_reqs=self.validate, ssl_version=self.version, ca_certs=self.ca_certs_file, do_handshake_on_connect=do_handshake)</div>
<div> File "C:\Python34\lib\ssl.py", line 888, in wrap_socket</div><div> ciphers=ciphers)</div><div> File "C:\Python34\lib\ssl.py", line 511, in __init__</div><div> self._context.load_verify_locations(ca_certs)</div>
<div>ssl.SSLError: unknown error (_ssl.c:2734)</div><div><br></div></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jun 15, 2014 at 10:34 AM, python3ldap <span dir="ltr"><<a href="mailto:python3ldap@gmail.com" target="_blank">python3ldap@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">Hi David,<br>this seems an SSL problem. Can you try the following with a good CA and<br>
then with a WRONG CA cert file?<br><br>import ssl<br>from ldap3 import Server, Connection, Tls<br>t = Tls(ca_certs_file='your_ca_file', validate=ssl.CERT_REQUIRED)<br>s = Server('your_server', tls=t)<br>c = Connection(s, user='your_user', password='your_password')<br>
c.open()<br>c.start_tls()<br>c.bind()<br>c.close()<br><br>Then you should do the same with validate set to ssl.CERT_NONE.<br><br>Can you send me back the result of each statement?<br><br>Bye,<br>Giovanni<br><br><br>2014-06-13 19:45 GMT+02:00 David Noriega <<a href="mailto:tsk133@my.utsa.edu" target="_blank">tsk133@my.utsa.edu</a>>:<br>
<div><div>> Yes, port 389 is correct, this is how we use it. It's explained here:<br>> <a href="http://www.openldap.org/faq/data/cache/185.html" target="_blank">http://www.openldap.org/faq/data/cache/185.html</a><br>
><br>> I've been able to use the older python-ldap on 2.x previously, so I know it<br>> can work.<br>><br>> Here I can get some simple info from ldap:<br>>>>> import ldap3<br>>>>> s = ldap3.Server('X.X.X.X', port=389, get_info=ldap3.GET_ALL_INFO)<br>
>>>> c = ldap3.Connection(s, auto_bind=True)<br>>>>> print(<a href="http://s.info/" target="_blank">s.info</a>)<br>> DSA info (from DSE):<br>><br>> Supported LDAP Versions: 3<br>><br>
> Naming Contexts:<br>> <br>> dc=X,dc=X,dc=X<br>><br>> Supported Controls:<br>><br>> 1.3.6.1.4.1.4203.1.9.1.1 - LDAP content synchronization - Control -<br>> RFC4533<br>><br>> 2.16.840.1.113730.3.4.18 - Proxy Authorization Control - Control -<br>
> RFC6171<br>><br>> 2.16.840.1.113730.3.4.2 - ManageDsaIT - Control - RFC3296<br>><br>> 1.3.6.1.4.1.4203.1.10.1 - Subentries - Control - RFC3672<br>><br>> 1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696<br>
> <br>> 1.2.826.0.1.3344810.2.3 - Matched Values - Control - RFC3876<br>><br>> 1.3.6.1.1.13.2 - LDAP Post-read - Control - RFC4527<br>><br>> 1.3.6.1.1.13.1 - LDAP Pre-read - Control - RFC4527<br>
> <br>> 1.3.6.1.1.12 - Assertion - Control - RFC4528<br>><br>> Supported Extensions:<br>><br>> 1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513<br>><br>> 1.3.6.1.4.1.4203.1.11.1 - Modify Password - Extension - RFC3062<br>
> <br>> 1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532<br>><br>> 1.3.6.1.1.8 - Cancel Operation - Extension - RFC3909<br>><br>> Supported Features:<br>><br>> 1.3.6.1.1.14 - Modify-Increment - Feature - RFC4525<br>
> <br>> 1.3.6.1.4.1.4203.1.5.1 - All Op Attrs - Feature - RFC3673<br>><br>> 1.3.6.1.4.1.4203.1.5.2 - OC AD Lists - Feature - RFC4529<br>><br>> 1.3.6.1.4.1.4203.1.5.3 - True/False filters - Feature - RFC4526<br>
> <br>> 1.3.6.1.4.1.4203.1.5.4 - Language Tag Options - Feature - RFC3866<br>><br>> 1.3.6.1.4.1.4203.1.5.5 - language Range Options - Feature - RFC3866<br>><br>> Supported SASL Mechanisms:<br>><br>
> CRAM-MD5, GSSAPI, DIGEST-MD5<br>><br>> Schema Entry:<br>><br>> cn=Subschema<br>><br>> Other:<br>><br>> objectClass:<br>><br>> top<br>><br>> OpenLDAProotDSE<br>><br>
> monitorContext:<br>><br>> cn=Monitor<br>><br>> configContext:<br>><br>> cn=config<br>><br>> structuralObjectClass:<br>><br>> OpenLDAProotDSE<br>><br>> entryDN:<br>
> <br>> If I try to bind via AUTH_SIMPLE, the server responds as expected with<br>> confidentiality required message. I then try again by setting up a Tls<br>> object and I've tried with all CERT_ options but get the same error. This CA<br>
> cert file is good because it's currently used by all my systems for ldap<br>> authentication.<br>><br>><br></div></div></blockquote></div></div></div></div></div></blockquote></div></div></div></div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 12, 2014 at 5:24 PM, python3ldap <span dir="ltr"><<a href="mailto:python3ldap@gmail.com" target="_blank">python3ldap@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><font><span style="background-color:rgba(255,255,255,0)">Hi David,<br>are you sure that you must connect to the 389 port? Usually tls is on<br>
636 port. If 389 is right probably the CA file is wrong. In that case<br>I need some more info. You should try to connect without CA and<br>
without verifying the certificate chain.<br><br>Let me know.</span></font></div><div><font><span>Bye,</span></font></div><div><font><span>Giovanni</span></font></div><div><font><span><br></span></font><br>On Thursday 12 June 2014, David Noriega <<a href="mailto:tsk133@my.utsa.edu" target="_blank">tsk133@my.utsa.edu</a>> wrote:<div>
<div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr">On Windows 7 with Python 3.4.1 and python3-ldap 0.9.3.3<div>
<br></div><div>I'm trying to create a TLS connection to an ldap server over port 389 and I provide the CA cert file (in PEM format) but I get the following:</div>
<div><br></div><div><div>Traceback (most recent call last):</div><div> File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 134, in _open_socket</div><div> self.connection.socket = self.connection.server.tls.wrap_socket(self.connection, do_handshake=True)</div>
<div> File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 89, in wrap_socket</div><div> wrapped_socket = ssl.wrap_socket(connection.socket, keyfile=self.private_key_file, certfile=self.certificate_file, server_side=False, cert_reqs=self.validate, ssl_version=self.version, ca_certs=self.ca_certs_file, do_handshake_on_connect=do_handshake)</div>
<div> File "C:\Python34\lib\ssl.py", line 888, in wrap_socket</div><div> ciphers=ciphers)</div><div> File "C:\Python34\lib\ssl.py", line 511, in __init__</div><div> self._context.load_verify_locations(ca_certs)</div><div>ssl.SSLError: unknown error (_ssl.c:2734)</div><div><br></div>
<div>During handling of the above exception, another exception occurred:</div><div><br></div><div>Traceback (most recent call last):</div><div> File "<stdin>", line 1, in <module></div>
<div> File "C:\Python34\lib\site-packages\ldap3\core\connection.py", line 174, in __init__</div><div> self.open()</div><div> File "C:\Python34\lib\site-packages\ldap3\strategy\syncWait.py", line 49, in open</div><div> BaseStrategy.open(self, reset_usage)</div>
<div> File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 88, in open</div><div> self._open_socket(self.connection.server.ssl)</div>
<div> File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 139, in _open_socket</div><div> raise communication_exception_factory(LDAPSocketOpenError, e)(self.connection.last_error)</div>
<div>ldap3.core.exceptions.LDAPSocketOpenError: ('socket ssl wrapping error: unknown error (_ssl.c:2734)',)</div></div></div>
</blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br>-- <br><div dir="ltr">Have fun,<div>gc</div></div><br>
</font></span></blockquote></div><br></div>