Debugging SSL connections

Michael Ströder michael at stroeder.com
Wed Jun 21 01:05:26 CEST 2006


Mike Orr wrote:
> 
> I couldn't find anything about SSL in the
> python-ldap or openldap documentation, but a Google search found this
> letter from 2003:
> http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> [..]
> But I don't have a certificate to authenticate against.  Mozilla
> Thunderbird works fine without it

Are you sure that you never imported the appropriate CA certificate into
the Mozilla cert store? Or do you hit "Accept forever" on each unknown
issuer? Bad idea!

>   "openssl s_client -connect
> target:636" ends with:
> "Verify return code: 19 (self signed certificate in certificate chain)"
> 
> This is not surprising; our organization always uses self-signed
> certificates.

You have to install the CA certificate which issued the SSL server
certificate as a trusted root certificate into each piece of software
using it.

If you're using self-signed server certificates I can only comment that
you SHOULD NOT do this.

> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> Is there an option for "just accept the certificate anyway"?

Nope. That's by design of the OpenLDAP API.

You can define the server certificate as a CA certificate though. But
again, this undermines the security measures of SSL/TLS.

>  Is there
> a list of LDAP options anywhere?

Why didn't you follow the advice in the e-mail you cited above:

ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)

> Is there a HOWTO anywhere for using python-ldap with SSL?

See demo script Demo/initialize.py in python-ldap's source distribution.

Ciao, Michael.
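An added example, not code from this thread or from the python-ldap
project, showing the setup the reply above points at: pin the issuing CA
with OPT_X_TLS_CACERTFILE, demand a verified chain instead of "accept
anyway", and turn the OpenSSL error string from the ldap_bind output
above into a clear remediation message. Assumptions: python-ldap with
OPT_X_TLS_NEWCTX (2.4 or later on OpenLDAP 2.4), the URI and CA file
path are placeholders, and the numeric error decoding follows the
OpenSSL 1.x error-code layout that produced 0x14090086 in the post
(OpenSSL 3 packs the fields differently, so the check itself relies on
the reason text, which is stable).

```python
"""Verified TLS connection to an LDAP server with python-ldap.

Added example for the python-ldap thread on debugging SSL connections;
it is not code from the original post or from the python-ldap project.
"""
import re
import sys

# OpenSSL 1.x packs an error as 0xLLFFFRRR: library (8 bits), function
# (12 bits), reason (12 bits). The post's 0x14090086 is lib 20 (ERR_LIB_SSL),
# func 144 (SSL3_GET_SERVER_CERTIFICATE), reason 134 (CERTIFICATE_VERIFY_FAILED).
# OpenSSL 3 uses a different packing, so only the text fields are trusted below.
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")

def decode_openssl_error(info):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its parts.

    Returns None when `info` carries no OpenSSL error string at all."""
    m = _ERR_RE.search(info or "")
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": code >> 24,              # OpenSSL 1.x layout, see comment above
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "library": m.group(2),
        "function": m.group(3),
        "reason_text": m.group(4).strip(),
    }

def is_cert_verify_failure(info):
    """True when the OpenSSL reason is 'certificate verify failed', i.e. the
    server certificate does not chain to any trusted CA we configured."""
    err = decode_openssl_error(info)
    return bool(err) and err["reason_text"] == "certificate verify failed"

def connect_verified(uri, cacertfile, binddn="", password=""):
    """Open `uri` (ldaps://, or ldap:// upgraded with STARTTLS) and refuse any
    server certificate that does not verify against `cacertfile` (PEM)."""
    import ldap  # python-ldap; imported here so the parsing helpers work without it

    conn = ldap.initialize(uri)
    # Trust anchor: the CA certificate that issued the server certificate.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    # DEMAND aborts the handshake on an unverifiable chain. OPT_X_TLS_NEVER or
    # OPT_X_TLS_ALLOW would be the "accept anyway" the thread warns against.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Per-connection TLS options only apply once a fresh TLS context is built.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    try:
        if uri.lower().startswith("ldap://"):
            conn.start_tls_s()
        conn.simple_bind_s(binddn, password)
    except ldap.SERVER_DOWN as e:
        # python-ldap puts the libldap 'info' text (the OpenSSL error) in args[0].
        info = e.args[0].get("info", "") if e.args and isinstance(e.args[0], dict) else str(e)
        if is_cert_verify_failure(info):
            raise RuntimeError(
                "TLS verification failed for %s: the server certificate does not "
                "chain to %s. Install the issuing CA certificate there; do not "
                "lower OPT_X_TLS_REQUIRE_CERT." % (uri, cacertfile)) from e
        raise
    return conn

if __name__ == "__main__":
    # Placeholder usage: python this_script.py ldaps://ldap.example.org:636 /etc/ssl/certs/our-ca.pem
    if len(sys.argv) != 3:
        sys.exit("usage: %s ldaps://host:636 /path/to/ca.pem" % sys.argv[0])
    c = connect_verified(sys.argv[1], sys.argv[2])
    print("verified TLS connection, bound as:", c.whoami_s())
```

If the CA file is the only thing the client lacks, the same file also
fixes the command-line tools: `openssl s_client -CAfile ca.pem -connect
target:636` should then report "Verify return code: 0 (ok)" instead of
19, and ldapsearch picks the file up from TLS_CACERT in ldap.conf.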
