Debugging SSL connections
sluggoster at gmail.com
Wed Jun 21 01:38:36 CEST 2006
On 6/20/06, Michael Ströder <michael at stroeder.com> wrote:
> Mike Orr wrote:
> > I couldn't find anything about SSL in the
> > python-ldap or openldap documentation, but a Google search found this
> > letter from 2003:
> > http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> > [..]
> > But I don't have a certificate to authenticate against. Mozilla
> > Thunderbird works fine without it
> Are you sure that you never imported the appropriate CA certificate into
> Mozilla cert store? Or do you hit "Accept forever" on each unknown
> issuer? Bad idea!
Oh that's right, Mozilla did pop up an "Unknown certificate" dialog.
> > "openssl s_client -connect target:636" ends with:
> > "Verify return code: 19 (self signed certificate in certificate chain)"
> > This is not surprising; our organization always uses self-signed
> > certificates.
> You have to install the CA certificate which issued the SSL server
> certificate available as trusted root certificate into each software
> using it.
> If you're using self-signed server certificates I can only comment that
> you SHOULD NOT do this.
I have no control over the server. And some organizations with tight
budgets balk at paying $100 per year per domain to a company like
Thawte that essentially does nothing.
> > ldap_bind: Can't contact LDAP server (-1)
> > additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > Is there an option for "just accept the certificate anyway"?
> Nope. That's by design of the OpenLDAP API.
> You can define the server certificate as CA certificate though. But
> again, this undermines security measures of SSL/TLS.
> > Is there a list of LDAP options anywhere?
> Why didn't you follow the advice in the e-mail you cited above:
> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)
Because I don't have a certificate file to point it to.
I'm checking with the LDAP admins to see if they'll give us the
certificate file. If not, I don't know what else to do.
Mike Orr <sluggoster at gmail.com>
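An added example, not code from the thread or from python-ldap itself: it takes the chain that `openssl s_client -showcerts` prints for the failing server, keeps only the self-issued certificate (the organization's own CA, which is what verify code 19 says is missing from the trust store), and points python-ldap at it via OPT_X_TLS_CACERTFILE with verification enforced, instead of "accept anyway". The s_client output below is constructed, and the names in it are placeholders; it assumes a current python-ldap for the last function only.

```python
import re

# Constructed sample of `openssl s_client -connect target:636 -showcerts` output
# (PEM bodies shortened); names are placeholders, not a real server.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/O=Example Org/CN=ldap.example.org
   i:/O=Example Org/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIC...leaf...
-----END CERTIFICATE-----
 1 s:/O=Example Org/CN=Example Internal CA
   i:/O=Example Org/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIC...root...
-----END CERTIFICATE-----
---
Verify return code: 19 (self signed certificate in certificate chain)
"""

# One match per cert: the s:/i: subject and issuer lines, then the PEM block.
CERT_RE = re.compile(
    r"^\s*\d+ s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_chain(output):
    """(subject, issuer, pem) for every certificate s_client printed."""
    return [(m["subject"], m["issuer"], m["pem"]) for m in CERT_RE.finditer(output)]

def verify_return_code(output):
    """OpenSSL's verify result; 19 = chain ends in a root that is not yet trusted."""
    m = re.search(r"^Verify return code: (\d+)", output, re.M)
    return int(m.group(1)) if m else -1

def ca_bundle(output):
    """PEM of the self-issued cert(s) only: trust the root, not the leaf and
    not 'accept anyway'; code 18 (leaf itself self-signed) yields the leaf."""
    roots = [pem for subj, iss, pem in parse_chain(output) if subj == iss]
    if verify_return_code(output) not in (18, 19) or not roots:
        raise ValueError("no self-signed anchor found; investigate, do not bypass")
    return "\n".join(roots) + "\n"

def configure_python_ldap(uri, ca_path):
    """The fix the thread cites: OPT_X_TLS_CACERTFILE plus mandatory verification.
    python-ldap is imported here so the parsing above also runs without it."""
    import ldap
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_path)   # file written from ca_bundle()
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    return ldap.initialize(uri)
```

Write `ca_bundle(...)` to a file once, hand that path to `configure_python_ldap("ldaps://target:636", path)`, and the bind in the thread succeeds with the chain actually verified.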