Debugging SSL connections

Mike Orr sluggoster at gmail.com
Wed Jun 21 01:38:36 CEST 2006


On 6/20/06, Michael Ströder <michael at stroeder.com> wrote:
> Mike Orr wrote:
> >
> > I couldn't find anything about SSL in the
> > python-ldap or openldap documentation, but a Google search found this
> > letter from 2003:
> > http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> > [..]
> > But I don't have a certificate to authenticate against.  Mozilla
> > Thunderbird works fine without it.
>
> Are you sure that you never imported the appropriate CA certificate into
> Mozilla cert store? Or do you hit "Accept forever" on each unknown
> issuer? Bad idea!

Oh that's right, Mozilla did pop up an "Unknown certificate" dialog.

> >   "openssl s_client -connect
> > target:636" ends with:
> > "Verify return code: 19 (self signed certificate in certificate chain)"
> >
> > This is not surprising; our organization always uses self-signed
> > certificates.
>
> You have to install the CA certificate which issued the SSL server
> certificate available as trusted root certificate into each software
> using it.
>
> If you're using self-signed server certificates I can only comment that
> you SHOULD NOT do this.

I have no control over the server.  And some organizations with tight
budgets balk at paying $100 per year per domain to a company like
Thawte that essentially does nothing.

> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Is there an option for "just accept the certificate anyway"?
>
> Nope. That's by design of the OpenLDAP API.
>
> You can define the server certificate as CA certificate though. But
> again, this undermines security measures of SSL/TLS.
>
> >  Is there
> > a list of LDAP options anywhere?
>
> Why didn't you follow the advice in the e-mail you cited above:
>
> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)

Because I don't have a certificate file to point it to.

I'm checking with the LDAP admins to see if they'll give us the
certificate file.  If not, I don't know what else to do.

-- 
Mike Orr <sluggoster at gmail.com>
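Added example (not code from Mike, Michael or the python-ldap project): it turns the `openssl s_client` "Verify return code" line quoted above into a diagnosis, and shows the bind with verification kept on rather than bypassed. It assumes a current python-ldap that has `OPT_X_TLS_NEWCTX` (newer than this 2006 thread) and a CA certificate file obtained from the LDAP admins.

```python
"""Diagnose an `openssl s_client` verify result and open a verified LDAPS
connection with python-ldap (added example, not from the thread)."""
import re

# OpenSSL X509_V_ERR_* codes seen most often on LDAPS, with the defender's fix.
VERIFY_CODES = {
    0:  ("ok", "chain verified against the trust store"),
    10: ("certificate has expired", "renew the server certificate"),
    18: ("self signed certificate", "server cert is its own issuer; have it "
         "issued by an (internal) CA whose certificate you can trust instead"),
    19: ("self signed certificate in certificate chain", "server chain ends in "
         "a private CA; obtain that CA cert and point OPT_X_TLS_CACERTFILE at it"),
    20: ("unable to get local issuer certificate", "issuer missing from the CA "
         "file, or the server sends an incomplete chain"),
    21: ("unable to verify the first certificate", "server sends only the leaf; "
         "fix the server's chain or add the intermediate CA to the CA file"),
}

def diagnose(s_client_output: str):
    """Return (code, reason, advice) from the 'Verify return code' line, or
    None when the output has no such line."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", s_client_output)
    if not m:
        return None
    code = int(m.group(1))
    _, advice = VERIFY_CODES.get(code, ("unknown", "consult `openssl verify`"))
    return code, m.group(2), advice

def connect_ldaps(uri: str, cacertfile: str):
    """Bind over LDAPS with certificate verification enforced, never disabled.
    Assumes a current python-ldap; OPT_X_TLS_NEWCTX is what makes the
    per-connection TLS options take effect before the handshake."""
    import ldap  # imported here so diagnose() runs without python-ldap installed
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.simple_bind_s()  # anonymous bind; a failed verify raises ldap.SERVER_DOWN
    return conn

# Constructed sample: the tail of the s_client output quoted in the thread.
SAMPLE = "...\nVerify return code: 19 (self signed certificate in certificate chain)\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```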


