Debugging SSL connections

Michael Ströder michael at stroeder.com
Wed Jun 21 01:46:33 CEST 2006


Mike Orr wrote:
> On 6/20/06, Michael Ströder <michael at stroeder.com> wrote:
> 
>> If you're using self-signed server certificates I can only comment that
>> you SHOULD NOT do this.
> 
> I have no control over the server.  And some organizations with tight
> budgets balk at paying $100 per year per domain to a company like
> Thawte that essentially does nothing.

Hint: You can run your own CA. Or there's also cacert.org.

>> > ldap_bind: Can't contact LDAP server (-1)
>> >         additional info: error:14090086:SSL
>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> >
>> > Is there an option for "just accept the certificate anyway"?
>>
>> Nope. That's by design of the OpenLDAP API.
>>
>> You can define the server certificate as CA certificate though. But
>> again, this undermines security measures of SSL/TLS.
>>
>> >  Is there
>> > a list of LDAP options anywhere?
>>
>> Why didn't you follow the advice in the e-mail you cited above:
>>
>> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)
> 
> Because I don't have a certificate file to point it to.

As I wrote above you can point to the server certificate file.

> I'm checking with the LDAP admins to see if they'll give us the
> certificate file.  If not, I don't know what else to do.

Simply grab it with openssl s_client.

Ciao, Michael.
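The procedure the thread converges on (fetch the self-signed server certificate, then hand that file to python-ldap as the "CA" via OPT_X_TLS_CACERTFILE) can be done end to end from Python. The following is an added example and not code from the thread or from python-ldap itself; it uses ssl.get_server_certificate from the standard library in place of openssl s_client, and assumes the LDAP admins have communicated the certificate's SHA-256 fingerprint over a trusted channel so the fetched certificate can be checked before it is pinned. The host, port and fingerprint values are placeholders.

```python
"""Pin a self-signed LDAP server certificate for python-ldap (added example)."""
import hashlib
import ssl


def fetch_server_cert_pem(host, port=636):
    """Fetch the server's leaf certificate as PEM *without* verifying it.

    This is the Python counterpart of `openssl s_client -connect host:port`.
    Nothing about the returned certificate is trusted yet: anyone on the
    path could have served it, so it must be checked out of band.
    """
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """Return the SHA-256 fingerprint of a PEM certificate.

    Output uses the colon-separated upper-case form that
    `openssl x509 -noout -fingerprint -sha256` prints, so it can be
    compared directly with what the server admins report.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the PEM armour, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_pinned_cert(pem, path, expected_fingerprint):
    """Write the certificate to `path` only if its fingerprint matches.

    `expected_fingerprint` is the value obtained from the LDAP admins over a
    channel other than this TLS connection. A mismatch means the fetched
    certificate is not the one we were told to expect and must not be pinned.
    """
    actual = sha256_fingerprint(pem)
    wanted = expected_fingerprint.upper().replace(" ", "")
    if actual != wanted:
        raise ValueError("certificate fingerprint mismatch: got %s, expected %s"
                         % (actual, wanted))
    with open(path, "w") as fh:
        fh.write(pem)
    return actual


def connect_with_pinned_cert(uri, cacert_path):
    """Open a python-ldap connection that only accepts the pinned certificate.

    Pointing OPT_X_TLS_CACERTFILE at the server's own certificate is the
    workaround discussed in the thread: it makes that one certificate the
    trust anchor. OPT_X_TLS_DEMAND keeps verification switched on, so a
    different certificate (or a hostname that does not match the certificate)
    still fails the bind instead of being silently accepted.
    """
    import ldap  # python-ldap; imported here so the rest works without it
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_path)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    return ldap.initialize(uri)


if __name__ == "__main__":
    # Placeholder values: replace with the real server and the fingerprint
    # obtained from the LDAP admins out of band.
    HOST, PORT = "ldap.example.org", 636
    EXPECTED = "PLACEHOLDER:FINGERPRINT:FROM:ADMINS"
    pem = fetch_server_cert_pem(HOST, PORT)
    print("fetched certificate, fingerprint", sha256_fingerprint(pem))
    save_pinned_cert(pem, "/tmp/ldap-server.pem", EXPECTED)
    conn = connect_with_pinned_cert("ldaps://%s:%d" % (HOST, PORT), "/tmp/ldap-server.pem")
    conn.simple_bind_s()
```

The fingerprint check is what turns "just accept the certificate anyway" into something defensible: the first fetch is blind, but the certificate is only pinned once it matches a value that did not travel over the unverified connection. Note that OpenLDAP still matches the URI's hostname against the certificate, so the URI must use the name the certificate was issued for; and because the server certificate itself is the trust anchor, the pinned file has to be replaced whenever the server's certificate is renewed.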
