Debugging SSL connections
michael at stroeder.com
Wed Jun 21 01:46:33 CEST 2006
Mike Orr wrote:
> On 6/20/06, Michael Ströder <michael at stroeder.com> wrote:
>> If you're using self-signed server certificates I can only comment that
>> you SHOULD NOT do this.
> I have no control over the server. And some organizations with tight
> budgets balk at paying $100 per year per domain to a company like
> Thawte that essentially does nothing.
Hint: You can run your own CA. Or there's also cacert.org.
>> > ldap_bind: Can't contact LDAP server (-1)
>> > additional info: error:14090086:SSL
>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> > Is there an option for "just accept the certificate anyway"?
>> Nope. That's by design of the OpenLDAP API.
>> You can define the server certificate as a CA certificate though. But
>> again, this undermines the security measures of SSL/TLS.
>> > Is there
>> > a list of LDAP options anywhere?
>> Why didn't you follow the advice in the e-mail you cited above:
>> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)
> Because I don't have a certificate file to point it to.
As I wrote above, you can point it to the server certificate file.
> I'm checking with the LDAP admins to see if they'll give us the
> certificate file. If not, I don't know what else to do.
Simply grab it with openssl s_client.
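As an added example that is not part of this thread or of python-ldap itself: the steps discussed above, in Python. It takes the text that `openssl s_client -showcerts` prints, pulls out the PEM certificate block(s), computes a SHA-256 fingerprint so the value can be compared with what the LDAP admins report before the file is trusted, writes the result to a CA file, and then configures python-ldap with `OPT_X_TLS_CACERTFILE` as suggested above. The sample s_client output is constructed (its certificate body is dummy base64, not a real X.509 certificate); the host name `ldap.example.org` and the `OPT_X_TLS_NEWCTX` call (needed by newer python-ldap releases after TLS options change) are assumptions, not something the thread states.

```python
import base64
import hashlib
import ssl

# Constructed sample: roughly what `openssl s_client -connect ldap.example.org:636 -showcerts`
# prints for a self-signed server certificate. The body is dummy data, not a real certificate.
SAMPLE_DER = b"constructed dummy certificate bytes, not real DER"
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER).decode("ascii")
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = ldap.example.org\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = ldap.example.org\n"
    "   i:CN = ldap.example.org\n"
    "-----BEGIN CERTIFICATE-----\n"
    + SAMPLE_B64
    + "-----END CERTIFICATE-----\n"
    "---\n"
    "Server certificate\n"
    "subject=CN = ldap.example.org\n"
    "issuer=CN = ldap.example.org\n"
)


def extract_pem_certs(s_client_output):
    """Return every PEM certificate block found in s_client output, in chain order."""
    certs, current = [], None
    for line in s_client_output.splitlines():
        if line == "-----BEGIN CERTIFICATE-----":
            current = [line]
        elif line == "-----END CERTIFICATE-----" and current is not None:
            current.append(line)
            certs.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return certs


def pem_to_der(pem):
    """Decode one PEM block to DER bytes (raises ValueError on a malformed block)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint, to compare out of band with the server admins."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_cacertfile(pems, path):
    """Write the extracted certificate(s) to the file OPT_X_TLS_CACERTFILE will point at."""
    with open(path, "w") as fh:
        fh.write("".join(pems))
    return path


def ldap_connection_with_cacert(uri, cacertfile):
    """Configure python-ldap to trust exactly the certificates in cacertfile and verify the server."""
    import ldap  # python-ldap; imported here so the rest of the module runs without it
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    # Assumption: newer python-ldap needs a fresh TLS context after TLS options change.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    return conn


if __name__ == "__main__":
    pems = extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)
    for pem in pems:
        print("SHA256 fingerprint:", sha256_fingerprint(pem))
    path = write_cacertfile(pems, "server-ca.pem")
    print("wrote", path, "- pass it to OPT_X_TLS_CACERTFILE once the fingerprint is confirmed")
```

Pointing `OPT_X_TLS_CACERTFILE` at the server's own certificate only works when that certificate is self-signed; for a certificate issued by an internal CA, the CA certificate (the last block s_client prints) is the one that belongs in the file.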