SSL and AD

geert.van.muylem at utimaco.be geert.van.muylem at utimaco.be
Tue Oct 17 19:03:04 CEST 2006


Hi Michael,

Here is the result with openssl. It also "sometimes" works...


gvm at endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile 
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem 
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

gvm at endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile 
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem 
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15318:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
gvm at endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile 
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem 
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1

---
Certificate chain
 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - 
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust 
Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - 
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust 
Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification 
Services Division/CN=Thawte Personal Freemail 
CA/emailAddress=personal-freemail at thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification 
Services Division/CN=Thawte Personal Premium 
CA/emailAddress=personal-premium at thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital 
Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification 
Services Division/CN=Thawte Personal Basic 
CA/emailAddress=personal-basic at thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - 
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust 
Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE 
CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft 
Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - 
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust 
Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE 
CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 
830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
    Session-ID-ctx:
    Master-Key: 
2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
    Key-Arg   : None
    Start Time: 1161103751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
gvm at endor:~/Temp/PYSSL> 


Thanks,
Geert

Michael Ströder <michael at stroeder.com>
Sent by: python-ldap-dev-bounces at lists.sourceforge.net
10/17/2006 06:18 PM
 
        To:     geert.van.muylem at utimaco.be
        cc:     python-ldap-dev at lists.sourceforge.net
        Subject:        Re: SSL and AD


geert.van.muylem at utimaco.be wrote:
>
> Strange things are happening: It sometimes works.

Hmm, this kind of error we all like most... ;-)

> I can sometime make an
> ssl connection with client authentication,
> search for some entries,,,

Could you please verify that your connection always works on
command-line without python-ldap?

openssl s_client ...

Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
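Michael's suggestion above is to take python-ldap out of the picture and see whether the plain command-line handshake is itself flaky. Geert's three runs show it is: two end in the SSL23_WRITE "ssl handshake failure", one completes with "Verify return code: 0 (ok)". The script below is an added example, not code from this thread or from python-ldap. It runs the same `openssl s_client` command line (same -connect, -CAfile, -cert and -key flags) repeatedly and tallies the outcomes, so an intermittent failure shows up as a ratio instead of an anecdote. The host, port and file names are placeholders, and the two sample transcripts are constructed from the excerpts pasted above, not captured live. Note that `openssl` writes the error line to stderr and the rest to stdout, so both streams are concatenated before classification.

```python
"""Repeat the `openssl s_client` probe from the thread and tally the outcomes.

Added example; not from the thread or from python-ldap. Host, port and file
paths are placeholders, and the sample transcripts are constructed from the
excerpts in the thread rather than captured live.
"""
import collections
import re
import subprocess

# Patterns taken from the two kinds of s_client output seen in the thread.
HANDSHAKE_FAILURE = re.compile(r"ssl handshake failure|SSL23_WRITE")
VERIFY_CODE = re.compile(r"Verify return code: (\d+)")


def build_s_client_cmd(host, port, cafile, cert, key):
    """Command line equivalent to the one run in the thread."""
    return [
        "openssl", "s_client",
        "-connect", f"{host}:{port}",
        "-CAfile", cafile,
        "-cert", cert,
        "-key", key,
    ]


def classify(output):
    """Reduce one s_client transcript (stdout + stderr) to an outcome label.

    "ok"                -> handshake completed and chain verification returned 0
    "handshake_failure" -> the SSL23_WRITE / "ssl handshake failure" case
    "verify_failed"     -> handshake finished but the chain did not verify
    "unknown"           -> anything else (connection refused, timeout, ...)
    """
    if HANDSHAKE_FAILURE.search(output):
        return "handshake_failure"
    m = VERIFY_CODE.search(output)
    if m:
        return "ok" if m.group(1) == "0" else "verify_failed"
    return "unknown"


def probe(cmd, attempts=20, timeout=10):
    """Run the probe `attempts` times and return a Counter of outcome labels.

    stdin is given EOF immediately so s_client exits right after the handshake
    instead of waiting for interactive input.
    """
    tally = collections.Counter()
    for _ in range(attempts):
        try:
            r = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            tally["unknown"] += 1
            continue
        text = r.stdout.decode("utf-8", "replace") + r.stderr.decode("utf-8", "replace")
        tally[classify(text)] += 1
    return tally


# Constructed transcripts modelled on the two outcomes pasted in the thread.
SAMPLE_FAILURE = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

SAMPLE_OK = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Verify return code: 0 (ok)
---
read:errno=0
"""

if __name__ == "__main__":
    # Placeholder target and paths; substitute the real ones before running.
    cmd = build_s_client_cmd("192.168.1.5", 636, "rootca.pem", "endor-crt.pem", "endor-key.pem")
    print(" ".join(cmd))
    print(probe(cmd, attempts=10))
```

A tally such as `Counter({'handshake_failure': 7, 'ok': 3})` reproduces the intermittent behaviour Geert describes and confirms it is not specific to python-ldap; a clean run of all `ok` would point back at the python-ldap side (TLS option setup, connection reuse) instead. The failure pattern matches the generic "ssl handshake failure" text as well as the SSL23_WRITE function name, since newer OpenSSL builds no longer use the SSL23 naming.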