How to verify server certificate

Fredrik Melander melander at dfn-cert.de
Tue Aug 4 18:20:49 CEST 2009


Michael Ströder schrieb:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>   verify the server certificate? If so, how?
> 
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
> 
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/initialize.py:
> 
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> 
> Ciao, Michael.
> 


Hi Michael,
Thanks for the very fast reply!

I've been playing around with a certificate that should be broken
without having my script complain the least. I would have expected
python-ldap to throw an exception or similar but for the time being it
seems to be pretending that everything's alright.

Here's my connect-method in the class that's using ldap:


import ldap

def get_connection(self, connection_string):
	"Connect to ldap and return the handle"

	conn = ldap.initialize(connection_string)
	conn.protocol_version = ldap.VERSION3
	conn.set_option(ldap.OPT_REFERRALS, 0)
	# CA bundle meant to be used for checking the server certificate
	conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
	conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)

	conn.start_tls_s()
	conn.simple_bind_s(self.ldap_user, self.ldap_password)
	return conn

What is it that I'm misunderstanding here?

Best regards,
Fredrik
