How to verify server certificate
Michael Ströder
michael at stroeder.com
Tue Aug 4 18:25:11 CEST 2009
Fredrik Melander wrote:
> Michael Ströder schrieb:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>> verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Thanks for the very fast reply!
>
> I've been playing around with a certificate that should be broken
> without having my script complain the least.
Why should it be broken?
> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.
If the cert or hostname validation fails ldap.SERVER_DOWN is raised.
> Here's my connect-method in the class that's using ldap:
>
> def get_connection(self, connection_string):
> "Connect to ldap and return the handle"
>
> conn = ldap.initialize(connection_string)
> conn.protocol_version = ldap.VERSION3
> conn.set_option(ldap.OPT_REFERRALS, 0)
> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
> conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
>
> conn.start_tls_s()
> conn.simple_bind_s(self.ldap_user, self.ldap_password)
> return conn
>
> What is it that I'm misunderstanding here?
Well, there's a reason why in Demo/initialize.py the TLS-related options are
set globally. Only in recent versions of OpenLDAP you can set these options
per connection.
And libldap might also use TLS-related configuration in a .ldaprc or
/etc/ldap.conf if available.
Ciao, Michael.
More information about the python-ldap
mailing list