How to verify server certificate

Fredrik Melander melander at
Wed Aug 5 15:43:55 CEST 2009

Hi again,

> Why should it be broken?

It's deliberately broken to test the program, and thanks to your reply
I've been able to catch this exception:

CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': 'Connect error'}

What I've so far *not* been able to provoke is an error because of an
expired certificate. Is there some way to do this?

> If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

ehm.. I caught a CONNECT_ERROR (see above)... ?

> Well, there's a reason why in Demo/ the TLS-related
options are
> set globally. Only in recent versions of OpenLDAP you can set these
> per connection.

Thanks, didn't know this. The thing is that I want to verify some
certificates and accept others no matter what, but I've been (what seems
to be) successfully to toggle this with ldap.OPT_X_TLS_NEVER and
ldap.OPT_X_TLS_DEMAND respectively.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5927 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the python-ldap mailing list