How to verify server certificate

Fredrik Melander melander at dfn-cert.de
Wed Aug 5 15:43:55 CEST 2009


Hi again,

> Why should it be broken?

It's deliberately broken to test the program, and thanks to your reply
I've been able to catch this exception:

CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': 'Connect error'}

What I've so far *not* been able to provoke is an error because of an
expired certificate. Is there some way to do this?


> If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

ehm.. I caught a CONNECT_ERROR (see above)... ?


> Well, there's a reason why in Demo/initialize.py the TLS-related
> options are set globally. Only in recent versions of OpenLDAP you can
> set these options per connection.

Thanks, I didn't know this. The thing is that I want to verify some
certificates and accept others no matter what, but I've (as far as I can
tell) been able to toggle this successfully with ldap.OPT_X_TLS_NEVER and
ldap.OPT_X_TLS_DEMAND respectively.



More information about the python-ldap mailing list
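The open question in the message above is how to provoke an "expired certificate" failure in a test, next to the hostname mismatch that was already caught. The script below is an added example, not code from the original post or from python-ldap: it uses only the Python standard library plus the `openssl` command-line tool (assumed to be on PATH), builds a throwaway CA, signs one server certificate that is already expired by back-dating it with `openssl ca -startdate/-enddate`, and then performs real TLS handshakes against a local server. Verifying the chain and hostname corresponds to OPT_X_TLS_DEMAND, and disabling verification to OPT_X_TLS_NEVER; the Python `ssl` settings are the stand-in here, not python-ldap's own API. The hostname `ldap.example.org`, the file names and the use of a loopback port are assumptions, and the hostname is checked against the certificate's SAN rather than its CN.

```python
# Added example (not from the python-ldap project): provoke expired-certificate,
# hostname-mismatch and verification-disabled outcomes with the stdlib ssl module.
import datetime
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "ldap.example.org"  # assumed name placed in the server cert's SAN

# Minimal config for `openssl ca`; {dir} is filled in with the work directory.
CA_CNF = """[ ca ]
default_ca = CA_default
[ CA_default ]
dir = {dir}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
policy = policy_any
copy_extensions = copy
unique_subject = no
[ policy_any ]
commonName = supplied
"""


def _openssl(*args, cwd):
    subprocess.run(("openssl",) + args, cwd=cwd, check=True, capture_output=True)


def _stamp(delta_days):
    """ASN.1 GeneralizedTime string for now + delta_days, as openssl ca expects."""
    t = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=delta_days)
    return t.strftime("%Y%m%d%H%M%SZ")


def make_test_pki(workdir):
    """Create ca.pem and two server certs (srv-valid.pem, srv-expired.pem) sharing srv.key."""
    os.makedirs(os.path.join(workdir, "newcerts"))
    open(os.path.join(workdir, "index.txt"), "w").close()
    with open(os.path.join(workdir, "serial"), "w") as f:
        f.write("01\n")
    with open(os.path.join(workdir, "ca.cnf"), "w") as f:
        f.write(CA_CNF.format(dir=workdir))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
             "-keyout", "ca.key", "-out", "ca.pem", "-subj", "/CN=Throwaway Test CA", cwd=workdir)
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", "srv.key", "-out", "srv.csr",
             "-subj", "/CN=" + HOSTNAME, "-addext", "subjectAltName=DNS:" + HOSTNAME, cwd=workdir)
    # The only knob needed for an expired cert: back-date notBefore/notAfter at signing time.
    for name, start, end in (("srv-valid.pem", _stamp(-1), _stamp(30)),
                             ("srv-expired.pem", _stamp(-30), _stamp(-1))):
        _openssl("ca", "-batch", "-notext", "-config", "ca.cnf", "-in", "srv.csr", "-out", name,
                 "-startdate", start, "-enddate", end, cwd=workdir)


def _serve_once(certfile, keyfile, srv_sock):
    """Accept one TCP connection and attempt a TLS handshake presenting certfile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    conn, _ = srv_sock.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # returns EOF or raises once the client has closed or sent an alert
    except (ssl.SSLError, OSError):
        pass  # a client-side verification failure surfaces here as a TLS alert


def try_connect(workdir, certfile, mode, server_hostname):
    """Return None if the handshake succeeds, else (verify_code, verify_message).

    mode "demand": verify the chain against ca.pem and check the hostname.
    mode "never":  accept whatever certificate the server presents.
    """
    srv_sock = socket.create_server(("127.0.0.1", 0))
    port = srv_sock.getsockname()[1]
    t = threading.Thread(target=_serve_once, daemon=True, args=(
        os.path.join(workdir, certfile), os.path.join(workdir, "srv.key"), srv_sock))
    t.start()
    if mode == "demand":
        ctx = ssl.create_default_context(cafile=os.path.join(workdir, "ca.pem"))
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname):
                return None
    except ssl.SSLCertVerificationError as e:
        return (e.verify_code, e.verify_message)  # 10 = expired, 62 = hostname mismatch
    finally:
        t.join(5)
        srv_sock.close()


def run_demo():
    """Run the four scenarios and return {scenario: result}."""
    with tempfile.TemporaryDirectory() as d:
        make_test_pki(d)
        return {
            "demand/valid": try_connect(d, "srv-valid.pem", "demand", HOSTNAME),
            "demand/wrong-name": try_connect(d, "srv-valid.pem", "demand", "wrong.example.org"),
            "demand/expired": try_connect(d, "srv-expired.pem", "demand", HOSTNAME),
            "never/expired": try_connect(d, "srv-expired.pem", "never", HOSTNAME),
        }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(scenario, "->", "handshake OK" if result is None else result)
```

The same back-dated srv-expired.pem (with srv.key and ca.pem) can be installed in a test LDAP server, which is what is needed to exercise the expired-certificate branch of an application that connects with OPT_X_TLS_DEMAND; the "never/expired" row shows why a connection configured with OPT_X_TLS_NEVER will not notice.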