Expired server certificate

Michael Ströder michael at stroeder.com
Tue Aug 11 13:05:00 CEST 2009


Fredrik Melander wrote:
> I've given my LDAP server an expired cert for testing, but when calling
> start_tls_s() the script just proceeds as if nothing were wrong.

Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
validation is completely done within the OpenSSL libs, except the host name
checking.

Could you please test with OpenLDAP's command-line tool ldapsearch? This is
important: please use the tool which uses the very same libldap also used for
python-ldap.

If ldapsearch fails, this would be something to raise on the openldap-software
mailing list, together with information about your build of libldap and the
SSL/TLS libs used. Note that libldap could be built with GnuTLS or, today, even
with Mozilla's libnss.

Ciao, Michael.
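One way to run the ldapsearch check suggested above, as an added example that is not part of the original thread. The host name and CA file path are placeholders; the check relies on OpenLDAP's LDAPTLS_REQCERT and LDAPTLS_CACERT client settings so that libldap refuses the StartTLS handshake unless the server certificate validates.

```shell
#!/bin/sh
# Added example (not from the original post): ask the libldap behind
# ldapsearch to demand certificate validation, then report whether it
# accepted or refused the server certificate. Host and CA path are
# hypothetical placeholders.

# Map the ldapsearch exit status to a verdict about the TLS handshake.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "accepted: libldap trusted the server certificate"
    else
        echo "rejected: libldap refused the TLS handshake (exit $1)"
    fi
}

# Run ldapsearch against $1 with the CA bundle in $2.
#   LDAPTLS_REQCERT=demand  refuse the connection unless the cert validates
#   -ZZ                     StartTLS must succeed, otherwise abort
#   -x                      simple (anonymous) bind
#   -b '' -s base 1.1       read the root DSE, returning no attributes
starttls_cert_check() {
    host="$1"
    cacert="$2"
    status=0
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$cacert" \
        ldapsearch -H "ldap://$host" -ZZ -x -b '' -s base -LLL 1.1 \
        >/dev/null 2>&1 || status=$?
    verdict "$status"
}

main() {
    # Placeholder values; substitute your LDAP host and its CA bundle.
    starttls_cert_check "${1:-ldap.example.test}" \
        "${2:-/etc/ssl/certs/example-ca.pem}"
}

# Only contact a server when invoked with explicit arguments.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

If the handshake is refused here but python-ldap with the same libldap still connects, the difference lies in the client-side TLS options rather than in the TLS library's validation.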
