Expired server certificate

Fredrik Melander melander at dfn-cert.de
Wed Aug 19 14:03:47 CEST 2009


> Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
> validation is completely done within the OpenSSL libs, except the host name
> checking.
> 
> Could you please test with OpenLDAP's command-line tool ldapsearch. This is
> important: Please use the tool which uses the very same libldap also used for
> python-ldap.
> 
> If ldapsearch fails this would be something to raise on the openldap-software
> mailing list together with information about your build of libldap and the
> SSL/TLS libs used. Note that libldap could be built with GnuTLS or today even
> with Mozilla's libnss.
> 
> Ciao, Michael.
Hi, Michael.
Thanks for your reply. I've been looking into this, trying stuff on
different machines and once again it's the frustrating issue of
different OpenLDAP versions.
You might not remember this but I posted a question to this list a
couple of months ago about the chase referrals flag which also turned
out to be treated differently depending on OpenLDAP version.

One of my machines here (let's call it A) has the RPM
openldap2-client-2.3.37-20.8 installed, whereas another one (B) has
openldap2-client-2.4.9-7.4 (libldap-2.3.so.0 and libldap-2.4.so.2
respectively).

Of course you're right that python-ldap has nothing to do with this,
since ldapsearch gives the same results:

Computer A:
ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ

ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Computer B:
ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ

# extended LDIF
#
# LDAPv3
# base <o=myorg,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#


I'm posting this in case somebody runs into similar issues and also in
the hope that somebody has a suggestion on how to solve this. I might
also need to point out that it isn't about these two computers only.
That would be trivial. The application is going to be distributed in a
fairly big organization and I can't possibly demand that everybody has
the same OpenLDAP version.

The most frustrating thing is perhaps that it is the old version that
has the desired behaviour. I know this is a bit off topic, but surely
there must be a way to check this also in later versions? It'd be much
appreciated if anybody could point me in the right direction here.

Best regards,
Fredrik
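Since the quoted reply points out that certificate validation happens inside whichever TLS library libldap was built against, one way to get the same answer on every machine, regardless of the installed OpenLDAP version or its ldap.conf, is to check the server certificate independently with Python's own ssl module. The following is an added example written for this thread; it is not code from the python-ldap project or from either poster. It speaks just enough LDAP to send the StartTLS extended request that "ldapsearch -ZZ" sends on port 389, then hands the socket to ssl.create_default_context(), which requires a valid chain and a matching host name and raises ssl.SSLError (CERTIFICATE_VERIFY_FAILED, "certificate has expired") for an expired server certificate. The function names, the cafile argument and the host name are the example's own assumptions, and it needs Python 3.

```python
import socket
import ssl
import time

# StartTLS extended operation OID from RFC 4511 (the same one ldapsearch -ZZ uses).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n):
    """Encode a BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID INTEGER,
                     ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }
    message_id is assumed to be below 128 so it fits one INTEGER byte."""
    request_name = b"\x80" + _ber_len(len(START_TLS_OID)) + START_TLS_OID
    ext_request = b"\x77" + _ber_len(len(request_name)) + request_name
    msg_id = b"\x02\x01" + bytes([message_id])
    body = msg_id + ext_request
    return b"\x30" + _ber_len(len(body)) + body


def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    else:
        pos += 2
    return tag, buf[pos:pos + length], pos + length


def parse_extended_result_code(response):
    """Return the resultCode of an ExtendedResponse (0 = success); raise on anything else."""
    tag, msg, _ = _tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _tlv(msg, 0)            # messageID INTEGER
    tag, ext, _ = _tlv(msg, pos)
    if tag != 0x78:                           # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _tlv(ext, 0)               # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def certificate_is_expired(cert, now=None):
    """cert is the dict ssl.SSLSocket.getpeercert() returns; compare its notAfter with now."""
    now = time.time() if now is None else now
    return now > ssl.cert_time_to_seconds(cert["notAfter"])


def check_ldap_starttls_certificate(host, port=389, cafile=None, timeout=10):
    """Connect in the clear, issue StartTLS, then let Python's OpenSSL binding verify
    the chain and host name. Returns the verified peer certificate dict; raises
    ssl.SSLError when verification fails (expired cert, unknown CA, wrong name)."""
    # create_default_context(): verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        code = parse_extended_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode=%d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "host.domain.de"  # host from the thread
    try:
        peer = check_ldap_starttls_certificate(target)
        print("verified; notAfter =", peer["notAfter"])
    except ssl.SSLError as exc:
        print("certificate verification failed:", exc)
```

Run it as "python3 check_ldap_tls.py host.domain.de" (assumed file name). Inside python-ldap the corresponding knob is ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND), set before the connection is opened, which maps onto libldap's TLS_REQCERT setting; the stand-alone check above does not depend on libldap at all, so it gives the same verdict on computer A and computer B.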