[python3-ldap] TLS issue

David Noriega tsk133 at my.utsa.edu
Fri Jun 20 07:49:55 CEST 2014


To recap what happened off camera, you had me try out using raw sockets to
connect to the ssl ldap port 636, like so:

import socket
import ssl
HOST = "your_host"
PORT = 636
sock = socket.socket()
sock.connect((HOST, PORT))
# CERT_REQUIRED makes the handshake fail unless the server's chain validates
# against the CA bundle named in ca_certs (this is the call that raised
# "unknown error" on Windows in the tracebacks below)
sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED,
                       ca_certs="your_ca_certs_file")

This works on Linux, both Python 2.6 and 3.2, but on Windows it fails. I
tried 3.4.1, and going back with 3.3 and 3.2. With it working on Linux, I
could use sock.getpeercert() to return the server certificate information.
But this socket test got me thinking and I came across this on
stackoverflow:
http://stackoverflow.com/questions/19145097/getting-certificate-chain-with-python-3-3-ssl-module

I modified that code slightly to use PROTOCOL_TLSv1 and CERT_REQUIRED. This
works on Linux as is, but again fails on Windows. Reading deeper into the
ssl docs, I found SSLContext.load_default_certs(), which got me thinking
about the differences between Windows and Linux. Windows has a central
certificate store. Using this method
http://community.spiceworks.com/how_to/show/1839-installing-self-signed-ca-certificate-in-windows,
I imported my CA cert into Windows' cert store. I modified the code again
to not use SSLContext.load_verify_locations() but instead
load_default_certs(), and this time it works.
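
As an added example (mine, not code from this thread or from ldap3) of the difference described above: an SSLContext-based version of the raw-socket check that either loads a CA bundle (load_verify_locations) or the platform store (load_default_certs), lets you test the bundle on its own so a rejected CA file is told apart from a handshake failure, and enables the hostname check that ssl.wrap_socket never performed. The host, port and CA file path are placeholders, and SAMPLE_BUNDLE is a constructed, deliberately wrong bundle.

```python
import socket
import ssl

# Constructed sample, not a real bundle: a "CA file" that wrongly carries a
# private key next to the certificate, the mistake the thread asks to rule out.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...not-real-cert-data...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...not-real-key-data...\n-----END PRIVATE KEY-----\n"
)

def inspect_pem(data):
    """Static look at a PEM bundle: (certificate blocks, private key present).
    A CA file handed to load_verify_locations should contain certs only."""
    text = data.decode("ascii", "replace") if isinstance(data, bytes) else data
    return text.count("-----BEGIN CERTIFICATE-----"), "PRIVATE KEY-----" in text

def make_context(ca_file=None, ca_data=None):
    """Verifying client context. With a CA file (or inline PEM) only that trust
    material is used (load_verify_locations); with neither, the platform store
    is used (load_default_certs, i.e. the Windows certificate store). Either
    way verify_mode is CERT_REQUIRED and check_hostname is on."""
    return ssl.create_default_context(cafile=ca_file, cadata=ca_data)

def verifies(ctx):
    """True when the context both requires a valid chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def ca_bundle_loads(ca_file=None, ca_data=None):
    """Load the trust material by itself: the load_verify_locations step that
    failed in the tracebacks, separated from any problem with the server."""
    try:
        make_context(ca_file=ca_file, ca_data=ca_data)
        return True
    except ssl.SSLError as exc:
        print("CA bundle rejected by OpenSSL:", exc)
        return False

def ldaps_peer_cert(host, port=636, ca_file=None, timeout=10):
    """Connect to an LDAPS port and return the validated server certificate.
    server_hostname enables SNI and the hostname check against the cert."""
    ctx = make_context(ca_file=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(inspect_pem(SAMPLE_BUNDLE))            # (1, True): key leaked into the bundle
    print(ca_bundle_loads(ca_data="not a pem"))  # False
    # print(ldaps_peer_cert("your_host", ca_file="your_ca_certs_file"))
```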




On Tue, Jun 17, 2014 at 12:15 AM, Python3-ldap <python3ldap at gmail.com>
wrote:

> Hi David, this seems a problem with the Python ssl module; it raises an
> unknown error when trying to verify the CA cert. Are you sure that the
> CA certificate format is PEM and contains only the public key of your CA
> chain? Could you send me the CA certificate (it includes only the public
> key, so it is safe to send) so I can try it in my lab to see where the problem
> is.
>
> Bye,
> Giovanni
>
> ------------------------------
> From: David Noriega <tsk133 at my.utsa.edu>
> Sent: 17/06/2014 00.38
> To: python3ldap <python3ldap at gmail.com>
> Subject: Re: [python3-ldap] TLS issue
>
> It's the same for either cert required or none. I have a secondary ldap
> server and tried against it, same thing. Even tried to test if there was a
> difference between 32bit and 64bit, same thing.
> >>> c.open()
> >>> c.start_tls()
> Traceback (most recent call last):
>   File "<pyshell#24>", line 1, in <module>
>     c.start_tls()
>   File "C:\Python34\lib\site-packages\ldap3\core\connection.py", line 584, in start_tls
>     if self.server.tls.start_tls(self):
>   File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 121, in start_tls
>     return self._start_tls(connection)
>   File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 124, in _start_tls
>     connection.socket = self.wrap_socket(connection, True)
>   File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 89, in wrap_socket
>     wrapped_socket = ssl.wrap_socket(connection.socket, keyfile=self.private_key_file, certfile=self.certificate_file, server_side=False, cert_reqs=self.validate, ssl_version=self.version, ca_certs=self.ca_certs_file, do_handshake_on_connect=do_handshake)
>   File "C:\Python34\lib\ssl.py", line 888, in wrap_socket
>     ciphers=ciphers)
>   File "C:\Python34\lib\ssl.py", line 511, in __init__
>     self._context.load_verify_locations(ca_certs)
> ssl.SSLError: unknown error (_ssl.c:2734)
>
>
>
>
> On Sun, Jun 15, 2014 at 10:34 AM, python3ldap <python3ldap at gmail.com>
> wrote:
>
>> Hi David,
>> this seems an SSL problem. Can you try the following with a good CA and
>> then with a WRONG CA cert file?
>>
>> import ssl
>> from ldap3 import Server, Connection, Tls
>> t = Tls(ca_cert_file='your_ca_file', validate=ssl.CERT_REQUIRED)
>> s = Server('your_server', tls = t)
>> c = Connection(s, user='your_user', password='your_password')
>> c.open()
>> c.start_tls()
>> c.bind()
>> c.close()
>>
>> Then you should do the same with validate set to ssl.CERT_NONE.
>>
>> Can you send me back the result of each statement?
>>
>> Bye,
>> Giovanni
>>
>>
>> 2014-06-13 19:45 GMT+02:00 David Noriega <tsk133 at my.utsa.edu>:
>> > Yes, port 389 is correct, this is how we use it. It's explained here:
>> > http://www.openldap.org/faq/data/cache/185.html
>> >
>> > I've been able to use the older python-ldap on 2.x previously, so I
>> > know it can work.
>> >
>> > Here I can get some simple info from ldap:
>> > >>> import ldap3
>> > >>> s = ldap3.Server('X.X.X.X', port=389, get_info=ldap3.GET_ALL_INFO)
>> > >>> c = ldap3.Connection(s, auto_bind=True)
>> > >>> print(s.info)
>> > DSA info (from DSE):
>> >   Supported LDAP Versions: 3
>> >   Naming Contexts:
>> >     dc=X,dc=X,dc=X
>> >   Supported Controls:
>> >     1.3.6.1.4.1.4203.1.9.1.1 - LDAP content synchronization - Control - RFC4533
>> >     2.16.840.1.113730.3.4.18 - Proxy Authorization Control - Control - RFC6171
>> >     2.16.840.1.113730.3.4.2 - ManageDsaIT - Control - RFC3296
>> >     1.3.6.1.4.1.4203.1.10.1 - Subentries - Control - RFC3672
>> >     1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696
>> >     1.2.826.0.1.3344810.2.3 - Matched Values - Control - RFC3876
>> >     1.3.6.1.1.13.2 - LDAP Post-read - Control - RFC4527
>> >     1.3.6.1.1.13.1 - LDAP Pre-read - Control - RFC4527
>> >     1.3.6.1.1.12 - Assertion - Control - RFC4528
>> >   Supported Extensions:
>> >     1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513
>> >     1.3.6.1.4.1.4203.1.11.1 - Modify Password - Extension - RFC3062
>> >     1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532
>> >     1.3.6.1.1.8 - Cancel Operation - Extension - RFC3909
>> >   Supported Features:
>> >     1.3.6.1.1.14 - Modify-Increment - Feature - RFC4525
>> >     1.3.6.1.4.1.4203.1.5.1 - All Op Attrs - Feature - RFC3673
>> >     1.3.6.1.4.1.4203.1.5.2 - OC AD Lists - Feature - RFC4529
>> >     1.3.6.1.4.1.4203.1.5.3 - True/False filters - Feature - RFC4526
>> >     1.3.6.1.4.1.4203.1.5.4 - Language Tag Options - Feature - RFC3866
>> >     1.3.6.1.4.1.4203.1.5.5 - language Range Options - Feature - RFC3866
>> >   Supported SASL Mechanisms:
>> >     CRAM-MD5, GSSAPI, DIGEST-MD5
>> >   Schema Entry:
>> >     cn=Subschema
>> > Other:
>> >   objectClass:
>> >     top
>> >     OpenLDAProotDSE
>> >   monitorContext:
>> >     cn=Monitor
>> >   configContext:
>> >     cn=config
>> >   structuralObjectClass:
>> >     OpenLDAProotDSE
>> >   entryDN:
>> >
>> > If I try to bind via AUTH_SIMPLE, the server responds as expected with
>> > a confidentiality required message. I then try again by setting up a Tls
>> > object, and I've tried with all CERT_ options but get the same error.
>> > This CA cert file is good because it's currently used by all my systems
>> > for ldap authentication.
>> >
>> >
>> >
>>
>

On Thu, Jun 12, 2014 at 5:24 PM, python3ldap <python3ldap at gmail.com> wrote:

> Hi David,
> are you sure that you must connect to the 389 port? Usually TLS is on
> port 636. If 389 is right, probably the CA file is wrong. In that case
> I need some more info. You should try to connect without a CA and
> without verifying the certificate chain.
>
> Let me know.
> Bye,
> Giovanni
>
>
> On Thursday, 12 June 2014, David Noriega <tsk133 at my.utsa.edu> wrote:
>
>> On Windows 7 with Python 3.4.1 and python3-ldap 0.9.3.3
>>
>> I'm trying to create a TLS connection to an ldap server over port 389 and
>> I provide the CA cert file (in PEM format) but I get the following:
>>
>> Traceback (most recent call last):
>>   File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 134, in _open_socket
>>     self.connection.socket = self.connection.server.tls.wrap_socket(self.connection, do_handshake=True)
>>   File "C:\Python34\lib\site-packages\ldap3\core\tls.py", line 89, in wrap_socket
>>     wrapped_socket = ssl.wrap_socket(connection.socket, keyfile=self.private_key_file, certfile=self.certificate_file, server_side=False, cert_reqs=self.validate, ssl_version=self.version, ca_certs=self.ca_certs_file, do_handshake_on_connect=do_handshake)
>>   File "C:\Python34\lib\ssl.py", line 888, in wrap_socket
>>     ciphers=ciphers)
>>   File "C:\Python34\lib\ssl.py", line 511, in __init__
>>     self._context.load_verify_locations(ca_certs)
>> ssl.SSLError: unknown error (_ssl.c:2734)
>>
>> During handling of the above exception, another exception occurred:
>>
>> Traceback (most recent call last):
>>   File "<stdin>", line 1, in <module>
>>   File "C:\Python34\lib\site-packages\ldap3\core\connection.py", line 174, in __init__
>>     self.open()
>>   File "C:\Python34\lib\site-packages\ldap3\strategy\syncWait.py", line 49, in open
>>     BaseStrategy.open(self, reset_usage)
>>   File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 88, in open
>>     self._open_socket(self.connection.server.ssl)
>>   File "C:\Python34\lib\site-packages\ldap3\strategy\baseStrategy.py", line 139, in _open_socket
>>     raise communication_exception_factory(LDAPSocketOpenError, e)(self.connection.last_error)
>> ldap3.core.exceptions.LDAPSocketOpenError: ('socket ssl wrapping error: unknown error (_ssl.c:2734)',)
>>
>
>
> --
> Have fun,
> gc
>
>