Debugging SSL connections
Mike Orr
sluggoster at gmail.com
Wed Jun 21 00:41:01 CEST 2006
Hi. I have a Python application that uses LDAP to authenticate users.
Today our organization moved the server to one that uses LDAP-SSL,
and I can't connect to it. I couldn't find anything about SSL in the
python-ldap or openldap documentation, but a Google search found this
letter from 2003:
http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
David Casti wrote:
> >
> > import ldap
> > l = ldap.initialize( 'ldaps://target:636' )
> > [..]
> > ldap.SERVER_DOWN: {'info': 'error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
> > "Can't contact LDAP server"}
>
> The message is pretty clear. The server's certificate cannot be verified.
>
> > ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, '/path/ca.crt' )
>
> This is the right thing to do.
>
> Can you please try something like
>
> openssl s_client -connect target:636 -CAfile /path/ca.crt
>
> and carefully examine its output?
But I don't have a certificate to authenticate against. Mozilla
Thunderbird works fine without it. "openssl s_client -connect
target:636" ends with:
"Verify return code: 19 (self signed certificate in certificate chain)"
This is not surprising; our organization always uses self-signed
certificates. The ldapsearch program refuses to run, saying:
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Is there an option for "just accept the certificate anyway"? Is there
a list of LDAP options anywhere? I couldn't find one.
Is there a HOWTO anywhere for using python-ldap with SSL? I only
discovered ldaps: by guessing maybe it works like https:.
--
Mike Orr <sluggoster at gmail.com>
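Added example, not code from the original thread: a shell script that reproduces the "Verify return code: 19" failure offline with a constructed self-signed CA and a server certificate signed by it, then shows the same chain verifying once the CA file the quoted reply recommends is supplied (the CA name and the host name "target" are constructed; the openssl CLI is required).

```shell
#!/bin/sh
# Added example, not code from the original thread. It reproduces offline the
# "self signed certificate in certificate chain" failure from the post and
# shows that trusting the organisation's own CA file is what clears it.
# The CA name and the host name "target" are constructed; openssl is required.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private, self-signed CA: the kind of root the organisation uses.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Org Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A server certificate for the LDAP host "target", signed by that CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=target" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# 3. Verify the server certificate the way a client would, trusting only the
#    CA file given as $1 (or nothing when $1 is empty). -untrusted supplies
#    the chain the server would send; -verify_hostname checks the name used
#    in the ldaps:// URL, which a CA file alone does not cover.
verify_chain() {
    if [ -n "$1" ]; then set -- -CAfile "$1"; else set --; fi
    out=$(openssl verify -no-CAfile -no-CApath "$@" \
          -untrusted "$WORK/ca.crt" -verify_hostname target \
          "$WORK/server.crt" 2>&1) || true
    case "$out" in
        *": OK"*)     echo trusted ;;         # chain ends in a trusted root
        *"error 19"*) echo untrusted-root ;;  # s_client's "Verify return code: 19"
        *)            echo other ;;           # expired, wrong name, ...: a CA file will not fix it
    esac
}

# No CA configured: the same error 19 the post saw from s_client and ldapsearch.
verify_chain ""
# CA file supplied, the fix the quoted reply recommends; in python-ldap that is
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/ca.crt") with this file.
verify_chain "$WORK/ca.crt"
```

The script prints `untrusted-root` for the first call and `trusted` for the second; pointing the verifier at the self-signed root is the fix, so there is no need to look for a "just accept the certificate anyway" option.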