partial_chain verification #1121

Open
wayneworkman opened this issue Jan 16, 2024 · 2 comments

@wayneworkman

Hi, OpenSSL supports the -partial_chain argument. Is there any way to use this with ldap3? I only see options for full chain verification, or disabled verification.

If ldap3 can't do partial_chain verification, why not?

@zorn96
Collaborator

zorn96 commented Jan 19, 2024

hi @wayneworkman - what's the use case you're trying to achieve?

the TLS used by ldap3 just builds on the native python ssl module. it looks like ssl.VERIFY_X509_PARTIAL_CHAIN was just added recently-ish in python3.10. so support for passing verify_flags could be added to Tls.

honestly it might make sense to just support passing a whole SSLContext object in case there's more things in the future, now that SSLContexts are the default for everything in python

@wayneworkman
Author

My use case is for LDAP-S where I'm unable (for reasons) to get a copy of the root public certificate that I need to enable full chain verification. All I have available to me is the specific LDAP server's public certificate, and an intermediate certificate.
