LDAP3 TLS Cert verification failing #825

Closed

pankysdomain opened this issue May 27, 2020 · 4 comments

@pankysdomain
The ldap3 package provides us a Tls object with these parameters:

Tls(local_private_key_file, local_certificate_file, validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1, ca_certs_file)

I have these questions. It would be helpful if you could give me a point-by-point answer.

  1. The parameters "local_private_key_file" and "local_certificate_file" are optional if we only have to verify the server certificate. They are only required if the server is configured to ask for client cert verification. Is my understanding correct?

  2. For server cert verification, are the mandatory fields "validate", "version" and "ca_certs_file"?

  3. What format/extension is expected for "ca_certs_file"? Is it only b64, or are the cer, pem and pkcs12 formats also acceptable?

  4. If the server certificate has a CRL configured, will that also be verified by the ldap3 package? If yes, is there a way I can disable that?

  5. When I run the openssl verify command, it returns success: "openssl verify -verbose -CAfile certnew.pem ldapserver.pem"
    ldapserver.pem: OK
    But when I specify the ca_certs_file in the Tls object as "certnew.pem", like this

tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1, ca_certs_file="certnew.pem")

I get the exception: socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727).

This is what extended logging records:

DEBUG:ldap3:BASIC:server <ldaps://parent-2k16.pcsqalab.net:636 - ssl> available at <[2, 1, 6, '', ('10.209.115.100', 636), None, None]>
DEBUG:ldap3:BASIC:server returned from Server Pool: <0>
DEBUG:ldap3:BASIC:obtained candidate address for <ldaps://parent-2k16.pcsqalab.net:636 - ssl>: <[2, 1, 6, '', ('10.209.115.100', 636)]> with mode IP_V6_PREFERRED
DEBUG:ldap3:BASIC:try to open candidate address [2, 1, 6, '', ('10.209.115.100', 636)]
DEBUG:ldap3:ERROR:<socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)> for <ldaps://parent-2k16.pcsqalab.net:636 - ssl - user: cn=Administrator,cn=users,dc=pcsqalab,dc=net - not lazy - unbound - closed - <local: 10.204.48.215:49495 - remote: 10.209.115.100:636> - tls not started - not listening - SyncStrategy - pyasn1 decoder>
DEBUG:ldap3:ERROR:<socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727) ('10.209.115.100', 636)> for <ldaps://parent-2k16.pcsqalab.net:636 - ssl - user: cn=Administrator,cn=users,dc=pcsqalab,dc=net - not lazy - unbound - closed - <local: 10.204.48.215:49495 - remote: [None]:None> - tls not started - not listening - SyncStrategy - pyasn1 decoder>

@pankysdomain (Author)
@cannatag Can you please update me on the above questions?

@pankysdomain (Author)

This bug was opened almost 19 days ago. I was expecting some update to move forward.

@cannatag (Owner)

cannatag commented Jul 6, 2020

Sorry for being late.

  1. Correct.
  2. Yes, but I suggest you use the SSLContext in Python > 3.3. It integrates with the operating system for establishing SSL connections. Have a look at the SSLContext in the https://ldap3.readthedocs.io/en/latest/ssltls.html page.
  3, 4. These depend on the Python version you're using.
  5. The Python interpreter and the openssl client use different SSL libraries. It can happen that you get different behaviours on the same machine. I suggest you update to the latest Python version.

Sorry for these brief answers, but SSL is not related to the ldap3 library but to the Python interpreter you're using. Usually using the SSLContext helps because you have a configuration similar to that of your OS, but the libraries remain different.

bye,
Giovanni

@cannatag cannatag closed this as completed Jul 6, 2020
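Following cannatag's pointer to SSLContext, the script below is an added example, not code from this issue or from the ldap3 project. It uses only Python's standard ssl module, which is what an SSLContext-based Tls configuration ultimately drives, and works through the points the answer leaves to "the Python version": which container formats a CA file may have (PEM, DER, PKCS#12), how to build a context equivalent to validate=ssl.CERT_REQUIRED without the deprecated PROTOCOL_TLSv1, how to surface the actual OpenSSL verify reason behind a bare CERTIFICATE_VERIFY_FAILED, and which OpenSSL build Python links against so it can be compared with the openssl command line. The helper names, the file names and the host names are assumptions made for illustration; the byte strings in the tests are constructed, not real certificates.

```python
"""Stdlib-only diagnostic for CERTIFICATE_VERIFY_FAILED against an LDAPS server.

Added example, not part of ldap3; helper names are illustrative assumptions.
"""
import socket
import ssl


def library_versions():
    """OpenSSL build Python links against; compare with `openssl version` on the same box."""
    return {"python_ssl": ssl.OPENSSL_VERSION}


def _first_inner_tag(data):
    """Tag byte of the first element inside an outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    length = data[1]
    offset = 2
    if length & 0x80:                 # long-form length: next (length & 0x7F) bytes hold it
        offset += length & 0x7F
    return data[offset] if offset < len(data) else None


def classify_ca_file(data):
    """Guess the container format of a CA file: 'pem', 'der', 'pkcs12' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"                  # base64 body with PEM armour (.pem/.crt/.cer/b64 exports)
    inner = _first_inner_tag(data)
    if inner == 0x30:                 # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "der"
    if inner == 0x02:                 # PFX ::= SEQUENCE { version INTEGER, ... }
        return "pkcs12"
    return "unknown"


def ca_bytes_to_pem(data):
    """Return PEM text that SSLContext.load_verify_locations(cadata=...) accepts."""
    kind = classify_ca_file(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)   # single DER certificate -> PEM armour
    if kind == "pkcs12":
        # The ssl module has no PKCS#12 loader; export the CA certs to PEM first, e.g.
        # openssl pkcs12 -in bundle.p12 -nokeys -cacerts -out ca.pem
        raise ValueError("PKCS#12 is not a CA bundle format the ssl module can load")
    raise ValueError("unrecognised CA file format")


def build_verify_context(cadata=None):
    """Context equivalent to validate=ssl.CERT_REQUIRED, on a modern protocol setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # negotiates; PROTOCOL_TLSv1 is deprecated
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True                       # chain AND name must verify
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cadata:
        ctx.load_verify_locations(cadata=cadata)    # private CA, the ca_certs_file case
    else:
        ctx.load_default_certs()                    # OS trust store, the SSLContext default
    return ctx


def context_summary(ctx):
    """Settings worth checking before blaming the certificate itself."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "trusted_cas": len(ctx.get_ca_certs()),
    }


def explain_verify_failure(exc):
    """Expose the OpenSSL X509 verify reason hidden behind CERTIFICATE_VERIFY_FAILED (3.7+)."""
    code = getattr(exc, "verify_code", None)
    if code is None:
        return "%s (newer Python exposes the OpenSSL verify reason)" % exc
    return "X509 verify error %d: %s" % (code, getattr(exc, "verify_message", ""))


def probe_ldaps(host, port=636, cadata=None, timeout=5.0):
    """Open TLS to an LDAPS port and return the verified peer certificate.

    Pass the DNS name the certificate was issued for: name checking compares the
    SAN entries against server_hostname, not against the IP the socket connects to.
    """
    ctx = build_verify_context(cadata)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            raise RuntimeError(explain_verify_failure(exc)) from exc


if __name__ == "__main__":
    import sys
    # usage: python ldaps_check.py ldap.example.net [certnew.pem]   (names are placeholders)
    ca = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
    print(library_versions())
    print(probe_ldaps(sys.argv[1], cadata=ca_bytes_to_pem(ca) if ca else None)["subject"])
```

Run it with the same CA file that satisfied openssl verify; if probe_ldaps fails, the RuntimeError names the X509 reason (unable to get local issuer, hostname mismatch, expired, and so on) rather than the generic message in the issue, which is usually enough to tell a format problem from a chain or SAN problem.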
@HOMiLeee

HOMiLeee commented Jan 9, 2024

@pankysdomain Hi, has your problem been solved? Currently I have encountered the same problem as you. Can you provide me with your demo version of the code to study? Thank you very much.
