
[doc] Explain TLS/SSL gotchas #55

@tiran

Description

@tiran

TLS/SSL and X.509 are tricky. OpenLDAP adds some additional gotchas to the stack. We should document them so users don't run into issues like pyldap/pyldap#53

  • start_tls_s() requires protocol version 3. It does not work with protocol version 2.
  • Several, perhaps all set_option(OPT_X_TLS_*, ...) calls require a final set_option(ldap.OPT_X_TLS_NEWCTX, 0) call to submit all previous set_option() calls. Without OPT_X_TLS_NEWCTX, settings are effectively ignored.
        import ldap
        l = ldap.initialize('ldap://ldap.example.org')  # placeholder URI
        l.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
        l.set_option(ldap.OPT_X_TLS_CACERTFILE, 'path/to/ca.pem')
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # submits the OPT_X_TLS_* settings above
  • emit warning when OPT_X_TLS_NEWCTX is required
  • emit warning when connection is already established and OPT_X_TLS_* are useless.
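The following is an added example, not code from the issue or from python-ldap itself. It encodes the gotchas listed above as a checked call sequence: LDAPv3 first, OPT_X_TLS_* settings next, OPT_X_TLS_NEWCTX last, StartTLS before bind, and no TLS options after the connection is up. The `tls_option_plan`, `validate_plan`, `RecordingConnection` and `apply_plan` helpers are constructed for this example and run without a server or python-ldap installed; `connect_starttls` is the live path and assumes python-ldap is importable. The default verification level is OPT_X_TLS_DEMAND, since that is the only level at which the server certificate is actually enforced.

```python
import logging

try:
    import ldap  # python-ldap; only the live connection path needs it
except ImportError:  # lets the planning helpers below run without python-ldap
    ldap = None

LOG = logging.getLogger(__name__)

# python-ldap constant names for OPT_X_TLS_REQUIRE_CERT. Only DEMAND (and HARD,
# which OpenLDAP treats the same way) fails the handshake on a bad certificate.
REQUIRE_CERT_LEVELS = {
    "demand": "OPT_X_TLS_DEMAND",
    "hard": "OPT_X_TLS_HARD",
    "try": "OPT_X_TLS_TRY",
    "allow": "OPT_X_TLS_ALLOW",
    "never": "OPT_X_TLS_NEVER",
}


def tls_option_plan(cacertfile, require_cert="demand"):
    """Return the set_option() calls as an ordered list of (constant_name, value).

    Ordering rules from the gotchas:
      * start_tls_s() needs LDAPv3, so OPT_PROTOCOL_VERSION comes first.
      * OPT_X_TLS_* values are only staged; they take effect when
        OPT_X_TLS_NEWCTX is set afterwards, so NEWCTX is always last.
    """
    level = REQUIRE_CERT_LEVELS[require_cert]
    if require_cert not in ("demand", "hard"):
        LOG.warning("OPT_X_TLS_REQUIRE_CERT=%s does not verify the server certificate", level)
    return [
        ("OPT_PROTOCOL_VERSION", "VERSION3"),
        ("OPT_X_TLS_CACERTFILE", cacertfile),
        ("OPT_X_TLS_REQUIRE_CERT", level),
        ("OPT_X_TLS_NEWCTX", 0),
    ]


def validate_plan(plan):
    """Return a list of problems that would make OpenLDAP silently ignore settings."""
    names = [name for name, _ in plan]
    problems = []
    if any(n.startswith("OPT_X_TLS_") for n in names) and names[-1] != "OPT_X_TLS_NEWCTX":
        problems.append("OPT_X_TLS_NEWCTX must be the last option set, "
                        "otherwise the OPT_X_TLS_* settings before it are ignored")
    if ("OPT_PROTOCOL_VERSION", "VERSION3") not in plan:
        problems.append("start_tls_s() requires OPT_PROTOCOL_VERSION=VERSION3")
    return problems


class RecordingConnection:
    """Stand-in for an LDAPObject (constructed for this example): records
    set_option() calls and refuses TLS options once the connection is established."""

    def __init__(self):
        self.calls = []
        self.tls_started = False

    def set_option(self, option, value):
        if self.tls_started:
            raise RuntimeError("connection already established; OPT_X_TLS_* has no effect now")
        self.calls.append((option, value))

    def start_tls_s(self):
        self.tls_started = True


def apply_plan(conn, plan, resolve=None):
    """Apply a validated plan to `conn`. `resolve` maps constant names to values and
    defaults to the real ldap module; pass `str` for a dry run with RecordingConnection."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    if resolve is None:
        resolve = lambda name: getattr(ldap, name)
    for name, value in plan:
        # Values that name python-ldap constants are resolved; paths and ints pass through.
        if isinstance(value, str) and (value == "VERSION3" or value.startswith("OPT_")):
            value = resolve(value)
        conn.set_option(resolve(name), value)
    return conn


def connect_starttls(uri, cacertfile, bind_dn=None, password=None):
    """Live path (assumes python-ldap): options, then StartTLS, then bind."""
    conn = ldap.initialize(uri)
    apply_plan(conn, tls_option_plan(cacertfile))
    conn.start_tls_s()  # from here on, further OPT_X_TLS_* calls are ignored
    if bind_dn is not None:
        conn.simple_bind_s(bind_dn, password)
    return conn


if __name__ == "__main__":
    # Dry run against the recording stand-in; no server needed.
    demo = apply_plan(RecordingConnection(), tls_option_plan("/etc/ssl/certs/ca.pem"), resolve=str)
    print(demo.calls)
```

The dry run is useful in CI: a test that feeds the real option sequence through `RecordingConnection` catches a reordered or missing `OPT_X_TLS_NEWCTX` long before anyone notices that certificate verification was never switched on against a live server.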
