
RE: Info message for LDAP_SERVER_DOWN in case of SSL/TLS failure (ITS#1995)



The CVS HEAD has been patched to provide an error message in the latter case.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> michael@stroeder.com
> Sent: Monday, August 05, 2002 5:35 AM
> To: openldap-its@OpenLDAP.org
> Subject: Re: Info message for LDAP_SERVER_DOWN in case of SSL/TLS
> failure (ITS#1995)
> 
> 
> Howard Chu wrote:
> > The library already copies the SSL error string into the LDAP handle when
> > an SSL connection attempt fails.
> 
> I can see the info message if certificate verification fails 
> (turned into a Python exception instance in this example):
> 
> ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 'Connect error'}
> 
> But is that also true if the certificate and host name comparison 
> failed which is a very common error? The following example is from 
> the OpenLDAP debug log:
> 
> TLS: hostname (abcdef.domain.my) does not match common name in certificate (localhost).
> 
> In this case the info field seems to be empty:
> 
> ldap.CONNECT_ERROR: {'info': '', 'desc': 'Connect error'}
> 
> Ciao, Michael.
> 
> 
>
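
Added example (not part of the original messages, and not OpenLDAP or python-ldap code): a client-side fallback that recovers a usable diagnostic when a Connect error arrives with an empty 'info' field, by comparing the requested host name with the names in the server certificate. The function names, the sample certificates and the simplified wildcard rule are assumptions made for illustration.

```python
# Added example, not OpenLDAP or python-ldap code. Error dicts mirror the ones
# quoted in the thread; certificate dicts are constructed samples shaped like
# the return value of Python's ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Return (dNSName SANs, subject common names) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels) > 2
            and p_labels[1:] == h_labels[1:])

def explain_connect_error(err, host, cert):
    """Return a readable cause for a CONNECT_ERROR-style dict (hypothetical helper)."""
    if err.get("info"):
        return err["info"]           # the library already supplied the TLS reason
    sans, cns = cert_names(cert)
    candidates = sans or cns         # CN is consulted only when no dNSName SAN exists
    if any(name_matches(n, host) for n in candidates):
        return "hostname matches certificate; cause is not a name mismatch"
    kind = "subjectAltName" if sans else "common name"
    return "TLS: hostname (%s) does not match %s in certificate (%s)." % (
        host, kind, ", ".join(candidates) or "none")

# Constructed sample inputs.
EMPTY_INFO = {"info": "", "desc": "Connect error"}
VERIFY_FAILED = {
    "info": "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "desc": "Connect error"}
LOCALHOST_CERT = {"subject": ((("commonName", "localhost"),),)}
WILDCARD_CERT = {"subject": ((("commonName", "ignored"),),),
                 "subjectAltName": (("DNS", "*.domain.my"),)}

if __name__ == "__main__":
    print(explain_connect_error(EMPTY_INFO, "abcdef.domain.my", LOCALHOST_CERT))
    print(explain_connect_error(VERIFY_FAILED, "abcdef.domain.my", LOCALHOST_CERT))
```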