Comments (6)

cannatag avatar cannatag commented on August 28, 2024

Hi Brian, that's a problem with the python ssl library. Which version of
python are you using?

Giovanni

2015-02-19 23:41 GMT+01:00 Brian May [email protected]:

Hello,

If I try to connect using START_TLS to a server using its IP address
instead of its hostname, it still works.

This is despite the fact that only the hostname is included in the
certificate.

This allows man in the middle attacks because I might be trying to connect
to server.example.org, but get a valid certificate from
maninthemiddle.example.org instead, and I will send my credentials to the
wrong server.

Ideally this needs to be configurable, as I do have some broken systems
that do identify themselves with the wrong name.

This is with validate = ssl.CERT_REQUIRED

Looking at the code, it looks like it is supposed to check the certificate
in the check_hostname function, so I am going to try and work out why that
doesn't appear to be working (or if I am doing something wrong), and I will
report back here.

Thanks

(GitHub issue #22)

from ldap3.

brianmay avatar brianmay commented on August 28, 2024

Python 3.4 or Python 2.7 both had this issue.

On second thoughts, I think this actually was my fault; for some reason I was incorrectly initializing the TLS settings (possibly due to legacy ldap3 reasons???). I had

s = ldap3.Server(host, port=port, use_ssl=use_ssl)
c = ldap3.Connection(....)
c.tls = ldap3.Tls(ca_certs_file=...)

Where looking at the source, I think it uses c.server.tls, not c.tls.

I have now changed the code to comply with the documentation:

s = ldap3.Server(host, port=port, use_ssl=use_ssl, tls=tls)
c = ldap3.Connection(....)

and now I get the appropriate error:

ldap3.core.exceptions.LDAPStartTLSError: wrap socket error: hostname doesn't match

This error goes away when the host name matches.

Closing this non-bug.

Thanks.


cannatag avatar cannatag commented on August 28, 2024

Thanks, I will check your code anyway.

Bye,
Giovanni

2015-02-20 0:07 GMT+01:00 Brian May [email protected]:

cannatag avatar cannatag commented on August 28, 2024

Hi Brian,
I've checked your code. You're using the default of the tls object. It has no validation of certificate (ssl.CERT_NONE), so you accept any certificate you get. I could make the default CERT_REQUIRED, but I suspect that many internal LDAP servers have their certificate not properly set. So I think that CERT_NONE is more helpful, even if less secure, as a default.

Bye,
Giovanni

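A standard-library sketch, added here and not ldap3's own code, of what the two Tls choices in this thread amount to: the CERT_NONE default accepts any certificate (including a man in the middle's), while CERT_REQUIRED with a CA bundle verifies the chain and, through hostname checking, rejects the connect-by-IP case from the original report, because a certificate that names only server.example.org can never match an IP literal. The function names and the SAN lists in the comments are assumptions for illustration.

```python
import ipaddress
import ssl


def make_client_context(validate=ssl.CERT_NONE, ca_certs_file=None):
    """Return the ssl.SSLContext that Tls(validate=..., ca_certs_file=...) amounts to.

    Hostname checking only makes sense once the chain is verified, and Python
    refuses to enable it under CERT_NONE, so the two settings move together.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts as CERT_REQUIRED + check_hostname
    if validate == ssl.CERT_NONE:
        ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, no name check at all
    else:
        ctx.verify_mode = validate
        ctx.check_hostname = True        # name in the certificate must match the host asked for
        if ca_certs_file:
            ctx.load_verify_locations(cafile=ca_certs_file)
        else:
            ctx.load_default_certs()     # fall back to the system trust store
    return ctx


def hostname_matches(host, dns_sans, ip_sans=()):
    """Does the name the client connected to appear in the certificate's SANs?

    An IP literal is matched only against iPAddress SANs (constructed lists here),
    so a certificate issued for 'server.example.org' alone cannot verify when the
    client connects to the server's address instead of its name.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr == ipaddress.ip_address(ip) for ip in ip_sans)
    host = host.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):  # a wildcard covers exactly one leftmost label
            suffix = san[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif san == host:
            return True
    return False
```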

brianmay avatar brianmay commented on August 28, 2024

Yes, those were my thoughts.

However, I can't see the default value documented anywhere. I think the default should be mentioned on this page, possibly even with a note that CERT_REQUIRED is recommended if possible:

https://ldap3.readthedocs.org/en/latest/ssltls.html


cannatag avatar cannatag commented on August 28, 2024

Sure, I will update the docs.

Bye,
Giovanni
