Comments (6)
Hi Brian, that's a problem with the python ssl library. Which version of
python are you using?
Giovanni
2015-02-19 23:41 GMT+01:00 Brian May [email protected]:
Hello,
If I try to connect using START_TLS to a server using its IP address
instead of its hostname, it still works. This is despite the fact that only
the hostname is included in the certificate.
This allows man in the middle attacks because I might be trying to connect
to server.example.org, but get a valid certificate from
maninthemiddle.example.org instead, and I will send my credentials to the
wrong server.
Ideally this needs to be configurable, as I do have some broken systems
that do identify themselves with the wrong name.
This is with validate = ssl.CERT_REQUIRED
Looking at the code, it looks like it is supposed to check the certificate
in the check_hostname function, so I am going to try and work out why that
doesn't appear to be working (or if I am doing something wrong), and I will
report back here.
Thanks
—
Reply to this email directly or view it on GitHub
#22.
from ldap3.
Python 3.4 or Python 2.7 both had this issue.
On second thoughts, I think this actually was my fault, for some reason I was incorrectly initializing the TLS settings (possibly due to legacy ldap3 reasons???). I had
s = ldap3.Server(host, port=port, use_ssl=use_ssl)
c = ldap3.Connection(....)
c.tls = ldap3.Tls(ca_certs_file=...)
Where looking at the source, I think it uses c.server.tls, not c.tls.
I have now changed the code to comply with the documentation:
s = ldap3.Server(host, port=port, use_ssl=use_ssl, tls=tls)
c = ldap3.Connection(....)
and now I get the appropriate error:
ldap3.core.exceptions.LDAPStartTLSError: wrap socket error: hostname doesn't match
This error goes away when the host name matches.
Closing this non-bug.
Thanks.
from ldap3.
Thanks, I will check your code anyway.
Bye,
Giovanni
from ldap3.
Hi Brian,
I've checked your code. You're using the default of the tls object. It has no validation of certificate (ssl.CERT_NONE) so you accept any certificate you get. I could make the default CERT_REQUIRED, but I suspect that many internal LDAP servers have their certificate not properly set. So I think that CERT_NONE is more helpful, even if less secure, as a default.
Bye,
Giovanni
from ldap3.
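Added example (editor's, not part of the thread and not ldap3 project code): a stdlib-only model of the certificate identity check that the validate setting switches on or off, as discussed in Brian's diagnosis and Giovanni's explanation above. With ssl.CERT_NONE the check never runs and any certificate is accepted, which is why the connection by IP "worked"; with ssl.CERT_REQUIRED the presented name must match the target, and an explicit allow-list covers the "broken systems that identify themselves with the wrong name" case. The certificates are constructed, the strict_ldap3_server helper is hypothetical (it mirrors Brian's corrected snippet, handing the Tls object to Server(tls=...)), its ca_certs_file path and valid_names list are assumptions, and ldap3 is imported lazily so the file runs without it.

```python
"""Added example (not ldap3 project code): what validate=ssl.CERT_NONE versus
ssl.CERT_REQUIRED means for the identity check discussed in this thread."""
import ipaddress
import ssl

# Constructed certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); none of these came from a real server.
GOOD_CERT = {                      # what server.example.org legitimately presents
    "subject": ((("commonName", "server.example.org"),),),
    "subjectAltName": (("DNS", "server.example.org"),),
}
MITM_CERT = {                      # a valid certificate, but for the wrong name
    "subject": ((("commonName", "maninthemiddle.example.org"),),),
    "subjectAltName": (("DNS", "maninthemiddle.example.org"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the
    entire leftmost label, and a wildcard never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False                # rejects 'f*.example.org', '*.org', '*.*.org'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _cert_names(cert):
    """Split a getpeercert() dict into (dNSName list, iPAddress list); the CN is
    only consulted when the certificate carries no subjectAltName at all."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def peer_identity_ok(cert, target, validate=ssl.CERT_REQUIRED, valid_names=None):
    """Decide whether a client configured with `validate` should accept `cert`
    after trying to reach `target` (a hostname or an IP literal).

    ssl.CERT_NONE reproduces the permissive default described in the thread:
    the check never runs and any certificate is accepted.  ssl.CERT_REQUIRED
    performs the name check.  `valid_names` is an explicit allow-list for
    servers known to present the wrong name (the same idea as ldap3's
    Tls(valid_names=...)); it is a per-server exception, not a global off switch.
    """
    if validate == ssl.CERT_NONE:
        return True
    if validate != ssl.CERT_REQUIRED:
        raise ValueError("unsupported validate mode: %r" % (validate,))
    if not cert:                    # getpeercert() is empty without verification
        return False
    dns_names, ip_names = _cert_names(cert)
    for name in (target, *(valid_names or ())):
        try:
            ip = ipaddress.ip_address(name)
        except ValueError:          # not an IP literal: compare against dNSName
            if any(dns_name_matches(p, name) for p in dns_names):
                return True
        else:                       # IP literal: only an iPAddress SAN may match it
            if any(ipaddress.ip_address(i) == ip for i in ip_names):
                return True
    return False


def strict_ldap3_server(host, ca_certs_file, port=636, valid_names=None):
    """Hypothetical helper showing the configuration Brian ended up with:
    the Tls object is handed to Server(tls=...), and the CERT_NONE default is
    replaced by CERT_REQUIRED plus a CA bundle (ca_certs_file is an assumed
    path).  ldap3 is imported lazily so this file runs without it installed."""
    import ldap3
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file,
                    valid_names=valid_names)
    return ldap3.Server(host, port=port, use_ssl=True, tls=tls)


if __name__ == "__main__":
    # Brian's scenario: connect by IP to a server whose cert only names the host.
    print(peer_identity_ok(GOOD_CERT, "192.0.2.10", ssl.CERT_NONE))   # True (the default)
    print(peer_identity_ok(GOOD_CERT, "192.0.2.10"))                  # False
    print(peer_identity_ok(MITM_CERT, "server.example.org"))          # False
```

Running the file prints True, False, False: the permissive default accepts the mismatched certificate, while CERT_REQUIRED rejects both the IP-for-hostname case and the maninthemiddle.example.org certificate. A server that is known to present the wrong name is handled by listing its actual name in valid_names rather than by dropping back to CERT_NONE.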
Yes, those were my thoughts.
However, I can't see the default value documented anywhere. I think the default should be mentioned on this page, possibly even with a note that CERT_REQUIRED is recommended if possible:
https://ldap3.readthedocs.org/en/latest/ssltls.html
from ldap3.
sure, I will update the docs.
Bye,
Giovanni
from ldap3.