CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework


ldap3.core.exceptions.LDAPStartTLSError

0neAtSec opened this issue · comments

commented

[screenshots: not preserved]

It seems dc2016.pem has an old signature, could you show me the content with the signature on the public certificate?
Meanwhile, try to replace `ssl_context.set_ciphers(self.ciphers)` with `ssl_context.set_ciphers('ALL:@SECLEVEL=0')` at line 197 of `/usr/local/lib/python3.10/dist-packages/ldap3/core/tls.py`

commented
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:00:00:00:11:e0:fa:a5:3c:df:31:07:9c:00:00:00:00:00:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC = TEST, DC = AD, CN = AD-ADCS-2012-CA
        Validity
            Not Before: Oct 17 11:18:19 2022 GMT
            Not After : Oct 17 11:18:19 2023 GMT
        Subject: CN = DC-2016.AD.TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b1:4d:65:fa:e9:14:5f:97:08:c4:26:9b:83:1a:
                    e9:01:39:53:3f:f4:70:85:4f:e7:6e:a7:bc:ee:08:
                    6b:09:27:2e:47:33:7e:21:f7:8e:09:dc:31:a8:7f:
                    e6:81:e6:44:b0:99:82:83:cf:f2:ad:62:dd:9e:4f:
                    86:7d:b1:3a:45:21:65:d0:8d:fd:e1:f8:4f:d3:75:
                    fb:6e:45:5d:8b:62:62:86:02:56:69:c6:a7:c3:98:
                    d2:66:0d:f5:94:a4:0d:a3:7e:5c:d1:32:f5:05:f6:
                    41:68:20:bd:ef:8e:b1:74:ac:1a:42:a1:f1:15:82:
                    0f:50:3d:b7:b9:31:9f:b7:da:52:08:7b:9e:76:3b:
                    2a:73:f3:fe:3f:b7:12:bd:89:cb:fd:e4:42:52:d3:
                    3f:87:87:f7:d5:bd:f7:30:04:00:42:89:95:d7:aa:
                    bb:6d:19:82:aa:ad:2e:69:90:4d:4c:e5:b6:63:fd:
                    27:f4:91:32:98:fb:55:66:50:75:f4:62:ac:7e:f9:
                    50:bf:ea:66:45:34:57:ed:55:20:7d:16:c6:a7:f1:
                    9a:0c:20:fb:57:8c:cc:ff:e9:b1:aa:96:47:af:6d:
                    20:d2:9a:d8:ff:45:89:8a:52:35:88:7c:d1:58:c3:
                    dd:45:4b:76:c6:b6:84:c4:5a:5d:d3:e6:3f:3a:03:
                    48:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A1:A7:2F:95:20:F0:29:39:F8:22:83:F2:C8:96:7F:1B:9C:0B:27:20
            X509v3 Authority Key Identifier: 
                keyid:FE:71:3D:28:09:59:DE:B0:13:49:F1:DE:98:61:48:17:FD:A1:AF:37

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=AD-ADCS-2012-CA,CN=ADCS-2012,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=AD,DC=TEST?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=AD-ADCS-2012-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=AD,DC=TEST?cACertificate?base?objectClass=certificationAuthority

            1.3.6.1.4.1.311.20.2: 
                ...M.a.c.h.i.n.e
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:DC-2016.AD.TEST
    Signature Algorithm: sha1WithRSAEncryption
         6d:2b:7b:23:df:3a:bf:47:b9:6b:30:d4:ab:d3:8d:41:7c:01:
         ad:16:2d:94:0e:d1:26:1e:d1:03:d6:3d:4f:88:ba:b3:d5:17:
         f5:33:ad:fd:73:d7:5d:88:e1:40:c1:96:38:51:40:b9:34:68:
         9e:54:b3:3e:cb:97:cc:93:90:8f:06:2f:21:41:54:06:3f:a2:
         bb:43:e3:91:1e:92:52:40:5e:f0:a0:22:6a:a9:6d:3c:4f:50:
         6f:32:df:98:54:7e:af:be:47:88:ea:59:d0:03:9f:1a:9a:49:
         69:cb:12:e8:8b:2c:c2:60:77:18:3e:ce:77:15:b1:fc:dc:1f:
         b3:ec:e1:2b:aa:2e:03:a4:3e:13:9a:23:ed:15:7a:a9:d4:58:
         c9:25:13:9e:fd:7d:d1:18:e7:52:1a:ad:9b:0d:36:5f:8f:ab:
         8c:45:3b:6c:65:99:a6:a7:3b:79:19:81:73:e0:c9:2c:d4:36:
         8e:24:d1:3e:2f:e7:66:ea:3e:ab:16:09:49:01:92:2a:87:0d:
         5a:0e:d9:4a:01:e2:c2:d4:18:19:46:cd:8f:3b:26:ef:b8:a3:
         9b:0c:f0:61:c0:af:0e:5d:23:00:08:59:0b:ee:c3:19:61:ee:
         f7:16:a7:57:75:59:a2:a6:4c:37:6d:08:30:4b:27:e0:43:4e:
         f1:db:b3:99
```

As I thought, your certificate is using sha1WithRSAEncryption for the signature and it is too weak for the default configuration. Try my workaround and tell me if it works. I'll try to integrate it in the next release.

commented

Doesn't seem to work
[screenshot: not preserved]

Oh yeah, this is because `load_cert_chain` is called before your change. Try to add `ssl_context.set_ciphers('ALL:@SECLEVEL=0')` on line 187.

@0neAtSec did it work?
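The thread's diagnosis (a DC certificate signed with sha1WithRSAEncryption, rejected by OpenSSL's default security level) can be confirmed before touching ldap3 and the `@SECLEVEL=0` override applied only where it is needed. The following is an added example, not bloodyAD's or ldap3's code: it reads the outer signatureAlgorithm OID straight out of a DER certificate with a minimal ASN.1 walker (stdlib only), and builds a client context that lowers the security level only for such legacy certificates. The two sample certificates are constructed stand-ins, not real DC certificates; for a real one, feed in the bytes of `openssl x509 -in dc2016.pem -outform DER`.

```python
import ssl

# Signature OIDs relevant to the thread (RFC 4055); SHA-1 fails OpenSSL's default SECLEVEL.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK_SIGNATURES = {"sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(value):
    """Render OBJECT IDENTIFIER content bytes as a dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER certificate."""
    _, start, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)    # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "signatureAlgorithm must start with an OBJECT IDENTIFIER"
    dotted = _oid(der[oid_start:oid_end])
    return SIG_OIDS.get(dotted, dotted)

def starttls_context(der):
    """Client TLS context; lower SECLEVEL only when this certificate requires it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if signature_algorithm(der) in WEAK_SIGNATURES:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # the thread's workaround, scoped to this host
    return ctx

# Constructed stand-ins (hypothetical, not real DC certs): a tiny tbsCertificate,
# a genuine signatureAlgorithm encoding, and a dummy BIT STRING for the signature.
def _der(tag, content):
    return bytes([tag, len(content)]) + content
def sample_cert(sig_oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, _der(0x02, b"\x01")) + alg + _der(0x03, b"\x00\xaa"))
SHA1_RSA_CERT = sample_cert("2a864886f70d010105")    # signed like dc2016.pem above
SHA256_RSA_CERT = sample_cert("2a864886f70d01010b")
```

Only the leaf certificate's own signature is inspected here; an intermediate or root signed with SHA-1 would trigger the same error, and `ALL:@SECLEVEL=0` also re-enables weak cipher suites, which is why it is applied per connection rather than globally.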