[doc] Explain TLS/SSL gotchas

TLS/SSL and X.509 are tricky. OpenLDAP adds some additional gotchas to the stack. We should document them so users don't run into issues like https://github.com/pyldap/pyldap/issues/53

* ``start_tls_s()`` requires protocol version 3. It does not work with protocol version 2.
* Several, perhaps all ``set_option(OPT_X_TLS_*, ...)`` calls require a final ``set_option(ldap.OPT_X_TLS_NEWCTX, 0)`` call to submit all previous ``set_option()`` calls. Without ``OPT_X_TLS_NEWCTX``, settings are effectively ignored. 

```
        l.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
        l.set_option(ldap.OPT_X_TLS_CACERTFILE, 'path/to/ca.pem')
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap. OPT_X_TLS_NEVER)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
```

* [ ] emit warning when ``OPT_X_TLS_NEWCTX`` is required
* [ ] emit warning when connection is already established and ``OPT_X_TLS_*`` are useless.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[doc] Explain TLS/SSL gotchas #55

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[doc] Explain TLS/SSL gotchas #55

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions