https://bugs.openldap.org/show_bug.cgi?id=8753
--- Comment #12 from Michael Ströder michael@stroeder.com ---
(In reply to Ondřej Kuzník from comment #11)
> It should be analogous to HTTP Public Key Pinning, that's why it's working with keys, not certificates.
Ah, ok.
For the python-ldap0 tests I've used this to generate the SHA-256 hash:
openssl rsa -in tests/tls/localhost.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
But it does not work (with libldap 2.6.1):
ldap0.CONNECT_ERROR: {'result': -11, 'desc': b'Connect error', 'ctrls': [], 'info': b'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
See the (commented) lines in the test:
https://code.stroeder.com/pymod/python-ldap0/src/branch/main/tests/test_ldap...
Assuming I got this right:
https://code.stroeder.com/pymod/python-ldap0/commit/1ec4ad7ada7388835d5df8c8...
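The pin pipeline in the comment above hashes the DER-encoded SubjectPublicKeyInfo (what `-pubout -outform der` emits), which is the same thing HPKP pins. A quick check a practitioner wants before blaming the library is that the value derived from the private key is identical to the value derived from the certificate the server actually presents. The script below is an added example, not code from the bug report, OpenLDAP or python-ldap0; it assumes only that the `openssl` CLI is on `PATH` and generates its own throwaway self-signed key/certificate pair (`localhost.key`, `localhost.crt`, constructed here, not the files from the python-ldap0 test suite). `openssl pkey` is used instead of `openssl rsa` so the same pipeline also works for EC keys.

```shell
#!/bin/sh
# Added example: derive an HPKP-style SPKI SHA-256 pin from a private key and
# from a certificate, and verify both agree. Assumes the openssl CLI exists.
set -eu

# Pin from a private key: same pipeline as in the comment, but via `openssl pkey`
# so RSA and EC keys are handled alike. Output is base64 of the 32-byte digest.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Pin from a certificate: extract the SubjectPublicKeyInfo (PEM), re-encode it
# as DER, then hash exactly as above. This is what the peer presents on the wire.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# Generate a constructed, throwaway self-signed pair in directory $1.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=localhost" \
      -keyout "$1/localhost.key" -out "$1/localhost.crt" >/dev/null 2>&1
}

# Create a pair, compute both pins, and print the pin only if they match
# (non-empty and identical); exit non-zero otherwise.
check_pins_match() {
    dir=$(mktemp -d)
    make_test_pair "$dir"
    key_pin=$(spki_pin_from_key "$dir/localhost.key")
    cert_pin=$(spki_pin_from_cert "$dir/localhost.crt")
    rm -rf "$dir"
    [ -n "$key_pin" ] && [ "$key_pin" = "$cert_pin" ] || return 1
    printf '%s\n' "$key_pin"
}

# Usage: ./spki_pin.sh  -> prints the pin, e.g. a 44-character base64 string
check_pins_match
```

If the two values differ, the key file is not the one behind the certificate the server serves (or a certificate in the chain other than the leaf was hashed), and no pin format will match. Note that hashing the certificate DER itself (`openssl x509 -outform der | openssl dgst -sha256`) gives a different value from the SPKI pin and changes on every re-issue even when the key is kept.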