@klukiyan
Last active March 24, 2025 11:01
LDAPS.md

Links: [[CT Obsidian]] | [[MyHome]]

I have the code sample that works for the server here, including the certificate (`case 'ldap-test':`). It works on the server. However, on the Mac I'll need to apply one of the solutions from [[#^e1c663|below]].

These are the keys for debugging:

```php
// Disabling certificate verification makes the local (Mac) connection work:
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

// Debug trace (level 7 prints the OpenLDAP/TLS trace shown further down)
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$this->error("LDAP Error: " . ldap_error($ldap_connection));
```

Yes, this error occurs because modern systems (like your M3 MacBook) enforce stricter security standards for SSL/TLS certificates. The error "EE certificate key too weak" typically means the certificate is using an outdated key length or algorithm (like RSA with less than 2048 bits or weak SHA-1). ^e1c663

Here are a few workarounds, in order of recommended approach:

1. Best Solution (but requires server-side changes):
   - Update the server's SSL certificate to use stronger keys (RSA 2048+ bits or ECC)
   - Use modern signing algorithms (SHA-256 or better)

2. Intermediate Solution (still secure but more permissive):

   ```php
   // Add these before ldap_connect
   putenv('LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0:!VERS-SSL3.0');
   ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, 'NORMAL:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0:!VERS-SSL3.0');
   ```

3. Development-only workaround (NOT for production):

   ```php
   // Option A: Disable certificate verification entirely
   ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

   // Option B: Allow weak certificates (slightly better than Option A)
   putenv('LDAPTLS_ALLOW_WEAK_DH=1');
   putenv('LDAPTLS_MIN_DH_BITS=256');
   ```

4. If you need to keep using the weak certificate but want some security:

   ```php
   // Still verify the certificate but be more permissive about key strength
   ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_TRY);
   putenv('LDAPTLS_ALLOW_WEAK_DH=1');
   putenv('LDAPTLS_MIN_DH_BITS=256');
   ```

Recommendation: For development/testing, you can use option 3 or 4. However, for production, you should really push for option 1 (updating the server certificate) as it's the most secure approach and follows current security best practices.

Would you like me to provide a complete code example with any of these approaches?

```text
ldap_create
ldap_url_parse_ext(ldaps://PLGORSDC001.tpvaoc.com:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP PLGORSDC001.tpvaoc.com:636
ldap_new_socket: 12
ldap_prepare_socket: 12
ldap_connect_to_host: Trying 172.17.80.91:636
ldap_pvt_connect: fd: 12 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 66, subject: /CN=PLGORSDC001.tpvaoc.com, issuer: /DC=com/DC=tpvaoc/CN=Cnfqs001
TLS certificate verification: Error, EE certificate key too weak
TLS trace: SSL3 alert write:fatal:bad certificate
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (EE certificate key too weak).
```
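The trace above fails at depth 0 (the end-entity certificate itself, verify error 66), so the thing to confirm before asking for a server-side fix is the key size and signature algorithm of the certificate the DC actually serves. The following PHP script is an added example, not code from the gist: it captures the peer certificate with PHP's OpenSSL stream wrapper, reports its key bits and signature algorithm, and flags exactly the conditions modern OpenSSL rejects. Host names, the 2048-bit threshold and the offline self-signed test certificate are assumptions made here, not taken from the page.

```php
<?php
// Added example (not from the gist): inspect the certificate an LDAPS server presents
// and explain why a modern OpenSSL reports "EE certificate key too weak".
// Run with a host argument to probe a server, or with no argument for an offline demo
// against a constructed 1024-bit self-signed certificate.

function fetch_peer_certificate_pem(string $host, int $port = 636, float $timeout = 5.0): ?string
{
    // Diagnostic probe only: verification is off here so the certificate can be captured
    // and inspected even when OpenSSL would refuse to complete a verified handshake.
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'peer_name'         => $host, // sent as SNI
    ]]);
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        fwrite(STDERR, "connect to {$host}:{$port} failed: {$errstr} ({$errno})\n");
        return null;
    }
    $params = stream_context_get_params($sock);
    fclose($sock);
    $cert = $params['options']['ssl']['peer_certificate'] ?? null;
    if ($cert === null) {
        return null;
    }
    openssl_x509_export($cert, $pem);
    return $pem;
}

function analyze_certificate_pem(string $pem, int $minRsaBits = 2048): array
{
    $info = openssl_x509_parse($pem);
    $pub  = openssl_pkey_get_public($pem);
    if ($info === false || $pub === false) {
        throw new RuntimeException('could not parse certificate');
    }
    $key      = openssl_pkey_get_details($pub);
    $sigAlg   = $info['signatureTypeSN'] ?? 'unknown';
    $problems = [];

    // OpenSSL security level 2 (the default on current macOS/Linux builds) refuses
    // RSA keys shorter than 2048 bits with X509_V_ERR_EE_KEY_TOO_SMALL (err 66).
    if ($key['type'] === OPENSSL_KEYTYPE_RSA && $key['bits'] < $minRsaBits) {
        $problems[] = "RSA key is {$key['bits']} bits, below {$minRsaBits} ('EE certificate key too weak')";
    }
    if (preg_match('/sha1|md5/i', $sigAlg)) {
        $problems[] = "signature algorithm {$sigAlg} is deprecated";
    }
    if ($info['validTo_time_t'] < time()) {
        $problems[] = 'certificate has expired';
    }

    return [
        'subject'  => $info['subject']['CN'] ?? $info['name'],
        'issuer'   => $info['issuer']['CN'] ?? '',
        'key_bits' => $key['bits'],
        'sig_alg'  => $sigAlg,
        'valid_to' => date('c', $info['validTo_time_t']),
        'problems' => $problems,
    ];
}

// Constructed test certificate with a deliberately short key, so the checker can be
// exercised without network access. Not related to any certificate on the page.
function make_self_signed_rsa_pem(int $bits): string
{
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => $bits]);
    $csr  = openssl_csr_new(['commonName' => 'dc.example.test'], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

function print_report(string $label, array $r): void
{
    printf("%s: CN=%s issuer=%s key=%d bits sig=%s valid_to=%s\n",
        $label, $r['subject'], $r['issuer'], $r['key_bits'], $r['sig_alg'], $r['valid_to']);
    foreach ($r['problems'] as $p) {
        echo "  PROBLEM: {$p}\n";
    }
    if ($r['problems'] === []) {
        echo "  OK: a strict client should accept this certificate\n";
    }
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    if (isset($argv[1])) {
        $pem = fetch_peer_certificate_pem($argv[1], (int)($argv[2] ?? 636));
        if ($pem !== null) {
            print_report($argv[1], analyze_certificate_pem($pem));
        }
    } else {
        print_report('offline 1024-bit', analyze_certificate_pem(make_self_signed_rsa_pem(1024)));
        print_report('offline 2048-bit', analyze_certificate_pem(make_self_signed_rsa_pem(2048)));
    }
}
```

Running it against the old DC should reproduce the finding in the trace (an RSA key under 2048 bits on the leaf certificate), and against a renewed DC it should report no problems; the offline run shows both outcomes without any network access. Because the probe disables verification, its output is only a description of what the server sent, never a substitute for the verified connection the application makes.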

New setup

Please test LDAPS on one of those DCs from your Mac: Plgorsdc005.tpvaoc.com Plgorsdc006.tpvaoc.com

Regards

From: Harvey Liang 梁銘鼎 [email protected]
Sent: Friday, March 21, 2025 1:46 AM
To: Aleksander Cacak [email protected]
Cc: Petr Stary [email protected]
Subject: RE: DC Certificate renew

Dear Aleksander, the following root certificates were renewed: Plgorsdc005, Plgorsdc006


```php
// Enforce certificate verification in production; skip it elsewhere
// (the local Mac cannot verify the weak DC certificate).
if (config('app.env') === 'production') {
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
} else {
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}
```
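The environment switch above leaves every non-production connection unverified. Once the renewed DCs are available, the verification can stay on everywhere by handing the OpenLDAP client the domain CA explicitly. The function below is an added example and not the gist's or the project's code: it keeps `LDAP_OPT_X_TLS_DEMAND` in all environments, pins the CA bundle with `LDAP_OPT_X_TLS_CACERTFILE`, requires TLS 1.2 or newer, and surfaces `ldap_error()` plus the server's diagnostic message on failure. The URI, CA bundle path, bind DN, and the `$debug` flag (which stands in for the gist's `config('app.env')` check) are assumptions supplied by the caller.

```php
<?php
// Added example, not the gist's own code. Keeps certificate verification enabled in
// every environment by pointing the client at the domain CA bundle, instead of
// switching LDAP_OPT_X_TLS_REQUIRE_CERT to NEVER outside production.
// Assumed inputs: LDAPS URI, path to a PEM CA bundle, bind credentials.

function ldaps_connect(string $uri, string $caFile, string $bindDn, string $bindPassword, bool $debug = false)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: {$caFile}");
    }

    // TLS options set on a NULL handle are global in the OpenLDAP client library and
    // must be applied before ldap_connect(), exactly like the gist's own calls.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option(null, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);
    if ($debug) {
        // Same trace level the gist uses; the "TLS certificate verification" lines go
        // to stderr and name the exact verify error (e.g. "err: 66").
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("malformed LDAP URI: {$uri}");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TCP and TLS handshake happens on the first operation, so an untrusted or
    // weak server certificate surfaces here rather than at ldap_connect().
    if (!@ldap_bind($conn, $bindDn, $bindPassword)) {
        $message = ldap_error($conn);
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($conn);
        throw new RuntimeException(
            "LDAPS bind to {$uri} failed: {$message}" . ($diag !== '' ? " ({$diag})" : '')
        );
    }
    return $conn;
}

// Usage with assumed (placeholder) values; the bind DN and CA path are not from the page.
// $conn = ldaps_connect(
//     'ldaps://Plgorsdc005.tpvaoc.com:636',
//     '/path/to/tpvaoc-root-ca.pem',
//     'CN=<service account>,OU=<ou>,DC=tpvaoc,DC=com',
//     getenv('LDAP_BIND_PW'),
//     true
// );
```

Trusting the CA bundle fixes the "unknown issuer" class of failures, but it does not change the outcome for the old DC: OpenSSL rejects a leaf key below its security level regardless of which CA signed it, so against PLGORSDC001 this function still fails with the err 66 trace shown earlier. That is the intended behaviour; the renewed certificates on Plgorsdc005/Plgorsdc006 are what make the verified connection succeed.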