Bug report: TLS SNI for LDAP userdb/passdb

Tobias Wolter tobias.wolter+dovecot at b1-systems.de
Thu Sep 15 08:10:15 UTC 2022


Cheers,

On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
> On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter
> <towo at b1-systems.de> wrote:
> > Cheers,
> > 
> > Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not
> > offer any hope of salvation, so a bug report it is.
> > 
> > The LDAP connections for userdb/passdb do not support SNI via TLS.
> > 
> > Simple construct to reproduce this:
> > 
> > 0.) Have a.pem with SAN `foo.example.com`, b.pem with
> >     `bar.example.com`
> > 1.) Configure haproxy frontend with
> >     `bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem`
> > 2.) Try to use ldaps://bar.example.com/ in passdb, receive
> >     "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
> > 
> > Expectation, of course, would be for this to work; most libraries
> > should support it, it's probably just a matter of convincing the
> > appropriate binding.
> 
> Can you verify with
> 
> openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
> 
> that correct cert is served?

Forgot to mention that I of course tested with `s_client` and
`ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right
certificate as per the SNI indication.

Regards,
-towo
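The `s_client` check above only proves the server side: HAProxy picks the right certificate when a client sends SNI. The open question in this thread is whether Dovecot's LDAP client sends the server_name extension at all. The following is an added example, not code from this thread, from Dovecot or from OpenLDAP: a small parser that reads a TLS ClientHello record and reports the SNI host name it carries, or `None` when the extension is absent. The `build_client_hello()` helper exists only to construct sample records for the demonstration; the `tcpdump` invocation in the docstring is an assumed way to capture the real first record of the auth process's connection to port 636.

```python
"""Report the SNI server_name carried by a TLS ClientHello record.

Added example for the Dovecot LDAP/SNI thread; not Dovecot or OpenLDAP code.
Assumed capture procedure for a real client (not part of the original post):
  tcpdump -i any -s 0 -w hello.pcap 'tcp dst port 636'
then feed the TCP payload bytes of the first record to extract_sni().
"""
import os
import struct
from typing import Optional

SERVER_NAME_EXT = 0        # extension type server_name, RFC 6066
SUPPORTED_VERSIONS_EXT = 43


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample ClientHello; random and cipher list are placeholders."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    sv = b"\x02\x03\x04"                                      # TLS 1.3 only
    exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    body = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + os.urandom(32)                         # client random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (AES128-GCM)
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent.

    Raises ValueError when the bytes are not a ClientHello handshake record,
    so a capture of the wrong packet is reported rather than read as "no SNI".
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                     # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SERVER_NAME_EXT:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len:
            name_type = data[lp]
            nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + nlen]
            lp += 3 + nlen
            if name_type == 0:                            # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("bar.example.com", None):
        rec = build_client_hello(host)
        print(f"built with sni={host!r}: parsed sni={extract_sni(rec)!r}")
```

If the parser returns `None` for the record captured from the auth process, the client never named the host, and the SNI-aware frontend falls back to its default certificate, which matches the "Can't connect to server" failure in the report; a captured record that does carry `bar.example.com` would point the investigation back at the server side instead.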