Bug report: TLS SNI for LDAP userdb/passdb

Aki Tuomi aki.tuomi at open-xchange.com
Thu Sep 15 09:23:54 UTC 2022



On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter <tobias.wolter+dovecot at b1-systems.de> wrote:
>Cheers,
>
>On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
>> On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter
>> <towo at b1-systems.de> wrote:
>> > Cheers,
>> > 
>> > Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not
>> > offer
>> > any hope of salvation, so a bug report it is.
>> > 
>> > The LDAP connections for userdb/passdb do not support SNI via TLS.
>> > 
>> > Simple construct to reproduce this:
>> > 
>> > 0.) Have a.pem with SAN `foo.example.com`, b.pem with
>> > `bar.example.com`
>> > 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem
>> > ssl 
>> >    crt /foo/b.pem`
>> > 2.) Try to use ldaps://bar.example.com/ in passdb, receive
>> >    "auth: Error: LDAP: Can't connect to server:
>> > ldaps://bar.example.com"
>> > 
>> > Expectation, of course, would be for this to work; most libraries
>> > should support it, it's probably just a matter of convincing the
>> > appropriate binding.
>> 
>> Can you verify with
>> 
>> openssl s_client -connect bar.example.com:ldaps -servername
>> bar.example.com
>> 
>> that correct cert is served?
>
>Forgot to mention that I of course tested with `s_client` and
>`ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right
>certificate as per the SNI indication.
>
>Regards,
>-towo

Can you turn on auth_debug=yes and amp up ldap debug logging?

Aki
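The check Aki asks for, `openssl s_client -servername`, answers one question: which certificate does the endpoint serve for a given SNI name? The following is an added example, not code from the thread or from the Dovecot project. It performs the same TLS probe from Python's standard `ssl` module and then tests whether the served certificate's SAN actually covers the name used in the `ldaps://` URL, which is the comparison Dovecot's LDAP client makes when it validates the connection. The hostnames `foo.example.com` / `bar.example.com` and the sample certificate dictionaries are taken from the report or constructed for the offline test; the function names are this example's own.

```python
"""Probe an LDAPS endpoint with a chosen SNI name and check the served cert.

Added example (not Dovecot or thread code). Chain verification is kept on,
hostname verification is switched off, so the probe returns the certificate
that was actually served for the SNI name even when it is the wrong one.
"""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS entries of the SAN from a dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(names, hostname):
    """True if one SAN DNS name covers hostname.

    A wildcard matches exactly one leftmost label (RFC 6125 style):
    *.example.com covers bar.example.com but not example.com or a.bar.example.com.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]            # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def fetch_cert(host, port=636, servername=None, cafile=None, timeout=5.0):
    """Open a TLS connection sending SNI `servername` and return the peer cert dict.

    verify_mode stays CERT_REQUIRED so getpeercert() is populated (Python only
    decodes a certificate it has validated against the CA); check_hostname is
    off so a name mismatch is reported by san_covers() instead of aborting here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    sni = servername or host
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def diagnose(host, port=636, servername=None, cafile=None):
    """Return (served SAN names, whether they cover the SNI name)."""
    sni = servername or host
    names = san_dns_names(fetch_cert(host, port, sni, cafile))
    return names, san_covers(names, sni)


# Constructed stand-ins for what getpeercert() returns for the two certificates
# in the report: a.pem with SAN foo.example.com, b.pem with SAN bar.example.com.
SAMPLE_CERT_A = {"subject": ((("commonName", "foo.example.com"),),),
                 "subjectAltName": (("DNS", "foo.example.com"),)}
SAMPLE_CERT_B = {"subject": ((("commonName", "bar.example.com"),),),
                 "subjectAltName": (("DNS", "bar.example.com"),)}


if __name__ == "__main__":
    # usage: python sni_probe.py bar.example.com [port] [servername] [cafile]
    host = sys.argv[1] if len(sys.argv) > 1 else "bar.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    servername = sys.argv[3] if len(sys.argv) > 3 else None
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    names, ok = diagnose(host, port, servername, cafile)
    print("SNI sent:      ", servername or host)
    print("SAN served:    ", ", ".join(names) or "(none)")
    print("name covered:  ", "yes" if ok else "NO - wrong certificate for this SNI")
```

Run once with the name from the `ldaps://` URL as the SNI and once with the other name from the HAProxy `crt` list: if the served SAN changes with the SNI sent, the proxy side is behaving and the problem is on the client (library) side, which is what the thread is trying to establish. A `ssl.SSLCertVerificationError` from `fetch_cert` means the chain itself is not trusted by the CA bundle passed in `cafile`, a separate failure from the SNI question.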

