Bug report: TLS SNI for LDAP userdb/passdb

hi at zakaria.website
Sun Sep 18 06:52:48 UTC 2022


On 2022-09-15 10:23, Aki Tuomi wrote:
> On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter 
> <tobias.wolter+dovecot at b1-systems.de> wrote:
>> Cheers,
>> 
>> On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
>>> On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter
>>> <towo at b1-systems.de> wrote:
>>> > Cheers,
>>> >
>>> > Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not
>>> > offer any hope of salvation, so a bug report it is.
>>> >
>>> > The LDAP connections for userdb/passdb do not support SNI via TLS.
>>> >
>>> > Simple construct to reproduce this:
>>> >
>>> > 0.) Have a.pem with SAN `foo.example.com`, b.pem with
>>> > `bar.example.com`
>>> > 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem`
>>> > 2.) Try to use ldaps://bar.example.com/ in passdb, receive
>>> >    "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
>>> >
>>> > Expectation, of course, would be for this to work; most libraries
>>> > should support it, it's probably just a matter of convincing the
>>> > appropriate binding.
>>> 
>>> Can you verify with
>>> 
>>> openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
>>> 
>>> that correct cert is served?
>> 
>> Forgot to mention that I of course tested with `s_client` and
>> `ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right
>> certificate as per the SNI indication.
>> 
>> Regards,
>> -towo
> 
> Can you turn on auth_debug=yes and amp up ldap debug logging?
> 
> Aki

Try this, and confirm whether your SSL certificate matched the LDAP SNI; 
otherwise I guess it should throw a different error, which could be what's 
causing the LDAP connection failure.
http://docs.haproxy.org/dev/configuration.html#5.1-strict-sni

Zakaria.
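One way to check the behaviour this thread is chasing, as an added Python diagnostic that is not from the thread or from Dovecot: it fetches the certificate the server presents with SNI and without SNI (the situation the reporter describes for Dovecot's LDAP client) and reports whether the no-SNI certificate still covers the hostname. It assumes the server certificate chains to a CA in the system trust store; the hostname is a placeholder taken from the report.

```python
# Added diagnostic, not part of the thread. Compares the certificate served to
# a client that sends SNI with the one served to a client that does not, so a
# "Can't connect to server" failure can be pinned on a default-certificate or
# strict-sni mismatch rather than on the LDAP side.
import socket
import ssl


def san_covers_host(dns_sans, host):
    """True if any DNS SAN matches host; '*.' wildcard matches exactly one label."""
    host = host.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == san[2:]:
                return True
    return False


def dns_sans(peer_cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [v for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]


def fetch_cert(host, port, send_sni):
    """Handshake with or without SNI. Chain verification stays on (getpeercert()
    returns an empty dict otherwise); hostname checking is off so the served
    certificate can be inspected even when it is the wrong one."""
    ctx = ssl.create_default_context()  # assumes a CA in the system trust store
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


def diagnose(host, port=636):
    """Print both results and return whether a non-SNI client gets a valid cert."""
    with_sni = dns_sans(fetch_cert(host, port, send_sni=True))
    print(f"with SNI   : {with_sni} covers {host}: {san_covers_host(with_sni, host)}")
    try:
        without = dns_sans(fetch_cert(host, port, send_sni=False))
    except ssl.SSLError as exc:
        # haproxy 'strict-sni' refuses the handshake instead of serving a default cert
        print(f"without SNI: handshake refused ({exc.__class__.__name__})")
        return False
    ok = san_covers_host(without, host)
    print(f"without SNI: {without} covers {host}: {ok}")
    return ok


if __name__ == "__main__":
    diagnose("bar.example.com")  # placeholder host from the report
```

If the first line reports a match and the second does not, the endpoint is fine for SNI-aware clients and the failure is the missing SNI on the LDAP client side.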

