Bug report: TLS SNI for LDAP userdb/passdb
Cheers,
Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer any hope of salvation, so a bug report it is.
The LDAP connections for userdb/passdb do not support SNI via TLS.
Simple construct to reproduce this:
0.) Have a.pem with SAN foo.example.com, b.pem with bar.example.com
1.) Configure haproxy frontend with bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem
2.) Try to use ldaps://bar.example.com/ in passdb, receive
"auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
Expectation, of course, would be for this to work; most libraries should support it, it's probably just a matter of convincing the appropriate binding.
Kind regards, -towo
On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter <towo@b1-systems.de> wrote:
> Cheers,
>
> Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer any hope of salvation, so a bug report it is.
> The LDAP connections for userdb/passdb do not support SNI via TLS.
> Simple construct to reproduce this:
> 0.) Have a.pem with SAN foo.example.com, b.pem with bar.example.com
> 1.) Configure haproxy frontend with bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem
> 2.) Try to use ldaps://bar.example.com/ in passdb, receive
> "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
> Expectation, of course, would be for this to work; most libraries should support it, it's probably just a matter of convincing the appropriate binding.
>
> Kind regards, -towo
Can you verify with

  openssl s_client -connect bar.example.com:ldaps -servername bar.example.com

that the correct cert is served?
Aki
Cheers,
On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
> Can you verify with
>
>   openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
>
> that the correct cert is served?

Forgot to mention that I of course tested with s_client and ldapsearch/ldapwhoami; HAProxy correctly serves the right certificate as per the SNI indication.
Regards, -towo
On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter <tobias.wolter+dovecot@b1-systems.de> wrote:
> Cheers,
>
> On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
> > Can you verify with
> >   openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
> > that the correct cert is served?
>
> Forgot to mention that I of course tested with s_client and ldapsearch/ldapwhoami; HAProxy correctly serves the right certificate as per the SNI indication.
>
> Regards, -towo
Can you turn on auth_debug=yes and amp up ldap debug logging?
Aki
On 2022-09-15 10:23, Aki Tuomi wrote:
> On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter <tobias.wolter+dovecot@b1-systems.de> wrote:
> > Forgot to mention that I of course tested with s_client and ldapsearch/ldapwhoami; HAProxy correctly serves the right certificate as per the SNI indication.
>
> Can you turn on auth_debug=yes and amp up ldap debug logging?
>
> Aki
Try this, and confirm whether your SSL certificate matched the LDAP SNI; otherwise I guess it should throw a different error, which could be what's causing the LDAP connection failure. http://docs.haproxy.org/dev/configuration.html#5.1-strict-sni
Zakaria.
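As an added example (not code from the thread, from Dovecot or from HAProxy), the following script does from Python what Aki's openssl s_client -servername check does by hand, and then repeats the connection without any server_name, which is how a client that never sends SNI (the behaviour the report attributes to Dovecot's LDAP userdb/passdb) appears to a frontend like the HAProxy bind in the report. Comparing the DNS SANs served in both cases tells you whether the endpoint is SNI-independent, SNI-required (the report's case: the default cert is a.pem for foo.example.com, so bar.example.com only verifies when SNI is sent), misconfigured even with SNI, or, with strict-sni as Zakaria suggests, refused outright without SNI. The host, port and --cafile arguments are assumptions; the thread names no reachable endpoint.

```python
"""Does the certificate this TLS endpoint serves depend on SNI?

Added example (not code from the thread, Dovecot or HAProxy).  It performs
the `openssl s_client -servername` check from Python and repeats the
connection *without* a server_name, which is what a client that never sends
SNI looks like to a frontend such as the HAProxy bind in the report.  The
host, port and CA file are command-line arguments; the thread gives none.
"""
import argparse
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a certificate dict as ssl.SSLSocket.getpeercert() returns it."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(cert, hostname):
    """True if one DNS SAN matches hostname exactly or via a single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        # "*.example.com" covers "bar.example.com" but not "a.b.example.com"
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def classify(cert_without_sni, cert_with_sni, hostname):
    """Summarise the two probes.  cert_without_sni is None when the server
    refused the handshake without SNI (what HAProxy's strict-sni does)."""
    if not hostname_covered(cert_with_sni, hostname):
        return "misconfigured"          # wrong cert even when SNI is sent
    if cert_without_sni is None:
        return "refused-without-sni"    # handshake fails unless SNI is present
    if hostname_covered(cert_without_sni, hostname):
        return "sni-independent"        # clients that omit SNI still get a valid cert
    return "sni-required"               # the report's case: default cert is for another name


def fetch_cert(host, port, sni, cafile=None):
    """Connect and return the peer certificate dict.  `sni` is the server_name
    to send, or None to send none at all.  The chain is verified against
    `cafile` (or the system store) because getpeercert() only returns the
    parsed dict when verification is on; hostname checking is off because we
    compare the name ourselves."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # required to allow server_hostname=None
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def probe(host, port, cafile=None):
    """Run both probes against host:port and return (cert_without, cert_with, verdict)."""
    with_sni = fetch_cert(host, port, host, cafile)
    try:
        without_sni = fetch_cert(host, port, None, cafile)
    except ssl.SSLCertVerificationError:
        raise                           # untrusted chain: pass the right --cafile
    except ssl.SSLError:
        without_sni = None              # handshake refused without SNI (strict-sni)
    return without_sni, with_sni, classify(without_sni, with_sni, host)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("host")
    ap.add_argument("port", nargs="?", type=int, default=636)
    ap.add_argument("--cafile", help="CA bundle that signs the frontend's certificates")
    args = ap.parse_args()
    without, with_, verdict = probe(args.host, args.port, args.cafile)
    print("with SNI    :", san_dns_names(with_))
    print("without SNI :", "handshake refused" if without is None else san_dns_names(without))
    print("verdict     :", verdict)
```

Run as `python probe_sni.py bar.example.com 636 --cafile ca.pem` against your own frontend. A verdict of sni-required means the setup is correct from HAProxy's side but any client that omits SNI will see a certificate for the wrong name and fail verification, which is consistent with the "Can't connect to server" error in the report; refused-without-sni is what you get once strict-sni is enabled, and the failing client then sees a handshake error instead of a name mismatch.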