Cheers,

Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer any hope of salvation, so a bug report it is.

The LDAP connections for userdb/passdb do not support SNI via TLS.

Simple construct to reproduce this:

0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl? crt /foo/b.pem`
2.) Try to use ldaps://bar.example.com/ in passdb, receive "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"

Expectation, of course, would be for this to work; most libraries should support it, it's probably just a matter of convincing the appropriate binding.

Kind regards,
-towo
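The construct in the report can be reproduced offline without haproxy or an LDAP server. The following is an added example (not code from the thread, from Dovecot or from haproxy) in Go: it generates two self-signed certificates in memory, the names `foo.example.com` and `bar.example.com` being the report's placeholders, starts a local TLS listener that selects a certificate by SNI and otherwise serves the first one (which is how a multi-`crt` haproxy frontend behaves), and then connects twice, once sending `server_name` and once not, the way a client without SNI support does. For each connection it reports which SAN was served and whether that leaf verifies for `bar.example.com`. It goes one step beyond the report by showing that a client without SNI receives the default `foo` certificate, which then fails hostname verification for `bar.example.com`; the thread itself does not say which TLS error Dovecot's LDAP client hit, so treat that last step as the likely mechanism rather than a confirmed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed certificate whose only SAN is host.
// It stands in for a.pem / b.pem from the report (names are placeholders).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startSNIServer mimics the haproxy frontend: certs[0] is the default, any other
// certificate is chosen only when the ClientHello's SNI names one of its SANs.
func startSNIServer(certs ...tls.Certificate) (net.Listener, error) {
	byName := map[string]tls.Certificate{}
	for _, c := range certs {
		leaf, err := x509.ParseCertificate(c.Certificate[0])
		if err != nil {
			return nil, err
		}
		for _, n := range leaf.DNSNames {
			byName[n] = c
		}
	}
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[hello.ServerName]; ok {
				return &c, nil
			}
			return &certs[0], nil // no SNI, or unknown name: default cert
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // complete the handshake so the client sees the cert
			}(conn)
		}
	}()
	return ln, nil
}

// checkHost dials addr, sending server_name = sni (sni == "" sends no SNI at all),
// and reports the served leaf's SAN and whether it verifies for wantHost.
// InsecureSkipVerify is used only so the leaf can be inspected; the hostname
// check is done explicitly with VerifyHostname.
func checkHost(addr, sni, wantHost string) (servedSAN string, hostnameOK bool, err error) {
	raw, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return "", false, err
	}
	defer raw.Close()
	conn := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err := conn.Handshake(); err != nil {
		return "", false, err
	}
	leaf := conn.ConnectionState().PeerCertificates[0]
	return leaf.DNSNames[0], leaf.VerifyHostname(wantHost) == nil, nil
}

// demoResult holds both connection attempts against the same listener.
type demoResult struct {
	SANWithSNI, SANWithoutSNI         string
	VerifiesWithSNI, VerifiesWithoutSNI bool
}

// runDemo reproduces the report: bar.example.com only works when SNI is sent.
func runDemo() (demoResult, error) {
	var r demoResult
	ln, err := startSNIServer(selfSigned("foo.example.com"), selfSigned("bar.example.com"))
	if err != nil {
		return r, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	if r.SANWithSNI, r.VerifiesWithSNI, err = checkHost(addr, "bar.example.com", "bar.example.com"); err != nil {
		return r, err
	}
	r.SANWithoutSNI, r.VerifiesWithoutSNI, err = checkHost(addr, "", "bar.example.com")
	return r, err
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("with SNI:    served %s, verifies for bar.example.com: %v\n", r.SANWithSNI, r.VerifiesWithSNI)
	fmt.Printf("without SNI: served %s, verifies for bar.example.com: %v\n", r.SANWithoutSNI, r.VerifiesWithoutSNI)
}
```

Against a real frontend the same two observations come from `openssl s_client` with and without `-servername`: if the SAN in the served certificate changes between the two runs, the server depends on SNI, and any client that does not send it will be handed the default certificate and fail hostname verification.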
On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter <towo at b1-systems.de> wrote:
> Cheers,
>
> Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer
> any hope of salvation, so a bug report it is.
>
> The LDAP connections for userdb/passdb do not support SNI via TLS.
>
> Simple construct to reproduce this:
>
> 0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
> 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl?
>     crt /foo/b.pem`
> 2.) Try to use ldaps://bar.example.com/ in passdb, receive
>     "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
>
> Expectation, of course, would be for this to work; most libraries
> should support it, it's probably just a matter of convincing the
> appropriate binding.
>
> Kind regards,
> -towo

Can you verify with

    openssl s_client -connect bar.example.com:ldaps -servername bar.example.com

that the correct cert is served?

---
Aki