Cheers,

On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
> On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter
> <towo at b1-systems.de> wrote:
> > Cheers,
> >
> > Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not
> > offer any hope of salvation, so a bug report it is.
> >
> > The LDAP connections for userdb/passdb do not support SNI via TLS.
> >
> > Simple construct to reproduce this:
> >
> > 0.) Have a.pem with SAN `foo.example.com`, b.pem with
> >     `bar.example.com`
> > 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem
> >     ssl crt /foo/b.pem`
> > 2.) Try to use ldaps://bar.example.com/ in passdb, receive
> >     "auth: Error: LDAP: Can't connect to server:
> >     ldaps://bar.example.com"
> >
> > Expectation, of course, would be for this to work; most libraries
> > should support it, it's probably just a matter of convincing the
> > appropriate binding.
>
> Can you verify with
>
> openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
>
> that correct cert is served?

Forgot to mention that I of course tested with `s_client` and
`ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right
certificate as per the SNI indication.

Regards,
-towo
On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter <tobias.wolter+dovecot at b1-systems.de> wrote:
> Cheers,
>
> On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote:
> > On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter
> > <towo at b1-systems.de> wrote:
> > > Cheers,
> > >
> > > Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not
> > > offer any hope of salvation, so a bug report it is.
> > >
> > > The LDAP connections for userdb/passdb do not support SNI via TLS.
> > >
> > > Simple construct to reproduce this:
> > >
> > > 0.) Have a.pem with SAN `foo.example.com`, b.pem with
> > >     `bar.example.com`
> > > 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem
> > >     ssl crt /foo/b.pem`
> > > 2.) Try to use ldaps://bar.example.com/ in passdb, receive
> > >     "auth: Error: LDAP: Can't connect to server:
> > >     ldaps://bar.example.com"
> > >
> > > Expectation, of course, would be for this to work; most libraries
> > > should support it, it's probably just a matter of convincing the
> > > appropriate binding.
> >
> > Can you verify with
> >
> > openssl s_client -connect bar.example.com:ldaps -servername bar.example.com
> >
> > that correct cert is served?
>
> Forgot to mention that I of course tested with `s_client` and
> `ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right
> certificate as per the SNI indication.
>
> Regards,
> -towo

Can you turn on auth_debug=yes and amp up ldap debug logging?

Aki
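The check Aki asks for above (does the frontend serve the certificate matching the SNI name, and what does it serve when no SNI is sent at all?) as an added, scripted example; this is not code from the thread, Dovecot or HAProxy. It assumes an LDAPS port of 636, a `cafile` argument naming the CA that issued a.pem/b.pem (or the system store when omitted), and the hostname `bar.example.com` from the report as the sample invocation.

```python
#!/usr/bin/env python3
"""Compare the leaf certificate a TLS endpoint serves with and without SNI."""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname. A '*' is accepted only as
    the whole left-most label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, _, tail = hostname.partition(".")
    return bool(head) and tail == pattern[2:]


def cert_covers(cert, hostname):
    """True when any DNS SAN of the served certificate covers hostname."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))


def served_names(host, port=636, servername=None, cafile=None):
    """One handshake; servername=None sends no SNI at all. The chain is
    still verified (cafile or the system store), but hostname checking is
    off so the served certificate is reported even when it is the wrong
    one for servername."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we want to *see* a mismatch, not fail on it
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return san_dns_names(tls.getpeercert())


def sni_report(host, expected, port=636, cafile=None):
    """Names served with SNI=expected vs. without SNI, plus whether the
    SNI answer actually covers the expected name."""
    with_sni = served_names(host, port, expected, cafile)
    without = served_names(host, port, None, cafile)
    ok = any(name_matches(n, expected) for n in with_sni)
    return {"with_sni": with_sni, "without_sni": without, "sni_ok": ok}


if __name__ == "__main__":
    import json, sys  # usage: sni_check.py bar.example.com [ca.pem]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(sni_report(sys.argv[1], sys.argv[1], cafile=ca), indent=2))
```

If `with_sni` already lists the wrong name, the frontend is at fault; if it is right but `without_sni` is not, the client side (here Dovecot's LDAP binding) is the one not sending SNI.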