processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/ejabberd/

LDAPS fails on strict SNI, probably due to no hostname being sent #4307

Open skedastically opened 1 week ago

skedastically commented 1 week ago

Environment

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: debug
host_config:
  example.com:
    auth_method: [ldap]
    ldap_servers:
      - ldap.example.com
    ldap_port: 3890
    ldap_encrypt: tls
    ldap_tls_verify: false
    ldap_uids:
      - uid
    ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=com"
    ldap_password: "[redacted]"
    ldap_base: "ou=people,dc=example,dc=com"

Errors from error.log/crash.log

2024-11-10 14:14:41.385 [notice] TLS :client: In state :hello received SERVER ALERT: Fatal - Unrecognized Name

Bug description

I'm configuring ejabberd to connect to LLDAP, whose connections are reverse proxied through a TLS-terminating TCP router (Traefik). The cert issued is a wildcard DNS-01 challenge type.

With strict SNI checking turned on (tls.options.default.sniStrict=true), LDAP fails with the above error.

Traefik's logs reveal the following line, which further indicates the issue:

<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:216 > TLS: strict SNI enabled - No certificate found for domain: "", closing connection

Workaround

Either disable strict SNI on the Traefik router, which works as ldap_tls_verify is false by default:

<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

Or connect through plain LDAP in an isolated LAN (user-defined bridge network).


I'm not sure if sending hostname is the proper way to do LDAP. Please let me know if so.
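The symptom reported above is what a strict-SNI front end produces when the TLS client never names a host: Traefik's log shows an empty domain (`""`) and the client sees a fatal `Unrecognized Name` alert. The quickest way to confirm that ejabberd's LDAP client is the side omitting the name is to capture the first record it sends (the ClientHello) and check for the `server_name` extension. The script below is an added diagnostic example, not code from ejabberd or Traefik; it builds two constructed ClientHello records (one with SNI for the hostname `ldap.example.com` from the issue, one without) and parses them the way a capture from the LDAP connection could be parsed.

```python
"""Check whether a TLS ClientHello record carries the server_name (SNI) extension.

Added example, not part of ejabberd or Traefik. A strict-SNI server (Traefik with
sniStrict=true) rejects a ClientHello with no server_name extension, which is the
"Unrecognized Name" alert seen in the issue. Feed the first bytes the LDAP client
sends (e.g. the payload of the first packet in a capture) to extract_sni().
"""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # TLS extension type "server_name" (RFC 6066)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI.

    This is a constructed sample for testing the parser, not a capture.
    """
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
        ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeros; constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext)) + ext           # extensions block
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None.

    Raises ValueError if the bytes are not a TLS handshake record holding a
    ClientHello. None means the client did not name a host, which is exactly
    the case a strict-SNI terminator refuses.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    o = 2 + 32                                   # skip client_version and random
    sid_len = body[o]
    o += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[o:o + 2])[0]
    o += 2 + cs_len                              # skip cipher_suites
    cm_len = body[o]
    o += 1 + cm_len                              # skip compression_methods
    if o + 2 > len(body):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", body[o:o + 2])[0]
    o += 2
    end = min(o + ext_len, len(body))
    while o + 4 <= end:
        etype, elen = struct.unpack("!HH", body[o:o + 4])
        o += 4
        edata = body[o:o + elen]
        o += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name)
        p = 2
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            if ntype == 0:
                return name.decode("ascii")
            p += 3 + nlen
    return None


def would_fail_strict_sni(record: bytes) -> bool:
    """True when a strict-SNI terminator would answer this ClientHello with an alert."""
    return extract_sni(record) is None


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello("ldap.example.com")),
                         ("without SNI", build_client_hello(None))):
        print(f"{label}: server_name={extract_sni(hello)!r} "
              f"strict-SNI rejects={would_fail_strict_sni(hello)}")
```

Running the script on a real capture means replacing the constructed record with the bytes of the client's first TLS record; if `extract_sni` returns `None` the workaround choice follows directly: either the client must be made to send the name, or the terminator must be allowed to serve a default certificate as the second Traefik log line shows.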