Bug 2009534

Summary: Backport TLS SNI feature from OpenLDAP 2.5
Product: [Fedora] Fedora Reporter: Simon Pichugin <spichugi>
Component: openldapAssignee: Simon Pichugin <spichugi>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: cheimes, extras-qa, lance, spichugi, tbordaz, vashirov
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: openldap-2.4.59-4.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1999036 Environment:
Last Closed: 2021-12-01 02:16:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1999036    
Bug Blocks:    

Description Simon Pichugin 2021-09-30 21:49:19 UTC 
+++ This bug was initially created as a clone of Bug #1999036 +++

Description of problem:
OpenLDAP 2.4's libldap client library does not send a server name indication (SNI) TLS extension during the TLS handshake. The SNI extension is useful for virtual hosting and application-level routing. For example OpenShift's ingress router can route any traffic that uses TLS with SNI.

OpenLDAP added TLS SNI feature in 2.5 in upstream ticket ITS#9176.

Version-Release number of selected component (if applicable):
All OpenLDAP 2.4 releases

How reproducible:
always

Steps to Reproduce:
1. Use any tool like ldapsearch with ldaps:// URI
2. sniff traffic on port 636/TCP

Actual results:
ClientHello does not have a SNI extension

Expected results:
ClientHello contains a SNI extension for hostname of LDAP server.

Additional info:
https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html

Related upstream commits:
5c0efb9ce83db383631ce79e8f246d73c33b9ab3
b8f34888c3c72e67e822843a9a83b83562f68e79
4265849b0f1e5e2f65da6fea603b7b66a2c9fbc1
e96f90e21229f9d83129db0da017e0fe5a0a27c8

Patch: https://github.com/openldap/openldap/compare/OPENLDAP_REL_ENG_2_4...tiran:sni_2_4.patch

--- Additional comment from Christian Heimes on 2021-09-14 08:13:43 UTC ---

I have tested your scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=75616846 . Wireshark's command line tool shows that the client library is sending a TLS SNI extension with correct hostname. The unpatched version openldap-2.4.59-3.fc35.x86_64 does not send the TLS SNI extension.

# rpm -qa openldap
openldap-2.4.59-3.fc35.x86_64
# LDAPTLS_REQCERT=never ldapsearch -H ldaps://ipa.demo1.freeipa.org -b "" -s base -x > /dev/null

# tshark -Y tls.handshake.type==1 -T fields -e tls.handshake.extensions_server_name -f "port 636"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
ipa.demo1.freeipa.org
Comment 1 Simon Pichugin 2021-12-01 02:16:52 UTC 
Closed as the fix is in the current version - https://src.fedoraproject.org/rpms/openldap/c/005aba9f80f084ae4c6a0b8ec05670009f1854e4?branch=rawhide