Bug 1999036 - Backport TLS SNI feature from OpenLDAP 2.5
Summary: Backport TLS SNI feature from OpenLDAP 2.5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 34
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
Assignee: Simon Pichugin
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 2009533 2009534
TreeView+ depends on / blocked
 
Reported: 2021-08-30 09:49 UTC by Christian Heimes
Modified: 2021-10-16 20:43 UTC (History)
4 users (show)

Fixed In Version: openldap-2.4.57-6.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2009533 2009534 (view as bug list)
Environment:
Last Closed: 2021-10-16 20:43:28 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Backport patch (6.41 KB, application/mbox)
2021-08-30 09:49 UTC, Christian Heimes 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker IDMDS-1685 0 None None None 2021-09-29 15:58:32 UTC

Description Christian Heimes 2021-08-30 09:49:19 UTC 
Created attachment 1819041 [details]
Backport patch

Description of problem:
OpenLDAP 2.4's libldap client library does not send a server name indication (SNI) TLS extension during the TLS handshake. The SNI extension is useful for virtual hosting and application-level routing. For example OpenShift's ingress router can route any traffic that uses TLS with SNI.

OpenLDAP added TLS SNI feature in 2.5 in upstream ticket ITS#9176.

Version-Release number of selected component (if applicable):
All OpenLDAP 2.4 releases

How reproducible:
always

Steps to Reproduce:
1. Use any tool like ldapsearch with ldaps:// URI
2. sniff traffic on port 636/TCP

Actual results:
ClientHello does not have a SNI extension

Expected results:
ClientHello contains a SNI extension for hostname of LDAP server.

Additional info:
https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html

Related upstream commits:
5c0efb9ce83db383631ce79e8f246d73c33b9ab3
b8f34888c3c72e67e822843a9a83b83562f68e79
4265849b0f1e5e2f65da6fea603b7b66a2c9fbc1
e96f90e21229f9d83129db0da017e0fe5a0a27c8

Patch: https://github.com/openldap/openldap/compare/OPENLDAP_REL_ENG_2_4...tiran:sni_2_4.patch
Comment 1 Christian Heimes 2021-09-14 08:13:43 UTC 
I have tested your scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=75616846 . Wireshark's command line tool shows that the client library is sending a TLS SNI extension with correct hostname. The unpatched version openldap-2.4.59-3.fc35.x86_64 does not send the TLS SNI extension.

# rpm -qa openldap
openldap-2.4.59-3.fc35.x86_64
# LDAPTLS_REQCERT=never ldapsearch -H ldaps://ipa.demo1.freeipa.org -b "" -s base -x > /dev/null

# tshark -Y tls.handshake.type==1 -T fields -e tls.handshake.extensions_server_name -f "port 636"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
ipa.demo1.freeipa.org
Comment 2 Fedora Update System 2021-10-01 15:32:11 UTC 
FEDORA-2021-9f40bdf3be has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9f40bdf3be
Comment 3 Fedora Update System 2021-10-02 01:07:27 UTC 
FEDORA-2021-9f40bdf3be has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9f40bdf3be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9f40bdf3be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Fedora Update System 2021-10-16 20:43:28 UTC 
FEDORA-2021-9f40bdf3be has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.