Created attachment 1819041: Backport patch

Description of problem:
OpenLDAP 2.4's libldap client library does not send a server name indication (SNI) TLS extension during the TLS handshake. The SNI extension is useful for virtual hosting and application-level routing. For example, OpenShift's ingress router can route any traffic that uses TLS with SNI. OpenLDAP added the TLS SNI feature in 2.5 in upstream ticket ITS#9176.

Version-Release number of selected component (if applicable):
All OpenLDAP 2.4 releases

How reproducible:
always

Steps to Reproduce:
1. Use any tool like ldapsearch with an ldaps:// URI
2. Sniff traffic on port 636/TCP

Actual results:
ClientHello does not have an SNI extension

Expected results:
ClientHello contains an SNI extension for the hostname of the LDAP server.

Additional info:
https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html

Related upstream commits:
5c0efb9ce83db383631ce79e8f246d73c33b9ab3
b8f34888c3c72e67e822843a9a83b83562f68e79
4265849b0f1e5e2f65da6fea603b7b66a2c9fbc1
e96f90e21229f9d83129db0da017e0fe5a0a27c8

Patch: https://github.com/openldap/openldap/compare/OPENLDAP_REL_ENG_2_4...tiran:sni_2_4.patch
I have tested your scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=75616846 . Wireshark's command line tool shows that the client library is sending a TLS SNI extension with the correct hostname. The unpatched version openldap-2.4.59-3.fc35.x86_64 does not send the TLS SNI extension.

    # rpm -qa openldap
    openldap-2.4.59-3.fc35.x86_64
    # LDAPTLS_REQCERT=never ldapsearch -H ldaps://ipa.demo1.freeipa.org -b "" -s base -x > /dev/null
    # tshark -Y tls.handshake.type==1 -T fields -e tls.handshake.extensions_server_name -f "port 636"
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'eth0'
    ipa.demo1.freeipa.org
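As an added illustration of the check above (this is not code from the bug report, from OpenLDAP or from Wireshark), the following Python parses a captured TLS ClientHello record and returns the host name from its server_name extension, which is the value the tshark field tls.handshake.extensions_server_name prints; an empty result is the "no SNI" case the unpatched client produces. The function names and the minimal ClientHello builder are constructed for this example so it runs offline against a constructed record.

```python
import struct

SNI_EXT_TYPE = 0  # server_name extension type from RFC 6066


def sni_from_client_hello(record):
    """Return the host name in the ClientHello's server_name extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                      # record+handshake headers, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos >= len(record):
        return None                                       # hello carries no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SNI_EXT_TYPE and record[pos + 2] == 0:   # name_type 0 = host_name
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len                                    # skip any other extension
    return None


def build_client_hello(host=None):
    """Constructed minimal TLS 1.2 ClientHello (zero random, one suite); adds SNI when host is given."""
    body = b"\x03\x03" + bytes(32)                        # client_version + random
    body += b"\x00"                                       # empty session_id
    body += b"\x00\x02\xc0\x2f"                           # one cipher suite
    body += b"\x01\x00"                                   # null compression
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # ServerName(host_name)
        sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni        # Extension
        body += struct.pack("!H", len(ext)) + ext                     # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(sni_from_client_hello(build_client_hello("ipa.demo1.freeipa.org")))
    print(sni_from_client_hello(build_client_hello()))
```

To run it against real traffic, feed the raw bytes of the first TLS record sent by the client (for example the payload tshark or tcpdump captured on port 636) to sni_from_client_hello.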
FEDORA-2021-9f40bdf3be has been submitted as an update to Fedora 34.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-9f40bdf3be
FEDORA-2021-9f40bdf3be has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9f40bdf3be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9f40bdf3be
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-9f40bdf3be has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.