2009533 – Backport TLS SNI feature from OpenLDAP 2.5

Bug 2009533 - Backport TLS SNI feature from OpenLDAP 2.5

Summary: Backport TLS SNI feature from OpenLDAP 2.5

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openldap
Sub Component:
Version:	35
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Simon Pichugin
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:	1999036
Blocks:
TreeView+	depends on / blocked

Reported:	2021-09-30 21:49 UTC by Simon Pichugin
Modified:	2021-10-04 00:15 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openldap-2.4.59-3.fc35
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1999036
Environment:
Last Closed:	2021-10-04 00:15:46 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	IDMDS-1688	0	None	None	None	2021-09-30 21:50:24 UTC

Description Simon Pichugin 2021-09-30 21:49:10 UTC

+++ This bug was initially created as a clone of Bug #1999036 +++

Description of problem:
OpenLDAP 2.4's libldap client library does not send a server name indication (SNI) TLS extension during the TLS handshake. The SNI extension is useful for virtual hosting and application-level routing. For example OpenShift's ingress router can route any traffic that uses TLS with SNI.

OpenLDAP added TLS SNI feature in 2.5 in upstream ticket ITS#9176.

Version-Release number of selected component (if applicable):
All OpenLDAP 2.4 releases

How reproducible:
always

Steps to Reproduce:
1. Use any tool like ldapsearch with ldaps:// URI
2. sniff traffic on port 636/TCP

Actual results:
ClientHello does not have a SNI extension

Expected results:
ClientHello contains a SNI extension for hostname of LDAP server.

Additional info:
https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html

Related upstream commits:
5c0efb9ce83db383631ce79e8f246d73c33b9ab3
b8f34888c3c72e67e822843a9a83b83562f68e79
4265849b0f1e5e2f65da6fea603b7b66a2c9fbc1
e96f90e21229f9d83129db0da017e0fe5a0a27c8

Patch: https://github.com/openldap/openldap/compare/OPENLDAP_REL_ENG_2_4...tiran:sni_2_4.patch

--- Additional comment from Christian Heimes on 2021-09-14 08:13:43 UTC ---

I have tested your scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=75616846 . Wireshark's command line tool shows that the client library is sending a TLS SNI extension with correct hostname. The unpatched version openldap-2.4.59-3.fc35.x86_64 does not send the TLS SNI extension.

# rpm -qa openldap
openldap-2.4.59-3.fc35.x86_64
# LDAPTLS_REQCERT=never ldapsearch -H ldaps://ipa.demo1.freeipa.org -b "" -s base -x > /dev/null

# tshark -Y tls.handshake.type==1 -T fields -e tls.handshake.extensions_server_name -f "port 636"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
ipa.demo1.freeipa.org

Comment 1 Fedora Update System 2021-10-01 15:29:52 UTC

FEDORA-2021-76cf042914 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-76cf042914

Comment 2 Fedora Update System 2021-10-02 02:23:14 UTC

FEDORA-2021-76cf042914 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-76cf042914`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-76cf042914

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2021-10-04 00:15:46 UTC

FEDORA-2021-76cf042914 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.