ejabberd
LDAPS fails on strict SNI, probably due to no hostname being sent
Environment
- ejabberd version: 24.10.0 docker
- Erlang version (`erl +V`): unsure
- OS: Linux (Alpine)
- Installed from: ghcr.io/processone/ejabberd
Configuration (only if needed): `grep -Ev '^$|^\s*#' ejabberd.yml`

```yaml
loglevel: debug
host_config:
  example.com:
    auth_method: [ldap]
    ldap_servers:
      - ldap.example.com
    ldap_port: 3890
    ldap_encrypt: tls
    ldap_tls_verify: false
    ldap_uids:
      - uid
    ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=com"
    ldap_password: "[redacted]"
    ldap_base: "ou=people,dc=example,dc=com"
```
Errors from error.log/crash.log
```
2024-11-10 14:14:41.385 [notice] TLS :client: In state :hello received SERVER ALERT: Fatal - Unrecognized Name
```
Bug description
I'm configuring ejabberd to connect to LLDAP, whose connections are reverse proxied through a TLS-terminating TCP router (Traefik). The cert issued is a wildcard DNS-01 challenge type.
With strict SNI checking turned on (tls.options.default.sniStrict=true), LDAP fails with the above error.
Traefik's logs reveal the following line, which further indicates the issue:

```
<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:216 > TLS: strict SNI enabled - No certificate found for domain: "", closing connection
```
Workaround
Either disable strict SNI on the Traefik router, which works as ldap_tls_verify is false by default:

```
<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
```
Or connect through plain LDAP in an isolated LAN (user-defined bridge network).
I'm not sure if sending hostname is the proper way to do LDAP. Please let me know if so.