Bug #14104
Status: open
Google LDAP connections still fail even after adding SNI for TLS 1.3
Description
Tested on 23.01 and with IPv6.
After fixing https://redmine.pfsense.org/issues/11626 I see that the LDAP client is sending the SNI header during TLS negotiation ('Client_Hello.png'), but Google LDAP connections still fail.
In the PCAP I got 'Alert (Level: Fatal, Description: Unknown CA)', so it looks like Google LDAP is still replying with a self-signed certificate that will not pass CA validation checks (https://support.google.com/a/answer/9190869).
The strange part is that I get no error if I run # ldapsearch -H ldaps://ldap.google.com -x -d1:
ldap_url_parse_ext(ldaps://ldap.google.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap.google.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.google.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4860:4802:32::3a 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS Root R1, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3, issuer: /C=US/O=Google Trust Services LLC/CN=GTS Root R1
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.google.com, issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
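The ldapsearch trace above shows the client building the chain up to GTS Root R1 from its own trust store. The following script reproduces that handshake with Python's ssl module so the client-side verify result (the verify code behind a client-sent "Unknown CA" alert) can be inspected directly, with and without SNI and against a chosen CA bundle. This is an added diagnostic example, not pfSense, OpenLDAP or Google code; ldap.google.com:636 is the endpoint named in the report, and the helper names, the verify-code hints and the defaults are assumptions of this example.

```python
"""Reproduce the LDAPS TLS handshake to ldap.google.com and report the
verify outcome. Added example; not pfSense, OpenLDAP or Google code."""
import socket
import ssl

HOST = "ldap.google.com"   # endpoint from the bug report
PORT = 636

# OpenSSL X509 verify codes most often behind a client-sent "unknown CA"
# alert. Hints are this example's wording, not OpenSSL's.
VERIFY_HINTS = {
    18: "leaf is self-signed: server sent a self-signed cert, not a CA-issued one",
    19: "self-signed cert in chain: the root the chain ends in is not in the trust store",
    20: "unable to get local issuer: the trust store lacks the issuing CA (check the CA bundle)",
    21: "unable to verify first cert: only the leaf was sent and its issuer is unknown",
}


def explain_verify_code(code):
    """Map an OpenSSL verify code to a short diagnosis."""
    return VERIFY_HINTS.get(code, "other verify error (%s)" % code)


def make_context(cafile=None, check_hostname=True):
    """Build a verifying client context. With cafile=None the platform trust
    store is used, which is what ldapsearch did in the report; pass the CA
    bundle a given LDAP client actually uses to reproduce its view."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _flatten_name(name):
    """getpeercert() returns a tuple of RDNs; turn it into a plain dict."""
    return {k: v for rdn in name for k, v in rdn}


def probe(host=HOST, port=PORT, cafile=None, send_sni=True, timeout=10):
    """Handshake once and return a dict: on success the protocol and the
    leaf's subject/issuer, on failure the verify code and a diagnosis.
    send_sni=False suppresses SNI (the pre-#11626 client behaviour);
    hostname checking is disabled in that case because Python requires
    server_hostname when check_hostname is on."""
    ctx = make_context(cafile, check_hostname=send_sni)
    sni = host if send_sni else None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                leaf = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": _flatten_name(leaf["subject"]),
                    "issuer": _flatten_name(leaf["issuer"]),
                }
    except ssl.SSLCertVerificationError as e:
        # The chain was rejected locally; this is where the client then
        # sends the fatal "unknown CA" alert seen in the PCAP.
        return {"ok": False, "verify_code": e.verify_code,
                "verify_message": e.verify_message,
                "reason": explain_verify_code(e.verify_code)}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "verify_code": None, "reason": str(e)}


if __name__ == "__main__":
    for sni in (True, False):
        print("SNI=%s:" % sni, probe(send_sni=sni))
```

Run it once with the system trust store and once with `cafile=` pointing at the bundle the failing client uses; a verify code of 19 or 20 with SNI on means the chain to GTS Root R1 could not be completed from that bundle, which is a local trust-store problem rather than a server-side one.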