https://bugs.openldap.org/show_bug.cgi?id=10326
Issue ID: 10326
Summary: SNI passing requirements differ across TLS implementations
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: ondra@mistotebe.net
Target Milestone: ---
mbedtls 3.6.3 has changed behaviour to correct a long-standing issue where not setting a hostname meant hostname checking was disabled completely (CVE-2025-27809).
It seems that how we do SNI vs. basic certificate checking differs between TLS implementations and our logic in ldap_int_tls_connect and ti_session_connect.
This is also the reason test067-tls started failing on mbedtls builds.
--- Comment #1 from Howard Chu hyc@openldap.org ---
From what I've read here https://nvd.nist.gov/vuln/detail/CVE-2025-27809 and the discussion in the mbedtls issue https://github.com/Mbed-TLS/mbedtls/issues/466 this isn't really a security concern for OpenLDAP since we always use our own hostname checking code anyway. https://git.openldap.org/openldap/openldap/-/blob/master/libraries/libldap/t...
What fails in test067?
Ondřej Kuzník ondra@mistotebe.net changed:
What             |Removed |Added
-----------------|--------|------
Target Milestone |---     |2.6.11
--- Comment #2 from Ondřej Kuzník ondra@mistotebe.net ---
AFAIK when I looked into it, ldapsearch's connection was terminated by mbedtls returning an error if mbedtls_ssl_set_hostname() wasn't called by the time it came to TLS negotiation. Something to that effect.
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed           |Added
-----------------|------------------|----------------
Target Milestone |2.6.11            |2.7.0
Keywords         |needs_review      |
Assignee         |bugs@openldap.org |hyc@openldap.org
Howard Chu hyc@openldap.org changed:
What           |Removed     |Added
---------------|------------|-----------
Ever confirmed |0           |1
Status         |UNCONFIRMED |IN_PROGRESS
--- Comment #3 from Howard Chu hyc@openldap.org ---
https://git.openldap.org/openldap/openldap/-/merge_requests/764
test067 passes with mbedtls-3.6.3