Invalid certificates when using Google Secure LDAP due to lack of SNI support in net/ldap library.
Summary
Customer (internal) filed an issue (internal) when configuring Google Secure LDAP:
# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
<SNIPPED>
Server: ldapsecondary
Exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
Checking LDAP ... Finished
The error concerns a self-signed certificate. Based on the documentation for Google Secure LDAP:
The Secure LDAP service requires a TLS client that supports and initiates a TLS session using SNI (Server Name Indication). If the TLS client does not support SNI, then the TLS server (ldap.google.com) returns a self-signed certificate that will not pass CA validation checks, to indicate that SNI is required.
To verify this, I asked the customer to take the self-signed certificate that Google serves when SNI is not enabled in the client and add it to the tls_options.ca_file in the LDAP section of their configuration.
The error changed to:
# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
<SNIPPED>
Server: ldapsecondary
Exception: hostname "ldap.google.com" does not match the server certificate
Checking LDAP ... Finished
This verifies that our LDAP library is not configured to use SNI.
Steps to reproduce
Configure Google Secure LDAP as specified in our documentation: https://docs.gitlab.com/ee/administration/auth/ldap/google_secure_ldap.html
What is the current bug behavior?
Fails with an error:
Exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
What is the expected correct behavior?
Should successfully connect to Google Secure LDAP.
Relevant logs and/or screenshots
# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
<SNIPPED>
Server: ldapsecondary
Exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)
Checking LDAP ... Finished
Possible fixes
Explicitly set OpenSSL::SSL::SSLSocket#hostname= before connecting to the LDAP server. I think it can be added in this line: https://gitlab.com/gitlab-org/omniauth-ldap/-/blob/master/lib/omniauth-ldap/adaptor.rb#L211
UPDATE: Change might need to come from the net/ldap library: #227511 (comment 971902283)
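The following is an added, self-contained Ruby illustration of the two behaviours in this issue; it is not code from GitLab, omniauth-ldap or net/ldap. A local TLS server imitates the documented Google Secure LDAP behaviour (serve a self-signed certificate when the client sends no SNI, the CA-signed certificate otherwise), and a client that verifies against a CA store, as tls_options.ca_file does, connects once without SNI and once with OpenSSL::SSL::SSLSocket#hostname= set, the fix proposed above. The hostname ldap.example.test, the demo CA and all keys and certificates are constructed at runtime and stand in for ldap.google.com and its real chain.

```ruby
# Added example: local stand-in for an SNI-requiring TLS server (as Google Secure
# LDAP is documented to behave) plus a client connecting with and without SNI.
# Everything here (hostname, CA, certificates, keys) is constructed for the demo.
require "openssl"
require "socket"

HOST = "ldap.example.test" # constructed stand-in for ldap.google.com

# Build a self-signed or CA-signed X.509v3 certificate for this demo.
def build_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Server: the default context carries the self-signed fallback certificate; the
# servername_cb swaps in the CA-signed certificate only when the SNI names HOST.
def start_sni_server(fallback_cert, fallback_key, real_cert, real_key)
  real_ctx = OpenSSL::SSL::SSLContext.new
  real_ctx.cert = real_cert
  real_ctx.key = real_key
  fallback_ctx = OpenSSL::SSL::SSLContext.new
  fallback_ctx.cert = fallback_cert
  fallback_ctx.key = fallback_key
  fallback_ctx.servername_cb = proc { |_sock, name| name == HOST ? real_ctx : nil }

  listener = TCPServer.new("127.0.0.1", 0)
  thread = Thread.new do
    loop do
      begin
        sock = listener.accept
      rescue IOError, Errno::EBADF
        break # listener closed by the main thread
      end
      begin
        ssl = OpenSSL::SSL::SSLSocket.new(sock, fallback_ctx)
        ssl.sync_close = true
        ssl.accept
        ssl.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        sock.close unless sock.closed? # client rejected our certificate
      end
    end
  end
  [listener, thread]
end

# Client: verifies the chain against the demo CA, as tls_options.ca_file would.
# use_sni: true applies the proposed fix (SSLSocket#hostname= before connect).
def try_connect(port, ca_cert, use_sni:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store = store
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = HOST if use_sni # sends SNI and enables hostname checking
  ssl.connect
  subject = ssl.peer_cert.subject.to_s
  ssl.close
  { ok: true, peer_subject: subject }
rescue OpenSSL::SSL::SSLError => e
  tcp&.close
  { ok: false, error: e.message }
end

def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert("Demo LDAP CA", ca_key, ca: true)
  real_key = OpenSSL::PKey::RSA.new(2048)
  real_cert = build_cert(HOST, real_key, issuer_cert: ca_cert, issuer_key: ca_key, san: HOST)
  fallback_key = OpenSSL::PKey::RSA.new(2048)
  fallback_cert = build_cert("sni-required", fallback_key) # self-signed, not in the CA store

  listener, thread = start_sni_server(fallback_cert, fallback_key, real_cert, real_key)
  port = listener.addr[1]
  results = {
    without_sni: try_connect(port, ca_cert, use_sni: false),
    with_sni: try_connect(port, ca_cert, use_sni: true),
  }
  listener.close
  thread.join(2) || thread.kill
  results
end

run_demo.each { |mode, r| puts "#{mode}: #{r}" } if $PROGRAM_NAME == __FILE__
```

Run stand-alone, the first connection fails with "certificate verify failed" because the fallback certificate is self-signed and not in the store, which is the first error in the report; the second connection succeeds and the peer certificate's subject is the expected host. Adding the fallback certificate to the store instead would move the failure to the hostname check, matching the second error in the report, which is why only SNI resolves it.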