[GH-ISSUE #691] LDAPS with jellyfin does not work #245

Closed
opened 2026-02-27 08:16:07 +03:00 by kerem · 6 comments
Owner

Originally created by @magns12 on GitHub (Sep 25, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/691

Hey,
LDAP is working fine but if I change the port and check Skip SSL/TLS Verification and Secure LDAP, this error occurs in the docker log:

```
2023-09-25T23:02:33.723564592+00:00  WARN     🚧 [warn]: Illegal SNI hostname received [49, 48, 46, 49, 48, 46, 49, 48, 46, 49, 48, 57] | log.target: "rustls::msgs::handshake" | log.module_path: "rustls::msgs::handshake" | log.file: "/__w/lldap/lldap/${GITHUB_WORKSPACE}/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-0.20.8/src/msgs/handshake.rs" | log.line: 271
2023-09-25T23:02:33.723613818+00:00  WARN     🚧 [warn]: Sending fatal alert DecodeError | log.target: "rustls::conn" | log.module_path: "rustls::conn" | log.file: "/__w/lldap/lldap/${GITHUB_WORKSPACE}/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-0.20.8/src/conn.rs" | log.line: 1332
2023-09-25T23:02:33.723736451+00:00  ERROR    🚨 [error]: [LDAPS] Service Error: received corrupt message of type Handshake
```
kerem closed this issue 2026-02-27 08:16:07 +03:00

@nitnelave commented on GitHub (Sep 26, 2023):

The error you get is a TLS error, more specifically a wrong SNI hostname. In short, from what I could gather, you have a certificate for LLDAP that is for the hostname example.com, but you try to access it with a different hostname (in this case, I believe that it's an IP address, 10.10.10.109). The TLS stack checks that it matches the name in the certificate, and it doesn't, so the handshake fails.

How did you configure Jellyfin? What name is in your certificate?


@magns12 commented on GitHub (Sep 27, 2023):

You're probably right! The certificate is issued to myinternalsite.net and *.myinternalsite.net. Is it somehow possible to disable the SNI check? If I use the domain instead of the direct IP, the request will get routed.


@magns12 commented on GitHub (Sep 27, 2023):

Misclicked...


@nitnelave commented on GitHub (Sep 27, 2023):

Hmm, I'd like to avoid adding yet another option to LLDAP, especially to reduce security.
I don't know about your setup, but you can probably route the request locally even with the hostname. A local iptables configuration, a docker setting, something along these lines should work.


@magns12 commented on GitHub (Oct 1, 2023):

Understandable, I added a subdomain on my DNS which points to the 10.10.10.109 as a workaround.
Thanks!


@yloose commented on GitHub (Jul 15, 2024):

Just some info for anyone else having this issue. I was having the same problem recently and was wondering why it was broken with Jellyfin but working with all my other LDAP clients as well as with ldapsearch. It seems to be related to the fact that Jellyfin sends an SNI (as nitnelave has already mentioned) that does not match the certificate. ldapsearch, however, seems to simply omit the TLS SNI extension, causing it to work. Here are some Wireshark captures:

![Not working](https://github.com/user-attachments/assets/85f999c0-f0ce-4768-b4a6-fb0e60f34d6a)
![Working](https://github.com/user-attachments/assets/401a6ef0-47ac-4893-acc1-769e681fe9f1)

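The byte list in the rustls warning is the SNI the client sent, and decoding it shows why the handshake is rejected before any certificate comparison happens: the bytes spell out an IP address, and RFC 6066 does not allow IP literals in the SNI host_name field. The triage helper below is an added example (not lldap or rustls code): it decodes the SNI from a log line of the shape shown in this thread, reports whether it is an IP literal, and otherwise checks it against the certificate names from the thread (myinternalsite.net and *.myinternalsite.net) using single-label wildcard matching; the log line and certificate list are constructed from the values posted above.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed from the rustls warning posted in the issue.
LOG_LINE = ('2023-09-25T23:02:33.723564592+00:00  WARN  [warn]: Illegal SNI hostname '
            'received [49, 48, 46, 49, 48, 46, 49, 48, 46, 49, 48, 57] | '
            'log.target: "rustls::msgs::handshake"')
# Names on the certificate as stated by the reporter.
CERT_SANS = ["myinternalsite.net", "*.myinternalsite.net"]

SNI_RE = re.compile(r"Illegal SNI hostname received \[([\d,\s]+)\]")


def decode_sni_from_log(line: str) -> Optional[str]:
    """Turn the decimal byte list in the rustls warning back into the SNI string."""
    m = SNI_RE.search(line)
    if not m:
        return None
    raw = bytes(int(b) for b in m.group(1).split(","))
    return raw.decode("ascii", errors="replace")


def is_ip_literal(name: str) -> bool:
    """RFC 6066 forbids IPv4/IPv6 literals in SNI; rustls rejects such a ClientHello."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches_san(name: str, san: str) -> bool:
    """Case-insensitive DNS name match; a leading '*' covers exactly one label."""
    n = name.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if len(n) != len(s):
        return False
    if s[0] == "*":
        return n[1:] == s[1:]
    return n == s


def diagnose(line: str, sans: List[str]) -> str:
    """Classify the failure: bad SNI form, name not on the cert, or a cert-side match."""
    sni = decode_sni_from_log(line)
    if sni is None:
        return "no-sni-in-line"
    if is_ip_literal(sni):
        return f"ip-literal:{sni}"
    if any(name_matches_san(sni, s) for s in sans):
        return f"matches-cert:{sni}"
    return f"sni-not-in-cert:{sni}"
```

Pointing the client at a DNS name that resolves to the same address, as the reporter eventually did, changes the result from `ip-literal` to `matches-cert` without weakening verification on the server.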