
LDAPS fails on strict SNI, probably due to no hostname being sent #4307

skedastically opened this issue Nov 10, 2024 · 0 comments
Environment

  • ejabberd version: 24.10.0 docker
  • Erlang version: erl +V unsure
  • OS: Linux (Alpine)
  • Installed from: ghcr.io/processone/ejabberd

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: debug
host_config:
  example.com:
    auth_method: [ldap]
    ldap_servers:
      - ldap.example.com
    ldap_port: 3890
    ldap_encrypt: tls
    ldap_tls_verify: false
    ldap_uids:
      - uid
    ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=com"
    ldap_password: "[redacted]"
    ldap_base: "ou=people,dc=example,dc=com"

Errors from error.log/crash.log

2024-11-10 14:14:41.385 [notice] TLS :client: In state :hello received SERVER ALERT: Fatal - Unrecognized Name

Bug description

I'm configuring ejabberd to connect to LLDAP, whose connections are reverse proxied through a TLS-terminating TCP router (Traefik). The cert issued is a wildcard DNS-01 challenge type.

With strict SNI checking turned on (tls.options.default.sniStrict=true), LDAP fails with the above error.

Traefik's logs reveal the following line, which further indicates the issue:

<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:216 > TLS: strict SNI enabled - No certificate found for domain: "", closing connection

Workaround

Either disable strict SNI on the Traefik router, which works as ldap_tls_verify is false by default:

<datetime> DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

Or connect through plain LDAP in an isolated LAN (user-defined bridge network).


I'm not sure if sending hostname is the proper way to do LDAP. Please let me know if so.
