[ https://issues.apache.org/jira/browse/GUACAMOLE-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Couchman closed GUACAMOLE-1488.
------------------------------------
    Resolution: Implemented

> Allow LDAP extension to configure TLS level
> -------------------------------------------
>
>                 Key: GUACAMOLE-1488
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1488
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: Documentation, guacamole-auth-ldap
>            Reporter: Jason Keltz
>            Assignee: Nick Couchman
>            Priority: Major
>             Fix For: 1.6.0
>
>
> I upgraded Guacamole 1.3.0 to 1.4.0. When I login, I get user "Invalid Login". Logs show missing TLS 1.3 is the problem:
> {code:java}
> 10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
> 10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
> 10:27:47.996 [NioProcessor-1] WARN o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
> org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalArgumentException: TLSv1.3
>     at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
>     at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
>     at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
>     at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
>     at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
>     at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
>     ... 9 common frames omitted
> 10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.
> {code}
> Nick Couchman says: We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:
> [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable.
> You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straight-forward.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
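
The failure in the stack trace above, reproduced outside Guacamole as an added example (not code from the Guacamole or Apache Directory projects): `SSLEngine.setEnabledProtocols` throws `IllegalArgumentException` when a requested name such as `TLSv1.3` is not supported by the running JVM, so a client that wants a configurable TLS level should intersect the requested list with `getSupportedProtocols()` first. The class name, the `usable` helper and the `wanted` preference list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    /** Keep only the requested protocol names this JVM's JSSE provider supports. */
    static String[] usable(SSLEngine engine, String... requested) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> keep = new ArrayList<>();
        for (String p : requested) {
            if (supported.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);

        // Hypothetical preference list, newest first; not Guacamole's own setting.
        String[] wanted = {"TLSv1.3", "TLSv1.2"};
        System.out.println("Supported by this JVM: "
                + Arrays.toString(engine.getSupportedProtocols()));

        // Unguarded call, as in the stack trace: if any one name is unsupported,
        // setEnabledProtocols rejects the whole array.
        try {
            engine.setEnabledProtocols(wanted);
            System.out.println("Unfiltered list accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("Unfiltered list rejected: " + e.getMessage());
        }

        // Guarded form: intersect first, and fail closed if nothing is left
        // rather than silently falling back to older protocol versions.
        String[] enabled = usable(engine, wanted);
        if (enabled.length == 0) {
            throw new IllegalStateException("No requested TLS version is supported");
        }
        engine.setEnabledProtocols(enabled);
        System.out.println("Enabled: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running this on the same JVM that hosts the servlet container shows whether the unfiltered list is rejected there and which versions remain usable.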