You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "shilky69 (Jira)" <ji...@apache.org> on 2022/07/13 14:32:00 UTC
[jira] [Commented] (GUACAMOLE-1488) Allow LDAP extension to configure TLS level
[ https://issues.apache.org/jira/browse/GUACAMOLE-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17566349#comment-17566349 ]
shilky69 commented on GUACAMOLE-1488:
-------------------------------------
Hello,
How did you show DEBUGs in the logs?
is it a specific setting or is it native?
Thanks
Cordially,
> Allow LDAP extension to configure TLS level
> -------------------------------------------
>
> Key: GUACAMOLE-1488
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1488
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Jason Keltz
> Assignee: Nick Couchman
> Priority: Major
> Fix For: 1.6.0
>
>
> I upgraded Guacamole 1.3.0 to 1.4.0. When I login, I get user "Invalid Login". Logs show missing TLS 1.3 is the problem:
> {code:java}
> 10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
> 10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
> 10:27:47.996 [NioProcessor-1] WARN o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
> org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
> at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalArgumentException: TLSv1.3
> at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
> at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
> at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
> at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
> at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
> at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
> ... 9 common frames omitted
> 10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.{code}
> Nick Couchman says: We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:
> [DIRAPI-375]https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable. You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straight-forward.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)