Posted to issues@guacamole.apache.org by "shilky69 (Jira)" <ji...@apache.org> on 2022/07/13 14:32:00 UTC

[jira] [Commented] (GUACAMOLE-1488) Allow LDAP extension to configure TLS level

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17566349#comment-17566349 ] 

shilky69 commented on GUACAMOLE-1488:
-------------------------------------

Hello,

How did you show DEBUGs in the logs?
Is it a specific setting or is it native?

Thanks

Cordially,

> Allow LDAP extension to configure TLS level
> -------------------------------------------
>
>                 Key: GUACAMOLE-1488
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1488
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Jason Keltz
>            Assignee: Nick Couchman
>            Priority: Major
>             Fix For: 1.6.0
>
>
> I upgraded Guacamole 1.3.0 to 1.4.0.  When I log in, I get user "Invalid Login".  Logs show missing TLS 1.3 is the problem:
> {code:java}
> 10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
> 10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
> 10:27:47.996 [NioProcessor-1] WARN  o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
> org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
>         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalArgumentException: TLSv1.3
>         at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
>         at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
>         at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
>         at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
>         at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
>         at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
>         ... 9 common frames omitted
> 10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.{code}
> Nick Couchman says: We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:
>     [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable. You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straightforward.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
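
The failure in the quoted trace comes from `SSLEngine.setEnabledProtocols` being handed a protocol name the running JVM does not know. The following is an added example, not code from Guacamole or the Apache Directory API: it asks the JVM which TLS versions it supports and enables only those from a requested list. The class name `TlsProtocolCheck`, the helper `usableProtocols` and the requested list are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    /** Keep only the requested protocols that the JVM reports as supported. */
    static String[] usableProtocols(String[] requested, String[] supported) {
        Set<String> known = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (String p : requested) {
            if (known.contains(p)) usable.add(p);
        }
        // Fail closed: never fall back to an empty or unintended protocol set.
        if (usable.isEmpty()) {
            throw new IllegalStateException("No requested TLS protocol is supported: "
                    + Arrays.toString(requested));
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed request list: TLSv1.3 preferred, TLSv1.2 as fallback.
        String[] requested = {"TLSv1.3", "TLSv1.2"};

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("JVM supports: " + Arrays.toString(supported));

        SSLEngine engine = ctx.createSSLEngine();
        try {
            // On a JVM without TLSv1.3 this call throws, as in the quoted trace.
            engine.setEnabledProtocols(requested);
            System.out.println("Requested list accepted as-is");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected by JVM: " + e.getMessage());
            engine.setEnabledProtocols(usableProtocols(requested, supported));
        }
        System.out.println("Enabled: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running it with the same Java runtime that hosts Guacamole shows whether the `IllegalArgumentException: TLSv1.3` originates in the JVM rather than on the LDAP server side.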