You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Jason Keltz (Jira)" <ji...@apache.org> on 2022/01/03 17:48:00 UTC
[jira] [Created] (GUACAMOLE-1488) Guacamole 1.3.0 LDAP requires TLS 1.3
Jason Keltz created GUACAMOLE-1488:
--------------------------------------
Summary: Guacamole 1.3.0 LDAP requires TLS 1.3
Key: GUACAMOLE-1488
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1488
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-ldap
Affects Versions: 1.4.0
Reporter: Jason Keltz
I upgraded Guacamole 1.3.0 to 1.4.0. When I login, I get user "Invalid Login". Logs show missing TLS 1.3 is the problem:
{code:java}
10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
10:27:47.996 [NioProcessor-1] WARN o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: TLSv1.3
at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
... 9 common frames omitted
10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.{code}
Nick Couchman says: We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:
[DIRAPI-375]https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable. You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straight-forward.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)