[GUACAMOLE-1488] Allow LDAP extension to configure TLS level - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 1.6.0
Component/s: Documentation, guacamole-auth-ldap
Labels:
None

Description

I upgraded Guacamole 1.3.0 to 1.4.0. When I login, I get user "Invalid Login". Logs show missing TLS 1.3 is the problem:

10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
10:27:47.996 [NioProcessor-1] WARN  o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
        at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: TLSv1.3
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
        at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
        at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
        at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
        at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
        at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
        ... 9 common frames omitted
10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.

Nick Couchman says: We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:

~~DIRAPI-375~~https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols

I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable. You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straight-forward.

Attachments

Activity

People

Assignee:: Nick Couchman

Reporter:: Jason Keltz

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 03/Jan/22 17:47

Updated:: 12/Dec/22 00:14