TLS Issue: Could not negotiate a supported cipher suite.. #17
It looks like the cipher suite openldap requires can't be satisfied by your host. The other option is to be more permissive on the cipher suite: Note that by default the tls configuration also requires a client certificate, so if you conform with the cipher suite you will probably have another issue right away. If you don't want to check the client certificate, also change
More help:
A new version of the image is now available: 1.0.2. It offers new TLS environment variables that make TLS configuration more customizable. With the new image you can try:
and
Does it solve this issue?
Hi,
Makes sense, as you generate a self-signed certificate that I don't trust on the client.
Ran into the same issue, only I was providing my own
Thanks for the env variables LDAP_TLS_CIPHER_SUITE and LDAP_TLS_VERIFY_CLIENT. I had a similar situation and it worked once I set these variables as suggested.
I'm hitting this issue as well and can't seem to get it working even with the added options of... On the client side, I'm running ldapsearch -d 1 -H ldaps://my-openldap:636 -Z and getting... A TLS packet with unexpected length was received. On the server side I'm seeing... TLS: Can't accept: Could not negotiate a supported cipher suite.. Any thoughts?
My issue ended up being that gnutls/openssl on my server were not updated enough to support TLS_PROTOCOL_MIN 3.0 and the Normal Cipher (SECURE192:+VERS-SSL3.0). The symptom is as follows: openssl s_client -connect [client address and port] works, but the slapd log shows the error message when using ldapsearch -H ldaps://xxx: TLS: unsupported cipher xxx. Ended up setting LDAP_TLS_VERIFY_CLIENT=never; not the greatest security, but I was able to get the authentication going without issues.
@rudyzhou2 thanks for your feedback :)
Amazing container, made my ldap life so much easier! Thank you so much, really appreciate it!
I'd like to reopen this. Even downgrading the settings for TLS as above (and checking that I have those available) did not solve this for me. I still get the same error: "ignoring dhfile".
Any updates on those problems?
Out of the box the 1.1.8 image fails on for
Just in case this is still in question here: e.g. for getting the LDAPS connection to work with Nexus Repository Manager I had to add NORMAL: to SECURE256:-VERS-SSL3.0, so NORMAL:SECURE256:-VERS-SSL3.0. startTLS will work with SECURE256:-VERS-SSL3.0 on other clients, though. So maybe the default is a bit too tight, but maybe there is no such thing. You might just want the cipher selection to be part of the primary steps in the docs, since the clients are not too verbose about the connection issue and people could take a while. My client did not say anything, but the server logs did.
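The two comments above (the SECURE192:+VERS-SSL3.0 default and the NORMAL:SECURE256:-VERS-SSL3.0 workaround) both come down to the server's GnuTLS priority string and to failures that only show up in the slapd log. The following is an added diagnostic example, not code from this image or thread: it splits a GnuTLS priority string into its base set, additions and removals, flags when SSL 3.0 has been explicitly enabled, and counts TLS negotiation failures by cause over constructed slapd log lines modelled on the messages quoted here.

```python
import re
from collections import Counter

# Constructed slapd log excerpt (not a real capture), using the error
# strings quoted in this thread.
SAMPLE_SLAPD_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:41234 (IP=0.0.0.0:636)
conn=1000 fd=12 TLS: can't accept: Could not negotiate a supported cipher suite..
conn=1000 fd=12 closed (TLS negotiation failure)
conn=1001 fd=13 ACCEPT from IP=10.0.0.6:41240 (IP=0.0.0.0:636)
TLS: unsupported cipher NONE
conn=1001 fd=13 closed (TLS negotiation failure)
conn=1002 fd=14 ACCEPT from IP=10.0.0.7:41250 (IP=0.0.0.0:636)
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
"""

# Failure signatures a defender would watch for; labels are our own choice.
TLS_FAILURE_PATTERNS = {
    "no_shared_cipher": re.compile(r"Could not negotiate a supported cipher suite", re.I),
    "unsupported_cipher": re.compile(r"TLS: unsupported cipher", re.I),
    "dh_param": re.compile(r"ignoring dhfile", re.I),
}


def classify_tls_failures(log_text):
    """Count slapd TLS handshake failures by signature; established sessions are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        for label, pattern in TLS_FAILURE_PATTERNS.items():
            if pattern.search(line):
                counts[label] += 1
    return dict(counts)


def parse_gnutls_priority(priority):
    """Split a GnuTLS priority string: bare keywords form the base set,
    '+X' adds a keyword, '-X' or '!X' removes it."""
    base, added, removed = [], [], []
    for token in priority.split(":"):
        if not token:
            continue
        if token[0] == "+":
            added.append(token[1:])
        elif token[0] in "-!":
            removed.append(token[1:])
        else:
            base.append(token)
    return {"base": base, "added": added, "removed": removed}


def ssl3_explicitly_enabled(priority):
    """True when the string adds VERS-SSL3.0 without later removing it."""
    p = parse_gnutls_priority(priority)
    return "VERS-SSL3.0" in p["added"] and "VERS-SSL3.0" not in p["removed"]
```

Run `classify_tls_failures` over the real slapd log before loosening LDAP_TLS_CIPHER_SUITE or LDAP_TLS_VERIFY_CLIENT, so the change targets the failure actually being recorded.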
Any update? |
When I run the latest image with:
And I try to search on the directory over LDAPS with:
I get the following log output and TLS negotiation failure:
I also tried to connect over ldaps:// with:
But I got the same "Could not negotiate a supported cipher suite.." exception.
Is there anything I've done wrong, or is there an issue with the image?