Project

General

Profile

Actions

Bug #19896

closed

Option to configure acceptable TLS versions for LDAP

Added by Peter Amstutz almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Story points:
0.5
Release relationship:
Auto

Description

User is unable to log in on their cluster, getting this error:

LDAP Result Code 200 "Network Error": TLS handshake failed (tls: server selected unsupported protocol version 301)

They have reported that the server only supports TLS 1.1 and that the IT department intends to upgrade but has not done so yet.

What happened between Arvados 2.4 and 2.5 is that the Go TLS client got more strict by default -- documented here https://go.dev/doc/go1.18#tls10

We should provide an option (off by default) to relax the TLS client version check.

Workaround

The short term fix is to set "GODEBUG=tls10default=1" in "/etc/arvados/environment". We should add this to release notes.


Subtasks 1 (0 open1 closed)

Task #19902: Review 19896-ldap-tls-downgradeResolvedLucas Di Pentima01/05/2023Actions
Actions #1

Updated by Peter Amstutz almost 2 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Peter Amstutz almost 2 years ago

  • Category set to API
Actions #3

Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)
Actions #4

Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)
Actions #6

Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)
Actions #7

Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)
Actions #8

Updated by Peter Amstutz almost 2 years ago

  • Target version changed from 2023-01-18 sprint to 2023-02-01 sprint
Actions #9

Updated by Tom Clegg almost 2 years ago

  • Assigned To set to Tom Clegg
Actions #10

Updated by Peter Amstutz almost 2 years ago

  • Target version changed from 2023-02-01 sprint to 2023-01-18 sprint
Actions #11

Updated by Lucas Di Pentima almost 2 years ago

A couple of questions:

  • If StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose? Wouldn't that be needed regardless of the insecure setting? I understand that using a TLS version less than 1.2 is insecure by now, but what feels confusing to me is the difference in behavior between using "ldaps://..." and StartTLS.
  • Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?

The rest LGTM.

Actions #12

Updated by Tom Clegg almost 2 years ago

  • If StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose?

Oops, no. Fixed.

  • Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?

Yes. Added the error message to config.default.yml and I suppose mentioning the actual config knob here might make this issue page more helpful when a search for the error message leads here.

        # Mininum TLS version to negotiate when connecting to server                                                                             
        # (ldaps://... or StartTLS). It may be necessary to set this                                                                             
        # to "1.1" for compatibility with older LDAP servers that fail                                                                           
        # with 'LDAP Result Code 200 "Network Error": TLS handshake                                                                              
        # failed (tls: server selected unsupported protocol version                                                                              
        # 301)'.                                                                                                                                 
        #                                                                                                                                        
        # If blank, use the recommended minimum version (1.2).                                                                                   
        MinTLSVersion: "" 

19896-ldap-tls-downgrade @ 7432df3ab18b66c2a5dac1f18c9e8b1d7a388558 -- developer-run-tests: #3445

Actions #13

Updated by Lucas Di Pentima almost 2 years ago

This LGTM, thanks!

Actions #14

Updated by Tom Clegg almost 2 years ago

  • Status changed from In Progress to Resolved
Actions #15

Updated by Tom Clegg almost 2 years ago

  • Story points set to 0.5
Actions #16

Updated by Peter Amstutz almost 2 years ago

  • Release set to 57
Actions

Also available in: Atom PDF