Bug #19896

closed

Option to configure acceptable TLS versions for LDAP

Added by Peter Amstutz over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Story points:
0.5
Release relationship:
Auto

Description

User is unable to log in on their cluster, getting this error:

LDAP Result Code 200 "Network Error": TLS handshake failed (tls: server selected unsupported protocol version 301)

They have reported that the server only supports TLS 1.1 and that the IT department intends to upgrade but has not done so yet.

What happened between Arvados 2.4 and 2.5 is that the Go TLS client got more strict by default -- documented here https://go.dev/doc/go1.18#tls10

We should provide an option (off by default) to relax the TLS client version check.

Workaround

The short term fix is to set "GODEBUG=tls10default=1" in "/etc/arvados/environment". We should add this to release notes.


Subtasks 1 (0 open, 1 closed)

Task #19902: Review 19896-ldap-tls-downgrade, Resolved, Lucas Di Pentima, 01/05/2023
Actions #1

Updated by Peter Amstutz over 1 year ago

  • Status changed from New to In Progress
Actions #2

Updated by Peter Amstutz over 1 year ago

  • Category set to API
Actions #3

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #4

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #6

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #7

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #8

Updated by Peter Amstutz over 1 year ago

  • Target version changed from 2023-01-18 sprint to 2023-02-01 sprint
Actions #9

Updated by Tom Clegg over 1 year ago

  • Assigned To set to Tom Clegg
Actions #10

Updated by Peter Amstutz over 1 year ago

  • Target version changed from 2023-02-01 sprint to 2023-01-18 sprint
Actions #11

Updated by Lucas Di Pentima over 1 year ago

A couple of questions:

  • If StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose? Wouldn't that be needed regardless of the insecure setting? I understand that using a TLS version less than 1.2 is insecure by now, but what feels confusing to me is the difference in behavior between using "ldaps://..." and StartTLS.
  • Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?

The rest LGTM.

Actions #12

Updated by Tom Clegg over 1 year ago

  • If StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose?

Oops, no. Fixed.

  • Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?

Yes. Added the error message to config.default.yml and I suppose mentioning the actual config knob here might make this issue page more helpful when a search for the error message leads here.

        # Minimum TLS version to negotiate when connecting to server
        # (ldaps://... or StartTLS). It may be necessary to set this
        # to "1.1" for compatibility with older LDAP servers that fail
        # with 'LDAP Result Code 200 "Network Error": TLS handshake
        # failed (tls: server selected unsupported protocol version
        # 301)'.
        #
        # If blank, use the recommended minimum version (1.2).
        MinTLSVersion: ""

19896-ldap-tls-downgrade @ 7432df3ab18b66c2a5dac1f18c9e8b1d7a388558 -- developer-run-tests: #3445
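The example below is added here and is not Arvados code. It ties the description's explanation (the Go TLS client defaults to a TLS 1.2 minimum since Go 1.18) to the MinTLSVersion knob shown above: it parses the knob's string value into a crypto/tls MinVersion (blank meaning 1.2, as the config comment says), then reproduces the mismatch in memory over net.Pipe, running a client with and without the knob against a server whose newest version is TLS 1.1. The hostname ldap.example.test, the self-signed certificate and the parseTLSVersion/tryHandshake names are constructed for this demo. One caveat: a Go server answers an incompatible ClientHello with a protocol_version alert instead of downgrading to TLS 1.0 the way the user's LDAP server did, so the client-side error text differs from the "server selected unsupported protocol version 301" message in the ticket, but the pass/fail behaviour is the same.

```go
package main

// Added example (not Arvados code): map the MinTLSVersion config string to a
// tls.Config MinVersion and show, in memory, why a Go >= 1.18 client fails
// against a TLS 1.1-only LDAP server until the knob is set to "1.1".

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is the hostname the constructed certificate is issued for.
const serverName = "ldap.example.test"

// parseTLSVersion converts a MinTLSVersion-style string into a crypto/tls
// version constant. Blank means the recommended minimum (1.2), matching the
// config comment; an unknown value is a configuration error, never a silent
// downgrade.
func parseTLSVersion(s string) (uint16, error) {
	switch s {
	case "":
		return tls.VersionTLS12, nil
	case "1.0":
		return tls.VersionTLS10, nil
	case "1.1":
		return tls.VersionTLS11, nil
	case "1.2":
		return tls.VersionTLS12, nil
	case "1.3":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("MinTLSVersion: unsupported value %q (want blank, 1.0, 1.1, 1.2 or 1.3)", s)
}

// selfSignedCert builds a throwaway ECDSA certificate for serverName and a
// root pool containing it, so the client verifies the server properly rather
// than using InsecureSkipVerify.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// tryHandshake runs a client whose MinVersion comes from clientMin (the
// MinTLSVersion string) against an in-memory server whose newest version is
// serverMax, and returns the client-side handshake error (nil on success).
func tryHandshake(clientMin, serverMax string) error {
	cmin, err := parseTLSVersion(clientMin)
	if err != nil {
		return err
	}
	smax, err := parseTLSVersion(serverMax)
	if err != nil {
		return err
	}
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err
	}
	clientRaw, serverRaw := net.Pipe()
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS10, // legacy server still offering old versions
		MaxVersion:             smax,
		SessionTicketsDisabled: true, // keeps the unbuffered net.Pipe exchange strictly alternating
	}
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: cmin, // the knob this ticket adds
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer serverRaw.Close()
		srv := tls.Server(serverRaw, serverCfg)
		if srv.Handshake() == nil {
			// Consume the client's close_notify so its Close does not block.
			srv.Read(make([]byte, 1))
		}
	}()
	cli := tls.Client(clientRaw, clientCfg)
	err = cli.Handshake()
	cli.Close()
	<-done
	return err
}

func main() {
	for _, c := range []struct{ clientMin, serverMax string }{
		{"", "1.1"},    // Go >= 1.18 default client vs TLS 1.1-only server: fails
		{"1.1", "1.1"}, // MinTLSVersion: "1.1" lets the login work again
		{"", "1.3"},    // defaults against a modern server: fine
	} {
		err := tryHandshake(c.clientMin, c.serverMax)
		fmt.Printf("client MinTLSVersion=%q, server max TLS %s: err=%v\n", c.clientMin, c.serverMax, err)
	}
}
```

The first case is the situation from the description: the client refuses anything below 1.2 and the handshake fails before any bind is attempted. Setting the knob to "1.1" (or, as the workaround, GODEBUG=tls10default=1 in the controller's environment) widens what the client will accept; the third case shows that leaving the knob blank costs nothing against a server that already speaks TLS 1.2 or 1.3, which is why the relaxed setting is off by default.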

Actions #13

Updated by Lucas Di Pentima over 1 year ago

This LGTM, thanks!

Actions #14

Updated by Tom Clegg over 1 year ago

  • Status changed from In Progress to Resolved
Actions #15

Updated by Tom Clegg over 1 year ago

  • Story points set to 0.5
Actions #16

Updated by Peter Amstutz about 1 year ago

  • Release set to 57