Bug #19896
closed
Option to configure acceptable TLS versions for LDAP
Added by Peter Amstutz almost 2 years ago.
Updated almost 2 years ago.
Release relationship:
Auto
Description
User is unable to log in on their cluster, getting this error:
LDAP Result Code 200 "Network Error": TLS handshake failed (tls: server selected unsupported protocol version 301)
They have reported that the server only supports TLS 1.1 and that the IT department intends to upgrade but has not done so yet.
What happened between Arvados 2.4 and 2.5 is that the Go TLS client got more strict by default -- documented here https://go.dev/doc/go1.18#tls10
We should provide an option (off by default) to relax the TLS client version check.
Workaround¶
The short term fix is to set "GODEBUG=tls10default=1" in "/etc/arvados/environment". We should add this to release notes.
- Status changed from New to In Progress
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Target version changed from 2023-01-18 sprint to 2023-02-01 sprint
- Assigned To set to Tom Clegg
- Target version changed from 2023-02-01 sprint to 2023-01-18 sprint
A couple of questions:
- If
StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose? Wouldn't that be needed regardless of the insecure setting? I understand that using a TLS version less than 1.2 is insecure by now, but what feels confusing to me is the difference in behavior between using "ldaps://..." and StartTLS.
- Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?
The rest LGTM.
- If
StartTLS is true, the MinVersion is set only when Insecure mode is ON, is that on purpose?
Oops, no. Fixed.
- Do you think it would be a good idea to make controller somewhat hint the cluster admin what is the issue and how to fix it in the logs when there's a TLS version mismatch on user login?
Yes. Added the error message to config.default.yml and I suppose mentioning the actual config knob here might make this issue page more helpful when a search for the error message leads here.
# Mininum TLS version to negotiate when connecting to server
# (ldaps://... or StartTLS). It may be necessary to set this
# to "1.1" for compatibility with older LDAP servers that fail
# with 'LDAP Result Code 200 "Network Error": TLS handshake
# failed (tls: server selected unsupported protocol version
# 301)'.
#
# If blank, use the recommended minimum version (1.2).
MinTLSVersion: ""
19896-ldap-tls-downgrade @ 7432df3ab18b66c2a5dac1f18c9e8b1d7a388558 -- developer-run-tests: #3445 
- Status changed from In Progress to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by