Bug #19896

closed

Option to configure acceptable TLS versions for LDAP

Added by Peter Amstutz over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assigned To: (none)
Category: API
Target version: (none)
Story points: 0.5
Release relationship: Auto

Description

User is unable to log in on their cluster, getting this error:

LDAP Result Code 200 "Network Error": TLS handshake failed (tls: server selected unsupported protocol version 301)

They have reported that the server only supports TLS 1.1 and that the IT department intends to upgrade but has not done so yet.

What happened between Arvados 2.4 and 2.5 is that the Go TLS client got more strict by default -- documented here https://go.dev/doc/go1.18#tls10

We should provide an option (off by default) to relax the TLS client version check.

Workaround

The short term fix is to set "GODEBUG=tls10default=1" in "/etc/arvados/environment". We should add this to release notes.


Subtasks (1 total: 0 open, 1 closed)

Task #19902: Review 19896-ldap-tls-downgrade (Resolved, Lucas Di Pentima, 01/05/2023)