[
https://issues.apache.org/jira/browse/GUACAMOLE-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469356#comment-17469356
]
Jason Keltz commented on GUACAMOLE-1488:
----------------------------------------
[~vnick] First, thank you very much! It took a little time for me to get the server without anyone logged in to be able to test again. In a few days, the new term will begin, and I'll be out of luck for a bit unless I set up a test server.
I tried 1.4.0 with the 1.3.0 ldap extension, and that, of course, worked.
Next I downloaded and recompiled the ldap module with your updates. I added to my guacamole.properties file: ldap-ssl-protocol: TLSv1.2
.. in addition to what was already there, including ldap-encryption-method: ssl
I replaced the ldap module, and also replaced the war file in case there was a change there.
Login failed with the same error re: TLSv1.3
What precise version of JDK are you using with Guacamole? Because I've tried JDK8-202 (which doesn't have TLSv1.3 support), and JDK11 and JDK17, which both do. With JDK8, Guac works with the exception of TLSv1.3, and with 11 and 17 it does not work, even though I believe the Guac docs say JDK8+. It might be time to get more specific on the precise recommended versions of Java tested and known working. I'd have no issue upgrading my JDK version to the best one for Guac if it meant I would get TLSv1.3 support and the best overall reliability.
> Allow LDAP extension to configure TLS level
> -------------------------------------------
>
> Key: GUACAMOLE-1488
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1488
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Jason Keltz
> Assignee: Nick Couchman
> Priority: Major
>
> I upgraded Guacamole 1.3.0 to 1.4.0. When I login, I get user "Invalid
> Login". Logs show missing TLS 1.3 is the problem:
> {code:java}
> 10:27:47.985 [NioProcessor-1] DEBUG org.apache.mina.filter.ssl.SslFilter - Adding the SSL Filter sslFilter to the chain
> 10:27:47.987 [NioProcessor-1] DEBUG o.apache.mina.filter.ssl.SslHandler - Session Client[1](no sslEngine) Initializing the SSL Handler
> 10:27:47.996 [NioProcessor-1] WARN o.a.m.util.DefaultExceptionMonitor - Unexpected exception.
> org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): sslFilter:SslFilter in (0x00000001: nio socket, client, /1.2.3.4:44642 => myldap.ca/1.2.3.4:636)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:465)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:234)
> at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:553)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.addNow(AbstractPollingIoProcessor.java:832)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.handleNewSessions(AbstractPollingIoProcessor.java:752)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:652)
> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.IllegalArgumentException: TLSv1.3
> at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
> at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
> at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
> at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2070)
> at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:177)
> at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:458)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:463)
> ... 9 common frames omitted
> 10:28:18.005 [http-nio-8080-exec-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "myldap.yorku.ca" as user "CN=guacamole,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca" failed: MSG_04177_CONNECTION_TIMEOUT (30000)
> 10:28:18.007 [http-nio-8080-exec-1] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.{code}
> Nick Couchman says: We updated the dependencies for just about everything,
> including the Apache Directory API. The latest version of the Apache LDAP API
> defaults to TLSv1.3:
> [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP
> extension with Guacamole Client 1.4.0, so that'll work around it for now;
> however, looks like we may need to find a way to make this configurable.
> You're welcome to open a Jira issue for it - I'm sure adding an option for
> TLS version will be reasonably straightforward.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
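An added example, not code from Guacamole or the Apache Directory API, that isolates the JDK-side failure in the trace above: it asks the running JDK's SSLEngine which protocols it supports, shows that enabling TLSv1.3 outright throws the same IllegalArgumentException on a JDK without TLSv1.3 (such as the JDK8-202 mentioned in the comment), and then enables only the requested protocols that actually exist. The class name and the TLSv1.3/TLSv1.2 preference list are assumptions; run it with the JDK that runs Tomcat to confirm what that JVM can negotiate.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Assumed-name helper (not Guacamole code): checks TLS protocol support of this JDK. */
public class TlsProtocolCheck {

    /** Returns the requested protocols that this JDK's SSLEngine can actually enable,
     *  preserving the requested order. An empty result means none of them is usable. */
    static List<String> usableProtocols(SSLEngine engine, List<String> requested) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> usable = new ArrayList<>();
        for (String p : requested) {
            if (supported.contains(p)) {
                usable.add(p);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("JDK " + System.getProperty("java.version")
                + " supports: " + Arrays.toString(engine.getSupportedProtocols()));

        // 1. What the Apache Directory API does by default since DIRAPI-375: ask for
        //    TLSv1.3 outright. On a JDK without TLSv1.3 this throws
        //    IllegalArgumentException: TLSv1.3, exactly as in the trace above.
        try {
            engine.setEnabledProtocols(new String[] {"TLSv1.3"});
            System.out.println("TLSv1.3 enabled directly: OK");
        } catch (IllegalArgumentException e) {
            System.out.println("TLSv1.3 not available on this JDK: " + e.getMessage());
        }

        // 2. Defensive variant: a preference list (what a setting like ldap-ssl-protocol
        //    would carry), filtered to what the engine supports before enabling it.
        List<String> preferred = Arrays.asList("TLSv1.3", "TLSv1.2");  // assumed values
        List<String> usable = usableProtocols(engine, preferred);
        if (usable.isEmpty()) {
            throw new IllegalStateException("None of " + preferred + " is supported by this JDK");
        }
        engine.setEnabledProtocols(usable.toArray(new String[0]));
        System.out.println("Enabled: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```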