On 1/3/2022 11:45 AM, Nick Couchman wrote:
> On Mon, Jan 3, 2022 at 11:18 AM Jason Keltz <[email protected]> wrote:
>> Hi..
>>
>> I tried to bring Guac 1.4.0 into place on our CentOS 7
>> server running 1.3.0. I kept getting "invalid user" for logins.
>> After some debugging, I see in the logs (included below in more
>> detail) an exception caused by "Caused by:
>> java.lang.IllegalArgumentException: TLSv1.3". I believe there is
>> an attempt to connect to the LDAP server with TLS 1.3, and when
>> that fails, the auth fails as well, whereas previously TLS 1.2
>> would have been used. I may be wrong.
>>
>> The identical configuration works with 1.3.
>>
>> Is something requiring TLS v1.3 now that previously worked with 1.2?
>
> We updated the dependencies for just about everything, including the
> Apache Directory API. The latest version of the Apache LDAP API
> defaults to TLSv1.3:
>
> * [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) -
>   Add TLSv1.3 to default protocols
>
> I suspect this is what you're seeing. You can continue to use the 1.3
> LDAP extension with Guacamole Client 1.4.0, so that'll work around it
> for now; however, looks like we may need to find a way to make this
> configurable. You're welcome to open a Jira issue for it - I'm sure
> adding an option for TLS version will be reasonably straightforward.

Thanks, Nick. Happy New Year, by the way!

I opened up an issue and quoted your response there in case someone else
has the same issue: https://issues.apache.org/jira/browse/GUACAMOLE-1488

I'll try the 1.3 module if I get the server dead enough to try again...
(had to revert from 1.4 back to 1.3 earlier). If you know of the line
to change to just hard-code TLS 1.2 for the moment in the 1.4 LDAP
module, I can try that as well.

Jason.
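
A diagnostic for the symptom discussed in this thread, added here as an example and not taken from Guacamole or the Apache Directory API: it lists the TLS protocol names the running JVM knows and shows what happens when a client library asks the JVM to enable "TLSv1.3". It assumes the `IllegalArgumentException: TLSv1.3` is raised by the JVM's own TLS stack rejecting the protocol name; the class name `TlsProtocolCheck` is hypothetical and only JDK classes are used.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    /** True if the JVM's default JSSE provider recognises the protocol name. */
    static boolean isSupported(String protocol) throws Exception {
        String[] supported =
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains(protocol);
    }

    /**
     * Mimics a client library that sets its own protocol list on the TLS
     * engine. Returns null on success, or the exception text on rejection.
     */
    static String tryEnable(String... protocols) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        try {
            engine.setEnabledProtocols(protocols);
            return null;
        } catch (IllegalArgumentException e) {
            // A JVM without TLS 1.3 support fails here, before any
            // connection to the directory server is attempted.
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version        = "
            + System.getProperty("java.version"));
        System.out.println("supported protocols = "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled by default  = "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // The two candidate lists: the new default that includes TLSv1.3,
        // and a list pinned to TLSv1.2 as asked about in the thread.
        String[][] candidates = { {"TLSv1.2", "TLSv1.3"}, {"TLSv1.2"} };
        for (String[] list : candidates) {
            String error = tryEnable(list);
            System.out.println(Arrays.toString(list) + " -> "
                + (error == null ? "accepted" : "rejected: " + error));
        }
        System.out.println("TLSv1.3 supported: " + isSupported("TLSv1.3"));
    }
}
```

Run it with the same `java` binary that the servlet container hosting Guacamole uses, since the result depends on that JVM's version and security configuration.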