Hi Jason,

just curious, what is the exact Java version (including the minor version) you're using in this environment? The stacktrace doesn't reveal that the TLSv1.3 connection would fail, but rather that the support for TLSv1.3 is missing completely (as the exception gets thrown at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)). That TLS version should be supported since Java 11 (AFAIK), but seems to be backported to certain builds of Java 8 as well (https://stackoverflow.com/questions/29437596/tlsv1-3-is-it-available-now-in-java-8).

So the solution might be just to upgrade Java to a newer version. I couldn't find any notion of a required Java version in the Guacamole docs, so it might be worth mentioning it there as well (as in general only TLSv1.2+ is recommended), in case it's not possible to work without TLSv1.3 support.

Lukas

On Mon, Jan 3, 2022 at 18:51, Jason Keltz <[email protected]> wrote:
>
> On 1/3/2022 11:45 AM, Nick Couchman wrote:
>
> On Mon, Jan 3, 2022 at 11:18 AM Jason Keltz <[email protected]> wrote:
>
>> Hi..
>>
>> I tried to bring Guac 1.4.0 into place on our CentOS 7 server
>> running 1.3.0. I kept getting "invalid user" for logins. After some
>> debugging, I see in the logs (included below in more detail) an exception
>> caused by "Caused by: java.lang.IllegalArgumentException: TLSv1.3". I
>> believe there is an attempt to connect to the LDAP server with TLS 1.3, and
>> when that fails, the auth fails as well, whereas previously TLS 1.2 would
>> have been used. I may be wrong.
>>
>> The identical configuration works with 1.3.
>>
>> Is something requiring TLS v1.3 now that previously worked with 1.2?
>>
> We updated the dependencies for just about everything, including the
> Apache Directory API. The latest version of the Apache LDAP API defaults to
> TLSv1.3:
>
>
> - [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) - Add
> TLSv1.3 to default protocols
>
> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP
> extension with Guacamole Client 1.4.0, so that'll work around it for now;
> however, looks like we may need to find a way to make this configurable.
> You're welcome to open a Jira issue for it - I'm sure adding an option for
> TLS version will be reasonably straightforward.
>
> Thanks, Nick. Happy New Year, by the way!
>
> I opened up an issue and quoted your response there in case someone else
> has the same issue: https://issues.apache.org/jira/browse/GUACAMOLE-1488
>
> I'll try the 1.3 module if I get the server dead enough to try again...
> (had to revert from 1.4 back to 1.3 earlier). If you know of the line to
> change to just hard-code TLS 1.2 for the moment in the 1.4 ldap module, I
> can try that as well.
>
> Jason.
>
>
>

--
Best regards,
Lukáš Raška
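
A way to check the situation discussed in this thread, as an added example that is not part of the original messages, Guacamole, or the Apache LDAP API: it prints the exact Java version, lists the TLS protocols the JVM's default provider implements, and shows that asking for a protocol the JVM lacks raises the exception type reported above. The class name `TlsSupportCheck` and the `WANTED` list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical diagnostic class (not part of Guacamole or the Apache LDAP API).
public class TlsSupportCheck {

    // Protocols a client would like to offer, strongest first (assumed list).
    static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    // Keep only the wanted protocols that this JVM's default provider implements.
    static String[] usable(String[] wanted, String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String p : wanted) {
            if (sup.contains(p)) {
                out.add(p);
            }
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("Supported: " + Arrays.toString(supported));

        SSLEngine engine = ctx.createSSLEngine();
        try {
            // On a JVM without TLSv1.3 this throws IllegalArgumentException,
            // the exception type reported in the thread.
            engine.setEnabledProtocols(WANTED);
            System.out.println("Enabled as requested: " + Arrays.toString(WANTED));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected by this JVM: " + e.getMessage());
            String[] fallback = usable(WANTED, supported);
            if (fallback.length == 0) {
                throw new IllegalStateException("No TLSv1.2+ support in this JVM");
            }
            engine.setEnabledProtocols(fallback);
            System.out.println("Falling back to: " + Arrays.toString(fallback));
        }
    }
}
```

Run it with the same `java` binary that the servlet container uses, since a host can have several JREs installed.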
