Hi Lukáš,
I'm actually using exactly jdk-1.8.0_202 which is the same version of
JDK I was using back when I started with Guacamole 1.2.0. I tried to
upgrade to jdk17-17.0.1 at one point recently with 1.3.0, and got many
errors, so I just went back to jdk-1.8.0. I never did try jdk11. I'm
completely flexible in this respect, and would want to use the best JDK
for the job, but I realize I don't know what that is. I'm running
Tomcat 9.0.56. I know that Nick created a patch to allow the older TLS
support, which does make sense, and I have to try it when the server
isn't in use, but maybe if I was using the "best" version of JDK for
Guacamole, this might not even be necessary. Thoughts, Nick?
Jason.
On 1/3/2022 5:00 PM, Lukáš Raška wrote:
Hi Jason,
just curious, what is the exact Java version (including the minor
version) you're using in this environment? The stacktrace doesn't
reveal that the TLSv1.3 connection would fail, rather that the support
for TLSv1.3 is missing completely (as the exception gets thrown at
sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187) ).
That TLS version should be supported since Java 11 (AFAIK), but seems
to be backported to certain builds of Java 8 as well
(https://stackoverflow.com/questions/29437596/tlsv1-3-is-it-available-now-in-java-8).
So the solution might be just to upgrade Java to a newer version. I
couldn't find any mention of a required Java version in the Guacamole
docs, so it might be worth mentioning it there as well (as in general
only TLSv1.2+ is recommended), in case it's not possible to work without
TLSv1.3 support.
Lukas
On Mon, 3 Jan 2022 at 18:51, Jason Keltz <[email protected]> wrote:
On 1/3/2022 11:45 AM, Nick Couchman wrote:
On Mon, Jan 3, 2022 at 11:18 AM Jason Keltz <[email protected]> wrote:
Hi..
I tried to bring Guac 1.4.0 into place on our CentOS
7 server running 1.3.0. I kept getting "invalid user" for
logins. After some debugging, I see in the logs (included
below in more detail) an exception caused by "Caused by:
java.lang.IllegalArgumentException: TLSv1.3". I believe
there is an attempt to connect to the LDAP server with TLS
1.3, and when that fails, the auth fails as well, whereas
previously TLS 1.2 would have been used. I may be wrong.
The identical configuration works with 1.3.
Is something requiring TLS v1.3 now that previously worked
with 1.2?
We updated the dependencies for just about everything, including
the Apache Directory API. The latest version of the Apache LDAP
API defaults to TLSv1.3:
* DIRAPI-375 (https://issues.apache.org/jira/browse/DIRAPI-375)
- Add TLSv1.3 to default protocols
I suspect this is what you're seeing. You can continue to use the
1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work
around it for now; however, looks like we may need to find a way
to make this configurable. You're welcome to open a Jira issue
for it - I'm sure adding an option for TLS version will be
reasonably straight-forward.
Thanks, Nick. Happy New Year, by the way!
I opened up an issue and quoted your response there in case
someone else has the same issue:
https://issues.apache.org/jira/browse/GUACAMOLE-1488
I'll try the 1.3 module if I get the server dead enough to try
again... (had to revert from 1.4 back to 1.3 earlier). If you
know of the line to change to just hard-code TLS 1.2 for the
moment in the 1.4 ldap module, I can try that as well.
Jason.
--
Best regards,
Lukáš Raška
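
Added example, not part of the original thread and not Guacamole or Apache Directory API code: a stand-alone check of which TLS protocol names the running JVM recognises, which also shows the `IllegalArgumentException` raised when a name such as `TLSv1.3` is unknown to the JVM. The class name `TlsProtocolCheck` and the `WANTED` list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    // Assumed preference list: what a client library might ask for, newest first.
    static final String[] WANTED = { "TLSv1.3", "TLSv1.2" };

    /** Returns the entries of wanted that the JVM's default SSLContext supports. */
    static List<String> usable(SSLContext ctx, String[] wanted) {
        Set<String> known = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        List<String> result = new ArrayList<>();
        for (String name : wanted) {
            if (known.contains(name)) {
                result.add(name);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("supported    = "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        List<String> ok = usable(ctx, WANTED);
        if (ok.isEmpty()) {
            throw new IllegalStateException("JVM supports none of " + Arrays.toString(WANTED));
        }

        SSLEngine engine = ctx.createSSLEngine();
        try {
            // A JVM that does not know a protocol name rejects the whole list here.
            engine.setEnabledProtocols(WANTED);
            System.out.println("all wanted protocols accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected protocol name: " + e.getMessage());
            // Fall back to the subset this JVM actually supports.
            engine.setEnabledProtocols(ok.toArray(new String[0]));
        }
        System.out.println("enabled      = " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run it with the same `java` binary that Tomcat uses, since the result depends on the exact JDK build.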