Hi, thanks, so the used version in this case is Java 8u202. The StackOverflow post seems to indicate that update version 262+ should support TLSv1.3, but I haven't tested it myself. The upgrade to Java 17 might not be very straightforward - there were many changes in between (and especially some breaking changes in Java 17), which would probably require upgrade to all additional components (Tomcat or other application server, configuration and JVM flags).
I haven't really tried standard Guacamole version on top of Java 17, as we're embedding guacamole-common in our project, but I will try to see what might be needed.

Java 11 might be a good choice in this case - it's a long-term-support (LTS) version and a lot of changes that happened were usually backwards compatible. Given that the application server is new enough to have notion of Java 11. Otherwise update to the newest Java 8 build is probably something that should be least problematic. But given that it's out of general support by Oracle (and Premier Support ends in 2 months - https://www.oracle.com/java/technologies/java-se-support-roadmap.html ), you would need to use some alternative build (Adoptium - formerly AdoptOpenJDK / Amazon Corretto / Azul OpenJDK).

So in case you want to play with this, there are options you can try. As well as Nick's proposed ability to configure the exact TLS version used.

Lukas

On Tue, Jan 4, 2022 at 1:07, Jason Keltz <[email protected]> wrote:

> Hi Lukáš,
>
> I'm actually using exactly jdk-1.8.0_202 which is the same version of JDK I was using back when I started with Guacamole 1.2.0. I tried to upgrade to jdk17-17.0.1 at one point recently with 1.3.0, and got many errors, so I just went back to jdk-1.8.0. I never did try jdk11. I'm completely flexible in this respect, and would want to use the best JDK for the job, but I realize I don't know what that is. I'm running Tomcat 9.0.56. I know that Nick created a patch to allow the older TLS support, which does make sense, and I have to try it when the server isn't in use, but maybe if I was using the "best" version of JDK for Guacamole, this might not even be necessary. Thoughts, Nick?
>
> Jason.
>
> On 1/3/2022 5:00 PM, Lukáš Raška wrote:
>
> Hi Jason,
> just curious, what is the exact Java version (including the minor version) you're using in this environment? The stacktrace doesn't reveal that the TLSv1.3 connection would fail, rather that the support for TLSv1.3 is missing completely (as the exception gets thrown at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187) ). That TLS version should be supported since Java 11 (AFAIK), but seems to be backported to certain builds of Java 8 as well ( https://stackoverflow.com/questions/29437596/tlsv1-3-is-it-available-now-in-java-8 ).
>
> So the solution might be just to upgrade Java to a newer version. I couldn't find any notion of required Java version in Guacamole docs, so might be worth to mention it there as well (as in general only TLSv1.2+ is recommended), in case it's not possible to work without TLSv1.3 support.
>
> Lukas
>
> On Mon, Jan 3, 2022 at 18:51, Jason Keltz <[email protected]> wrote:
>
>> On 1/3/2022 11:45 AM, Nick Couchman wrote:
>>
>> On Mon, Jan 3, 2022 at 11:18 AM Jason Keltz <[email protected]> wrote:
>>
>>> Hi..
>>>
>>> I tried to bring install Guac 1.4.0 into place on our CentOS 7 server running 1.3.0. I kept getting "invalid user" for logins. After some debugging, I see in the logs (included below in more detail) an exception caused by "Caused by: java.lang.IllegalArgumentException: TLSv1.3". I believe there is an attempt to connect to the LDAP server with TLS 1.3, and when that fails, the auth fails as well, whereas previously TLS 1.2 would have been used. I may be wrong.
>>>
>>> The identical configuration works with 1.3.
>>>
>>> Is something requiring TLS v1.3 now that previously worked with 1.2?
>>>
>> We updated the dependencies for just about everything, including the Apache Directory API. The latest version of the Apache LDAP API defaults to TLSv1.3:
>>
>> - [DIRAPI-375](https://issues.apache.org/jira/browse/DIRAPI-375) - Add TLSv1.3 to default protocols
>>
>> I suspect this is what you're seeing. You can continue to use the 1.3 LDAP extension with Guacamole Client 1.4.0, so that'll work around it for now; however, looks like we may need to find a way to make this configurable. You're welcome to open a Jira issue for it - I'm sure adding an option for TLS version will be reasonably straight-forward.
>>
>> Thanks, Nick. Happy New Year, by the way!
>>
>> I opened up an issue and quoted your response there in case someone else has the same issue: https://issues.apache.org/jira/browse/GUACAMOLE-1488
>>
>> I'll try the 1.3 module if I get the server dead enough to try again... (had to revert from 1.4 back to 1.3 earlier). If you know of the line to change to just hard-code TLS 1.2 for the moment in the 1.4 ldap module, I can try that as well.
>>
>> Jason.
>>
>
> --
> Best regards
>
> Lukáš Raška
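
A JVM check for the failure discussed in this thread, as an added example that is not part of any message above and is not Guacamole or Apache Directory API code. The class name `TlsSupportCheck` and the preference list are assumptions; only standard `javax.net.ssl` calls are used, and the code compiles on Java 8.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: TlsSupportCheck is a hypothetical name, not project code.
public class TlsSupportCheck {

    // Protocols we are willing to use, strongest first (assumed policy: TLSv1.2+).
    static final List<String> PREFERRED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Keep only the preferred protocols that this JVM's default provider implements.
    static String[] usable(SSLEngine engine) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> result = new ArrayList<>();
        for (String p : PREFERRED) {
            if (supported.contains(p)) {
                result.add(p);
            }
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("supported    = " + Arrays.toString(engine.getSupportedProtocols()));

        // A protocol name the JVM does not implement is rejected when it is
        // configured, before any connection to the server is attempted.
        try {
            engine.setEnabledProtocols(new String[] {"TLSv1.3"});
            System.out.println("TLSv1.3 can be enabled on this JVM");
        } catch (IllegalArgumentException e) {
            System.out.println("TLSv1.3 rejected: IllegalArgumentException: " + e.getMessage());
        }

        // Enabling the intersection avoids the exception and never drops below TLSv1.2.
        String[] safe = usable(engine);
        if (safe.length == 0) {
            throw new IllegalStateException("JVM supports neither TLSv1.3 nor TLSv1.2");
        }
        engine.setEnabledProtocols(safe);
        System.out.println("enabled      = " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run it with the same `java` binary that starts Tomcat; a "rejected" line means the JVM itself lacks TLSv1.3, independent of what the LDAP server offers.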
