LDAP - STARTTLS will only use SSLv2

Occasional Contributor

Hi!
We have a MAG-4610 (8.2R6).
When I set the "auth servers" setting to use LDAP STARTTLS, it just says "LDAP Server is unreachable", but if I use Unencrypted it works.
So I installed Wireshark on our domain controller/LDAP server, and when the "Client Hello" comes in it uses the SSLv2 protocol, so I guess that's why it says "server unreachable", since we only allow TLS 1.2.

What do you think? Any suggestions?

//BR

8 REPLIES
Occasional Contributor

Re: LDAP - STARTTLS will only use SSLv2

This happens when I push the "test connection" button.
Moderator

Re: LDAP - STARTTLS will only use SSLv2

That is currently how the STARTTLS function operates.
I would recommend reaching out to your account team to ask for an enhancement to this feature.
Occasional Contributor

Re: LDAP - STARTTLS will only use SSLv2

Thanks for the reply.
OK, so there is no TLS 1.2 support for STARTTLS? I get the same on LDAPS, so I guess it is the same there?
Moderator

Re: LDAP - STARTTLS will only use SSLv2

You are welcome.
Yes, that is correct. I would expect the same on LDAPS.
Occasional Contributor

Re: LDAP - STARTTLS will only use SSLv2

OK! Do you know if there is any other way to make it more secure?

//P
Moderator

Re: LDAP - STARTTLS will only use SSLv2

The initial handshake is on SSLv2; however, the communication will transfer to TLSv1.x if the backend supports it.
Can the firewall allow SSLv2 through to the server for the handshake?
Occasional Contributor

Re: LDAP - STARTTLS will only use SSLv2

I can see that the handshake comes to our AD server and it is indeed an SSLv2 initial handshake, as you mention, and then it tries to init TLS 1.2, but that's where it fails. Our AD server sends an RST, and I guess it's because the initial handshake is SSLv2?

//Patrik
Moderator

Re: LDAP - STARTTLS will only use SSLv2

Yes, that is something I have seen at other deployments: the initial connection is rejected by the auth server and does not allow changing to another protocol.
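To check a capture like the one described above, the following added example (not code from the thread or from the vendor) classifies the first bytes of a ClientHello as SSLv2-framed or TLS-framed and reports the version it advertises; the two sample records are constructed, and the "TLS 1.2 only" server model follows the behaviour the moderator and Patrik describe (an SSLv2-framed hello is dropped before the version inside it is considered).

```python
"""Classify a captured ClientHello as SSLv2-format or TLS-format."""
import struct

# Standard SSL/TLS wire version codes
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def classify_client_hello(data: bytes) -> dict:
    """Return record format, record length and advertised version."""
    if len(data) < 5:
        raise ValueError("too short for a hello record")
    if data[0] & 0x80:
        # SSLv2 record: 2-byte header (high bit set, 15-bit length),
        # then message type 0x01 (CLIENT-HELLO) and a 2-byte version.
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        (version,) = struct.unpack(">H", data[3:5])
        return {"record_format": "SSLv2", "record_length": length,
                "advertised_version": VERSIONS.get(version, hex(version))}
    if data[0] == 0x16:
        # TLS record: type 0x16 (handshake), 2-byte record version,
        # 2-byte length, handshake type 0x01, 3-byte length, client_version.
        (length,) = struct.unpack(">H", data[3:5])
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS record is not a ClientHello")
        (version,) = struct.unpack(">H", data[9:11])
        return {"record_format": "TLS", "record_length": length,
                "advertised_version": VERSIONS.get(version, hex(version))}
    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def accepted_by_tls12_only_server(data: bytes) -> bool:
    """Model (assumption) of a server with SSLv2 disabled and TLS 1.2 required:
    an SSLv2-framed hello is rejected regardless of the version it carries."""
    info = classify_client_hello(data)
    return info["record_format"] == "TLS" and info["advertised_version"] == "TLS 1.2"


# Constructed sample records, not taken from the thread's capture.
# SSLv2-compatible hello advertising TLS 1.2: two cipher specs, 16-byte challenge.
SSLV2_HELLO = bytes.fromhex("801f01030300060000001000002f000035") + b"\x11" * 16
# TLS-format hello: record version TLS 1.0, client_version TLS 1.2, one suite.
TLS12_HELLO = (bytes.fromhex("160301002d010000290303") + b"\x22" * 32
               + bytes.fromhex("000002002f0100"))

if __name__ == "__main__":
    for name, rec in (("SSLv2-framed", SSLV2_HELLO), ("TLS-framed", TLS12_HELLO)):
        print(name, classify_client_hello(rec),
              "accepted by TLS-1.2-only server:", accepted_by_tls12_only_server(rec))
```

Wireshark labels the first record "SSLv2 Client Hello" even when the version field inside says TLS 1.2, which is the combination seen in this thread.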