Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

LDAP - STARTTLS will only use SSLv2

PatrikL
PatrikL
Occasional Contributor
‎10-10-2017 09:05:AM
‎10-10-2017 09:05:AM

LDAP - STARTTLS will only use SSLv2

Hi!
We have a MAG-4610 (8.2R6).
When I set the setting on "auth servers" to use LDAP STARTTLS it will just say "LDAP Server is unreachable" but if I use Unencrypted it will work.
So I installed wireshark on our domain controller/ldap server and when the "Client Hello" comes it uses SSLv2 protocol so I guess thats why it says "server unreachable" since we are only allowing tls 1.2

What do you think? any suggestion?

//BR

0 Kudos
Reply
9 REPLIES 9
PatrikL
PatrikL
Occasional Contributor
‎10-10-2017 09:28:AM
‎10-10-2017 09:28:AM

Re: LDAP - STARTTLS will only use SSLv2

This happens when I push the "test connection" button.
0 Kudos
Reply
zanyterp
Moderator
Moderator
‎10-10-2017 02:06:PM
‎10-10-2017 02:06:PM

Re: LDAP - STARTTLS will only use SSLv2

That is currently how the STARTTLS function operates.
I would recommend reaching out to your account team to ask for an enhancement to this feature.
0 Kudos
Reply
PatrikL
PatrikL
Occasional Contributor
‎10-11-2017 01:57:PM
‎10-11-2017 01:57:PM

Re: LDAP - STARTTLS will only use SSLv2

Thanks for the reply.
Ok so there is no TLS 1.2 support for START TLS? I get the same on LDAPS so guess it is the same there?
0 Kudos
Reply
zanyterp
Moderator
Moderator
‎10-12-2017 09:03:PM
‎10-12-2017 09:03:PM

Re: LDAP - STARTTLS will only use SSLv2

You are welcome.
Yes, that is correct, I would expect the same on LDAPS
0 Kudos
Reply
PatrikL
PatrikL
Occasional Contributor
‎10-16-2017 05:24:AM
‎10-16-2017 05:24:AM

Re: LDAP - STARTTLS will only use SSLv2

Ok! Do you know if there is any other way to make more secure?

//P
0 Kudos
Reply
zanyterp
Moderator
Moderator
‎10-18-2017 04:08:PM
‎10-18-2017 04:08:PM

Re: LDAP - STARTTLS will only use SSLv2

The initial handshake is on SSLv2; however, the communication will transfer to TLSv1.x if the backend supports it.
Can the firewall allow SSLv2 through to the server for the handshake?
0 Kudos
Reply
PatrikL
PatrikL
Occasional Contributor
‎10-18-2017 05:30:PM
‎10-18-2017 05:30:PM

Re: LDAP - STARTTLS will only use SSLv2

I can see that the handshake comes to our AD server and it is indeed SSLv2 initail handshake as you mention and then it tries to init tls 1.2 but thats where it fails. Our AD server sends a RST and I guess it's because the initial handshake is sslv2?

//Patrik
0 Kudos
Reply
zanyterp
Moderator
Moderator
‎10-23-2017 05:33:PM
‎10-23-2017 05:33:PM

Re: LDAP - STARTTLS will only use SSLv2

Yes, that is something I have seen at other deployments: the initial connection is rejected by the auth server and does not allow changing to another protocol
0 Kudos
Reply
michelefiorilli
michelefiorilli
New Contributor
‎09-12-2018 08:30:AM
‎09-12-2018 08:30:AM

Re: LDAP - STARTTLS will only use SSLv2

hi all

 

how you solve the problem?

 

Michele

 

0 Kudos
Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.