
LDAP auth fails on TLS handshake #28206

Closed
aharrisson opened this issue Aug 28, 2024 · 4 comments
Labels
auth/ldap bug Used to indicate a potential bug regression Used to indicate possible regressions between versions

Comments

@aharrisson

Describe the bug
In 1.17.3 the LDAP authentication method fails to connect to our LDAP server. When trying to log in, an error message is displayed:
[screenshot of the error message]
We use a private CA for signing the LDAP TLS certificate and this CA certificate is included in the LDAP authentication method configuration.
Downgrading to 1.17.2 (or earlier) solves the issue. Upgrading to 1.17.3 introduces the issue again.

To Reproduce
Steps to reproduce the behavior:

  1. Install Vault 1.17.3
  2. Configure an LDAP authentication method with an LDAP server using a self signed or internally signed certificate. Include the CA certificate in the configuration.
  3. Unseal and log in using the LDAP auth method.

Expected behavior
The user should be logged in.

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.3
  • Vault CLI Version (retrieve with vault version): N/A
  • Server Operating System/Architecture: Ubuntu 22.04

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values
{
  "storage": {
    "file": {
      "path": "/var/vault/data"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "cluster_address": "0.0.0.0:8201",
      "tls_disable": false,
      "tls_key_file": "<tls-key-location>",
      "tls_cert_file": "<tls-cert-location>"
    }
  },
  "ui": true,
  "max_lease_ttl": "8760h",
  "default_lease_ttl": "760h",
  "disable_mlock": true,
  "api_addr": "https://<host-fqdn>:8200",
  "cluster_addr": "https://<host-fqdn>:8201",
  "log_level": "info"
}
Key                             Value
---                             -----
anonymous_group_search          false
binddn                          <bind-dn>
case_sensitive_names            false
certificate                     -----BEGIN CERTIFICATE-----
<LDAP-server-CA-content>
-----END CERTIFICATE-----
connection_timeout              0
deny_null_bind                  true
dereference_aliases             n/a
discoverdn                      false
groupattr                       cn
groupdn                         <group-dn>
groupfilter                     <group-filter>
insecure_tls                    false
max_page_size                   0
password_policy                 n/a
request_timeout                 90
starttls                        true
tls_max_version                 tls12
tls_min_version                 tls12
token_bound_cidrs               []
token_explicit_max_ttl          0s
token_max_ttl                   0s
token_no_default_policy         false
token_num_uses                  0
token_period                    0s
token_policies                  []
token_ttl                       0s
token_type                      default
upndomain                       n/a
url                             <ldap-uri>
use_pre111_group_cn_behavior    false
use_token_groups                false
userattr                        uid
userdn                          <user-dn>
userfilter                      n/a
username_as_alias               false

Additional context
N/A

@heatherezell heatherezell added bug Used to indicate a potential bug auth/ldap regression Used to indicate possible regressions between versions labels Aug 28, 2024
@tdgeery

tdgeery commented Aug 30, 2024

Having the same issue with 1.17.3 and 1.17.4 (released today).

@aharrisson
Author

I can confirm that the issue is still there in 1.17.4.

@biazmoreira
Contributor

Hi, some cipher suites were disabled in Go v1.22. Since we have updated the Go version in our repos (https://github.com/hashicorp/vault/pull/27986/files), these cipher suites were also disabled in Vault.

Here you can find a list of them: golang/go#63413

As a workaround, please set GODEBUG=tlsrsakex=1 as an environment variable to bypass this error to confirm that that's the case. The long-term fix would be to remove weak ciphers from your config.

I'll be closing the issue for now since there isn't much we can do on our side.
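The behaviour described in this comment can be reproduced without an LDAP server. The following is an added example written for this thread, not code from Vault or from the Go project: it uses a constructed self-signed RSA certificate over an in-memory pipe, and assumes Go 1.22 or newer for the `handshake(rsaKexOnly, nil)` case to fail.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

var (
	rsaKexOnly = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}       // what the failing LDAP server offers
	ecdheOnly  = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} // the "remove weak ciphers" fix
)
// selfSignedRSA builds a throwaway RSA certificate (constructed for this example);
// the server key must be RSA for an RSA-key-exchange suite to be negotiable at all.
func selfSignedRSA() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}
// handshake runs a TLS 1.2 handshake over an in-memory pipe and returns the client-side error.
// clientSuites == nil means Go's defaults, which exclude RSA key exchange from Go 1.22 on unless GODEBUG=tlsrsakex=1 is set.
func handshake(serverSuites, clientSuites []uint16) error {
	cert, err := selfSignedRSA()
	if err != nil {
		return err
	}
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, // constructed cert, nothing to verify
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, srv).Handshake() }()
	err = tls.Client(c, cli).Handshake()
	<-done // the server either completes or has already sent its alert, so this returns
	return err
}
```

With Go 1.22+, `handshake(rsaKexOnly, nil)` returns `remote error: tls: handshake failure` while `handshake(ecdheOnly, nil)` succeeds, which is the server-side fix the comment recommends.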

@tdgeery

tdgeery commented Sep 9, 2024

Can confirm this workaround worked.
