Supported SSL/TLS versions #348

Open
kalsan opened this issue Feb 7, 2020 · 7 comments

Comments

@kalsan

kalsan commented Feb 7, 2020

What are the SSL/TLS versions supported for ldaps:// queries? I'm getting the error Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: unsupported protocol) and I'd like to debug the issue.

@derekpovah

Any updates on this?

@HarlemSquirrel
Member

Typically the limitations would be tied to the version of OpenSSL in use and the options provided in :encryption when calling Net::LDAP#initialize.

@derekpovah

The version that's installed in my ruby:2.6.5-slim Docker container is OpenSSL 1.1.1d 10 Sep 2019 and the version of net-ldap that bundler resolves is 0.16.2.

The weirdest part is that I can connect to a development ldap server just fine, but it only throws this error against the production AD server. An older version of net-ldap (0.11) that I'm using in an older project connects to the same AD server without this issue.

And I should mention that I'm using net-ldap through devise_ldap_authenticatable 0.8.5.

@HarlemSquirrel
Member

Does this problem surface with any other LDAP clients such as ldapsearch?

@HarlemSquirrel
Member

We can get more info about OpenSSL library in use like so:

require 'net/ldap'

OpenSSL::OPENSSL_VERSION
# => "OpenSSL 1.1.1h  22 Sep 2020"

OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
#       :min_version => 769,
#       :verify_mode => 1,
#   :verify_hostname => true,
#           :options => 2147614804
# }

OpenSSL::SSL.constants.select { |c| c.to_s.end_with?('_VERSION') }.each_with_object({}) { |c,h| h[c] = OpenSSL::SSL.const_get(c) }
# => {
#     :TLS1_VERSION => 769,
#   :TLS1_2_VERSION => 771,
#   :TLS1_3_VERSION => 772,
#     :SSL2_VERSION => 2,
#   :TLS1_1_VERSION => 770,
#     :SSL3_VERSION => 768
# }

We can also try some versions and see what happens.

require 'net/ldap'

hostname = 'ldap.example.com' # placeholder, not from the original; replace with your directory server

# Each iteration pins one protocol version via tls_options (passed through to the SSLContext).
# The rescue inside a do/end block requires Ruby 2.6 or newer.
[:TLSv1, :TLSv1_1, :TLSv1_2, :SSLv2, :SSLv23, :SSLv3].each do |ssl_ver|
  ldap = Net::LDAP.new(host: hostname, port: 636,
                       encryption: { method: :simple_tls, tls_options: { ssl_version: ssl_ver } })
  ldap.search_root_dse
  puts "#{ssl_ver}:  \t#{ldap.get_operation_result.message}"
rescue StandardError => e
  puts "#{ssl_ver}:  \t#{e.class} #{e.message}"
end

Here's an example with one directory I tried.

SSLv23:         Success
TLSv1:          Success
TLSv1_1:        Success
TLSv1_2:        Success
SSLv2:          Net::LDAP::Error SSL_CTX_set_min_proto_version
SSLv3:          Net::LDAP::Error SSL_connect returned=1 errno=0 state=error: no protocols available

@tbone587

I'm having a similar issue where, if I am using this library within Docker, it seems to blow up with SSL issues, but outside of Docker it works fine. It works inside ruby:2.6.3-stretch but not ruby:2.6.3. I am using 0.11.

@postmodern

FYI OpenSSL::SSL::SSLContext#ssl_version= is deprecated, and context.min_version = context.max_version = is recommended instead. However, the min_version=/max_version= methods accept slightly different values, such as :TLS1 instead of :TLSv1, and do not accept "SSLv23" anymore (for obvious reasons).
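As an added example (not code from the net-ldap project or from any commenter), here is the version probe from the earlier comment reworked onto min_version=/max_version=. The symbol mapping table, the ArgumentError for unsupported values such as :SSLv23, and the placeholder hostname are my assumptions; the probe itself needs the net-ldap gem and network access, while the option building and context validation run offline.

```ruby
require 'openssl'

# Old ssl_version= symbols mapped to the min_version=/max_version= symbols.
# SSLv2/SSLv3 are absent on purpose (modern OpenSSL refuses them) and :SSLv23
# has no single-version meaning, so it cannot be expressed this way.
TLS_VERSIONS = {
  TLSv1:   :TLS1,
  TLSv1_1: :TLS1_1,
  TLSv1_2: :TLS1_2,
  TLSv1_3: :TLS1_3,
}.freeze

# Build a tls_options hash pinning exactly one protocol version. Net::LDAP
# hands this hash to OpenSSL::SSL::SSLContext#set_params, which merges
# DEFAULT_PARAMS, so peer and hostname verification stay on unless overridden.
def tls_options_for(old_symbol)
  new_symbol = TLS_VERSIONS.fetch(old_symbol) do
    raise ArgumentError, "#{old_symbol} cannot be expressed with min_version/max_version"
  end
  { min_version: new_symbol, max_version: new_symbol }
end

# Validate the options offline: set_params raises if OpenSSL rejects them.
def context_for(old_symbol)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options_for(old_symbol))
  ctx
end

# Probe a directory server one pinned version at a time (hostname is an
# argument; hypothetical port default of 636 for ldaps://).
def probe(hostname, port = 636)
  require 'net/ldap'
  TLS_VERSIONS.keys.each_with_object({}) do |ver, results|
    ldap = Net::LDAP.new(host: hostname, port: port,
                         encryption: { method: :simple_tls, tls_options: tls_options_for(ver) })
    ldap.search_root_dse
    results[ver] = ldap.get_operation_result.message
  rescue StandardError => e
    results[ver] = "#{e.class} #{e.message}"
  end
end

if __FILE__ == $PROGRAM_NAME && ARGV.first
  probe(ARGV.first).each { |ver, msg| puts "#{ver}:\t#{msg}" }
end
```

Run it as `ruby probe.rb ldap.example.com` to get one result line per version; a server that only answers on TLS 1.2 or 1.3 will show the "unsupported protocol" style error on the older pins.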
