ruby-net-ldap
Supported SSL/TLS versions
What are the SSL/TLS versions supported for ldaps:// queries? I'm getting the error Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: unsupported protocol) and I'd like to debug the issue.
Any updates on this?
Typically the limitations would be tied to the version of OpenSSL in use and the options provided in :encryption when calling Net::LDAP#initialize.
The version that's installed in my ruby:2.6.5-slim Docker container is OpenSSL 1.1.1d 10 Sep 2019 and the version of net-ldap that bundler resolves is 0.16.2.
The weirdest part is that I can connect to a development ldap server just fine, but it only throws this error against the production AD server. An older version of net-ldap (0.11) that I'm using in an older project connects to the same AD server without this issue.
And I should mention that I'm using net-ldap through devise_ldap_authenticatable 0.8.5.
Does this problem surface with any other LDAP clients such as ldapsearch?
We can get more info about the OpenSSL library in use like so:
require 'net/ldap'
OpenSSL::OPENSSL_VERSION
# => "OpenSSL 1.1.1h 22 Sep 2020"
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
# :min_version => 769,
# :verify_mode => 1,
# :verify_hostname => true,
# :options => 2147614804
# }
OpenSSL::SSL.constants.select { |c| c.to_s.end_with?('_VERSION') }.each_with_object({}) { |c,h| h[c] = OpenSSL::SSL.const_get(c) }
# => {
# :TLS1_VERSION => 769,
# :TLS1_2_VERSION => 771,
# :TLS1_3_VERSION => 772,
# :SSL2_VERSION => 2,
# :TLS1_1_VERSION => 770,
# :SSL3_VERSION => 768
# }
We can also try some versions and see what happens:
require 'net/ldap'
hostname = ENV.fetch('LDAP_HOST') # host of the directory you want to probe (set this yourself)
# Force one protocol version at a time and report what the handshake does.
[:TLSv1, :TLSv1_1, :TLSv1_2, :SSLv2, :SSLv23, :SSLv3].each do |ssl_ver|
  ldap = Net::LDAP.new(host: hostname, port: 636,
                       encryption: { method: :simple_tls, tls_options: { ssl_version: ssl_ver } })
  ldap.search_root_dse
  puts "#{ssl_ver}: \t#{ldap.get_operation_result.message}"
rescue StandardError => e # rescue directly inside do/end needs Ruby 2.6+
  puts "#{ssl_ver}: \t#{e.class} #{e.message}"
end
Here's an example with one directory I tried.
SSLv23: Success
TLSv1: Success
TLSv1_1: Success
TLSv1_2: Success
SSLv2: Net::LDAP::Error SSL_CTX_set_min_proto_version
SSLv3: Net::LDAP::Error SSL_connect returned=1 errno=0 state=error: no protocols available
I'm having a similar issue where if I am using this library within docker it seems to blow up with SSL issues, but outside of docker it works fine. It works inside ruby:2.6.3-stretch but not ruby:2.6.3. I am using 0.11.
FYI OpenSSL::SSL::SSLContext#ssl_version= is deprecated, and context.min_version = context.max_version = is recommended instead. However, the min_version=/max_version= methods accept slightly different values, such as :TLS1 instead of :TLSv1, and do not accept "SSLv23" anymore (for obvious reasons).
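The following is an added example, not code from the net-ldap project or from anyone in this thread. It combines the version-probing loop posted above with the non-deprecated min_version/max_version setters from the last comment, but runs entirely inside one process: a TLS server over a UNIX socket pair, with a constructed self-signed certificate, is capped at the version given as server_max, and a client built from the same tls_options hash that net-ldap forwards to OpenSSL::SSL::SSLContext#set_params tries to handshake with it. When the client's floor is above the server's ceiling the handshake raises OpenSSL::SSL::SSLError, which is the class of error in the original report; when the ranges overlap the negotiated version is returned. The client also verifies the server certificate against an explicit trust store, which a production configuration should do as well. The helper names (make_self_signed, ldap_tls_options, trust_store_for, probe_handshake) and the loopback setup are my assumptions for the example.

```ruby
require 'openssl'
require 'socket'

# Self-signed certificate for the constructed loopback server; not a real CA.
def make_self_signed(cn: 'localhost')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

LOOPBACK_KEY, LOOPBACK_CERT = make_self_signed

# The hash you would pass as encryption: { method: :simple_tls, tls_options: ... }.
# net-ldap hands it to OpenSSL::SSL::SSLContext#set_params, so every key is an
# SSLContext setter. min_version/max_version take :TLS1_2-style names, not :TLSv1_2.
def ldap_tls_options(min_version:, max_version: nil, cert_store:)
  opts = { min_version: min_version,
           verify_mode: OpenSSL::SSL::VERIFY_PEER,
           cert_store: cert_store }
  opts[:max_version] = max_version if max_version
  opts
end

# Trust store holding only the loopback certificate; in production this is the
# CA that issued the directory's certificate.
def trust_store_for(cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  store
end

# Handshake between a client built from tls_options and a server capped at
# server_max, over a UNIX socket pair so nothing leaves the process.
# Returns { ok: true, version: "TLSv1.2" } or { ok: false, error: "..." }.
def probe_handshake(tls_options, server_max:, key: LOOPBACK_KEY, cert: LOOPBACK_CERT)
  server_io, client_io = UNIXSocket.pair
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key  = key
  sctx.max_version = server_max
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, sctx)
    begin
      ssl.accept
    rescue StandardError
      nil # the client side reports the failure
    ensure
      ssl.close rescue nil # the handshake may never have completed
      server_io.close
    end
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.set_params(tls_options)
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, cctx)
  ssl.hostname = 'localhost' # SNI, and the name the certificate is checked against
  begin
    ssl.connect
    { ok: true, version: ssl.ssl_version }
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError => e
    { ok: false, error: "#{e.class}: #{e.message}" }
  ensure
    ssl.close rescue nil
    client_io.close
    server.join
  end
end

if $PROGRAM_NAME == __FILE__
  store = trust_store_for(LOOPBACK_CERT)
  %i[TLS1 TLS1_2 TLS1_3].each do |min|
    r = probe_handshake(ldap_tls_options(min_version: min, cert_store: store),
                        server_max: OpenSSL::SSL::TLS1_2_VERSION)
    puts "client min #{min} vs server max TLS1_2: #{r[:ok] ? r[:version] : r[:error]}"
  end
end
```

To probe a real directory, pass the same ldap_tls_options hash as tls_options to Net::LDAP.new, with cert_store pointing at the CA that issued the directory's certificate. Note that DEFAULT_PARAMS in the output above shows min_version 769, i.e. TLS1_VERSION, but an OpenSSL build or distribution configuration can set a higher floor; a directory that only offers protocol versions below that floor then fails in exactly this way, and enabling current TLS versions on the directory is the better fix than lowering the client's minimum.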