
Supported SSL/TLS versions

Open kalsan opened this issue 4 years ago • 7 comments

What are the SSL/TLS versions supported for ldaps:// queries? I'm getting the error Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: unsupported protocol) and I'd like to debug the issue.

kalsan avatar Feb 07 '20 10:02 kalsan

Any updates on this?

derekpovah avatar Jun 22 '20 22:06 derekpovah

Typically the limitations would be tied to the version of OpenSSL in use and the options provided in :encryption when calling Net::LDAP#initialize

HarlemSquirrel avatar Jul 13 '20 02:07 HarlemSquirrel

The version that's installed in my ruby:2.6.5-slim Docker container is OpenSSL 1.1.1d 10 Sep 2019 and the version of net-ldap that bundler resolves is 0.16.2.

The weirdest part is that I can connect to a development ldap server just fine, but it only throws this error against the production AD server. An older version of net-ldap (0.11) that I'm using in an older project connects to the same AD server without this issue.

And I should mention that I'm using net-ldap through devise_ldap_authenticatable 0.8.5.

derekpovah avatar Jul 17 '20 16:07 derekpovah

Does this problem surface with any other LDAP clients such as ldapsearch?

HarlemSquirrel avatar Aug 17 '20 18:08 HarlemSquirrel

We can get more info about OpenSSL library in use like so:

require 'net/ldap'

OpenSSL::OPENSSL_VERSION
# => "OpenSSL 1.1.1h  22 Sep 2020"

OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
#       :min_version => 769,
#       :verify_mode => 1,
#   :verify_hostname => true,
#           :options => 2147614804
# }

OpenSSL::SSL.constants.select { |c| c.to_s.end_with?('_VERSION') }.each_with_object({}) { |c,h| h[c] = OpenSSL::SSL.const_get(c) }
# => {
#     :TLS1_VERSION => 769,
#   :TLS1_2_VERSION => 771,
#   :TLS1_3_VERSION => 772,
#     :SSL2_VERSION => 2,
#   :TLS1_1_VERSION => 770,
#     :SSL3_VERSION => 768
# }

We can also try some versions and see what happens

require 'net/ldap'

[:TLSv1, :TLSv1_1, :TLSv1_2, :SSLv2, :SSLv23, :SSLv3].each do |ssl_ver|
  ldap = Net::LDAP.new(host: hostname, port: 636, 
                       encryption: { method: :simple_tls, tls_options: { ssl_version: ssl_ver } })
  ldap.search_root_dse
  puts "#{ssl_ver}:  \t#{ldap.get_operation_result.message}"
rescue StandardError => e
  puts "#{ssl_ver}:  \t#{e.class} #{e.message}"
end

Here's an example with one directory I tried.

SSLv23:         Success
TLSv1:          Success
TLSv1_1:        Success
TLSv1_2:        Success
SSLv2:          Net::LDAP::Error SSL_CTX_set_min_proto_version
SSLv3:          Net::LDAP::Error SSL_connect returned=1 errno=0 state=error: no protocols available

HarlemSquirrel avatar Dec 01 '20 02:12 HarlemSquirrel

I'm having a similar issue where, if I am using this library within Docker, it seems to blow up with SSL issues, but outside of Docker it works fine. It works inside ruby:2.6.3-stretch but not ruby:2.6.3. I am using 0.11.

tbone587 avatar Jan 15 '21 01:01 tbone587

FYI OpenSSL::SSL::SSLContext#ssl_version= is deprecated, and context.min_version = context.max_version = is recommended instead. However, the min_version=/max_version= methods accept slightly different values, such as :TLS1 instead of :TLSv1, and do not accept "SSLv23" anymore (for obvious reasons).

postmodern avatar Apr 25 '24 23:04 postmodern
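The probe loop HarlemSquirrel posted above drives the client with the deprecated ssl_version= option; the following is an added example (written for this thread, not code from net-ldap or from any participant) that does the same job with the min_version/max_version pair postmodern recommends, and shows what a client/server range mismatch looks like without needing a real directory. It assumes that net-ldap forwards the tls_options hash to OpenSSL::SSL::SSLContext#set_params (so the keys below are what you would put under encryption: { method: :simple_tls, tls_options: ... }), that the OpenSSL build has TLS 1.2 and 1.3, and it stands in for the ldaps:// port with an in-process TLS server over a socketpair using a self-signed certificate constructed on the fly. The exact SSLError message for a mismatch ("unsupported protocol", "tlsv1 alert protocol version", "no protocols available") depends on which side rejects and on the OpenSSL version, so only the exception class is relied on.

```ruby
require 'openssl'
require 'socket'

# The TLS range expressed as min/max (postmodern's suggestion) rather than the
# deprecated ssl_version=. Assumed to be passed through to SSLContext#set_params
# by net-ldap via encryption: { tls_options: ldap_tls_options(...) }.
def ldap_tls_options(min: :TLS1_2, max: :TLS1_3)
  {
    min_version: min,
    max_version: max,
    verify_mode: OpenSSL::SSL::VERIFY_PEER,   # do not silently skip verification
    verify_hostname: true
  }
end

# Throwaway self-signed certificate for the in-process test server
# (constructed for this example; not a real directory's certificate).
def make_self_signed_cert(cn = 'localhost')
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Handshake a client limited to client_range against an in-process server limited
# to server_range over a socketpair (a stand-in for the ldaps:// connection).
# Returns the negotiated version string ("TLSv1.2") on success, or the SSLError
# raised on the client side when the two ranges do not overlap.
def tls_handshake(client_range:, server_range:, key:, cert:)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key  = key
  server_ctx.cert = cert
  server_ctx.min_version, server_ctx.max_version = server_range

  client_ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)                         # trust only the test certificate
  client_ctx.cert_store = store                # set before set_params so it is kept
  client_ctx.set_params(ldap_tls_options(min: client_range[0], max: client_range[1]))

  srv_io, cli_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(srv_io, server_ctx)
    begin
      ssl.accept
      ssl.close
    rescue OpenSSL::SSL::SSLError
      nil                                      # mismatch: server rejects the ClientHello
    ensure
      srv_io.close
    end
  end

  ssl = OpenSSL::SSL::SSLSocket.new(cli_io, client_ctx)
  ssl.hostname = 'localhost'                   # hostname check against the SAN above
  ssl.connect
  version = ssl.ssl_version
  ssl.close
  version
rescue OpenSSL::SSL::SSLError => e
  e
ensure
  cli_io.close unless cli_io.nil? || cli_io.closed?
  server&.join
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_self_signed_cert
  # A directory that only speaks TLS 1.2, probed by a client allowing 1.2..1.3:
  puts "overlap:  #{tls_handshake(client_range: [:TLS1_2, :TLS1_3], server_range: [:TLS1_2, :TLS1_2], key: key, cert: cert)}"
  # The same directory probed by a client that insists on TLS 1.3 only:
  puts "mismatch: #{tls_handshake(client_range: [:TLS1_3, :TLS1_3], server_range: [:TLS1_2, :TLS1_2], key: key, cert: cert).inspect}"
end
```

To bisect a failing ldaps:// host, swap the socketpair for the real connection and move client_range down one version at a time; the first range that succeeds tells you what the directory actually offers, and whether the container's OpenSSL configuration (its default min_version, visible in SSLContext::DEFAULT_PARAMS) is what is rejecting it.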