jellyfin / jellyfin-plugin-ldapauth

LDAP Authentication for Jellyfin
https://jellyfin.org
MIT License

Issue with SSL auth #98

Open sdimovv opened 2 years ago

sdimovv commented 2 years ago

Hi,

I am trying to get Jellyfin use the Synology LDAP server as authentication provider.

The setup is as follows: LDAP Server:

Jellyfin:

If I configure the LDAP plugin to connect without SSL - everything works. I can login by using user credentials stored in the LDAP server.

However, if I select the "Secure LDAP" checkbox it saves fine, but I cannot login using LDAP stored credentials.

At first I thought this is because the SSL/TLS Verification fails (because I am using a local IP while the SSL cert is issued to the server domain), so I checked the "Skip SSL/TLS Verification" box as well - still nothing.

I then tried manually adding an entry to the hosts file of the running docker container:

$ docker exec -it container_id bash
container_id$ echo "192.168.XXX.XXX the.server.domain" >> /etc/hosts

Still nothing with or without the "Skip SSL/TLS Verification" option.

Finally with the following setup:

  1. Local IP & ports reachable
  2. Container's /etc/hosts modified to redirect the cert domain to the local IP
  3. "Skip SSL/TLS Verification" option checked
  4. "Secure LDAP" checked
  5. Correct port selected (636)
  6. Correct LDAP Base DN & Bind DN

I read the logs, and this is the error:

[ERR] [27] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port)
   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
   at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)

How can I fix this?

Edit: Just noticed the OpenSSL versions of the Synology server and Jellyfin container are quite different (1.0.2 vs 1.1.1). Could that be causing it?

pablos91 commented 2 years ago

I'm facing a similar issue, except my error is unsupported_protocol

[20:54:50] [ERR] [17] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port)
   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
   at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)

I'm also using OpenSSL 1.0.2 on LDAP host and 1.1.1 on Jellyfin Host

I've tried v12.0 and v14.0; both are not working.
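Both stack traces above fail inside the OpenSSL handshake before any LDAP bind happens, and the two reason strings (`sslv3 alert handshake failure` and `unsupported protocol`) point at different causes. The script below is an added triage aid, not code from this thread or from the jellyfin-plugin-ldapauth project: it pulls the OpenSSL error codes out of Jellyfin log text, maps each reason string to a likely cause and the server-side fix, and includes a probe that attempts one handshake per TLS version against an LDAPS endpoint so an admin can see which versions the directory server actually offers. The sample log text is constructed from the lines quoted in this issue; `probe_tls_versions` is a hypothetical helper name and disables certificate verification only because it tests protocol support, not trust.

```python
import re
import socket
import ssl
import sys

# Constructed sample input: the OpenSSL error lines quoted in this issue thread.
SAMPLE_LOG = """\
[ERR] [27] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[20:54:50] [ERR] [17] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server
 ---> Interop+Crypto+OpenSslCryptographicException: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
"""

# OpenSSL 1.1.x error format: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:([^:\n]+):([^\n]+)")

# Reason string -> (category, likely cause and defender-side remediation).
TRIAGE = {
    "unsupported protocol": (
        "protocol_version_mismatch",
        "Client and server share no TLS version. An OpenSSL 1.1.1 client defaults to a "
        "minimum of TLS 1.2, while an OpenSSL 1.0.2 based server may only have TLS 1.0/1.1 "
        "enabled. Enable TLS 1.2 on the LDAP server rather than lowering the client minimum.",
    ),
    "sslv3 alert handshake failure": (
        "handshake_alert",
        "The server aborted the handshake: typically no cipher suite in common, or the server "
        "requires SNI / a client certificate that the client did not present. Compare the "
        "server's cipher list with the client's and check what name the client sends.",
    ),
    "wrong version number": (
        "not_tls",
        "The peer did not answer with TLS: the port is probably plain LDAP (389) while "
        "'Secure LDAP' is enabled. Use 636 for LDAPS.",
    ),
    "certificate verify failed": (
        "cert_verification",
        "The certificate chain or host name was rejected. Fix the trust store or the name "
        "used to connect; skipping verification removes server authentication entirely.",
    ),
}


def parse_openssl_errors(log_text):
    """Return a list of {code, function, reason} dicts for every OpenSSL error in the log."""
    return [
        {"code": code, "function": func, "reason": reason.strip()}
        for code, func, reason in OPENSSL_ERR.findall(log_text)
    ]


def triage(errors):
    """Attach a category and remediation advice to each parsed error."""
    out = []
    for err in errors:
        category, advice = TRIAGE.get(
            err["reason"], ("unknown", "Unrecognised reason string; check the server's TLS log.")
        )
        out.append({**err, "category": category, "advice": advice})
    return out


def probe_tls_versions(host, port=636, server_name=None, timeout=5.0):
    """Try one handshake per TLS version and report which ones the server accepts.

    Verification is disabled here on purpose: the probe answers 'which protocol versions
    does this endpoint speak', not 'should I trust it'. Do not reuse this context elsewhere.
    """
    results = {}
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    for version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError as exc:  # local OpenSSL build has this version compiled out
            results[version.name] = f"not available locally: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                # server_hostname controls SNI; an IP literal sends no SNI, which matters
                # when the server only serves its certificate for the real domain name.
                with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                    results[version.name] = f"accepted ({tls.version()}, {tls.cipher()[0]})"
        except ssl.SSLError as exc:
            results[version.name] = f"rejected: {exc.reason or exc}"
        except OSError as exc:
            results[version.name] = f"connection error: {exc}"
    return results


if __name__ == "__main__":
    # Triage the sample log; pass "host [port] [sni_name]" to also probe a live LDAPS endpoint.
    for item in triage(parse_openssl_errors(SAMPLE_LOG)):
        print(f"{item['code']} {item['function']}: {item['category']}\n  {item['advice']}")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        sni = sys.argv[3] if len(sys.argv) > 3 else None
        for name, outcome in probe_tls_versions(host, port, sni).items():
            print(f"{name}: {outcome}")
```

Running the probe against the directory server with both the local IP and the certificate's domain name as the SNI argument separates the two hypotheses in this thread: if only TLS 1.0/1.1 come back as accepted, the fix is enabling TLS 1.2 on the server; if TLS 1.2 is accepted by name but rejected by IP, the server is selecting its certificate or virtual host by SNI and the client needs to connect by name.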