matrix-org / matrix-synapse-ldap3

An LDAP3 auth provider for Synapse
Apache License 2.0
128 stars, 46 forks

Login not working: error during LDAP authentication; sslv3 alert handshake failure #189

Closed fooness closed 9 months ago

fooness commented 9 months ago

I’ve been using matrix-synapse-ldap3 for almost four years now, and I’m somewhat familiar with the setup and configuration.

After setting up a new Matrix instance/server, and trying to recreate the working LDAP ~password_providers~ modules configuration, I’m experiencing some errors unfortunately, and I absolutely cannot figure out what the problem might be.

The LDAP connection is definitely working from this server; I tested this with ldapsearch as well as other applications/services than matrix-synapse(-ldap3) with the same LDAP configuration; I tested with TLS (Start_TLS) and with SSL (via LDAPS).

Here’s the relevant LDAP module configuration from the homeserver.yaml file:

modules:
  - module: "ldap_auth_provider.LdapAuthProviderModule"
    config:
      enabled: true
      mode: "search"
      uri: "ldap://ldap.example.org:389"
      start_tls: true
      tls_options:
        validate: false
       #version: 2 # SSLv23
       #version: 3 # TLSv1
        version: 4 # TLSv1_1
       #version: 5 # TLSv1_2
      base: "dc=example,dc=org"
      attributes:
        uid: "uid"
        mail: "mail"
        name: "cn"
      bind_dn: "cn=bind,dc=example,dc=org"
      bind_password: "*********"

Here’s an excerpt from the homeserver.log file:

2024-02-06 12:17:59,169 - ldap_auth_provider - 553 - WARNING - sentinel - Error during LDAP authentication: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1006)',)
2024-02-06 12:17:59,170 - ldap_auth_provider - 658 - WARNING - sentinel - Error during LDAP authentication: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1006)',)
2024-02-06 12:17:59,170 - ldap_auth_provider - 238 - WARNING - sentinel - Error during ldap authentication: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1006)',)

For testing, I disabled the certificate validation via validate: false in tls_options. This did not help.

The README states that additional tls_options are supported which can be any key from the Tls object, which is why I tried setting ~version: "TLSv1" or version: "SSLv2"~ e.g. version: 4 above (other versions were tested, too).

This results in another error in the homeserver.log file, stating that there are no ciphers available. Specifying ciphers in the Tls object, via e.g. ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS", results in the same error ([SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]) as above.

Here are some package versions:

$ pip list | grep matrix
matrix-common             1.3.0
matrix-synapse            1.100.0
matrix-synapse-ldap3      0.3.0

$ pip list | grep SSL
pyOpenSSL                 23.3.0

$ pip list | grep request
requests                  2.31.0

$ pip list | grep urllib
urllib3                   2.0.7

Maybe, hopefully, someone could help?

PS: It seems more and more that this problem is brought in via some dependencies; I was not able to pinpoint if it’s e.g. ldap3 or openssl, and I was not able to find any solution in other repositories’ issues or via search engine.

fooness commented 9 months ago

Update: It seems that for our LDAP, the combination of TLS 1.2 and a specific TLS cipher string works since Python 3.10.

Related issues:

More information about tls_options:

Excerpt from matrix-synapse’s homeserver.yaml:

# Python 3.10 seemingly introduces some problems(?) related to SSL/TLS,
# hence we need some more configuration, at least for _our_ LDAP server
#
tls_options:
  validate: false
  version: 5 # that is "PROTOCOL_TLSv1_2"
  ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS"

PS: I tested this very cipher string with TLS 1.1 before, and it didn’t work. The following nmap command helped me figure out which TLS versions and ciphers are supported by the LDAP server, and therefore need to be specified for the client.

nmap --script ssl-enum-ciphers -p 389 ldap.example.org
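The tls_options shown in the two comments above (a numeric `version` plus a `ciphers` string) are handed to ldap3's Tls object, and the numbers are the `ssl.PROTOCOL_*` constants of Python's ssl module (SSLv23 = 2, TLSv1 = 3, TLSv1_1 = 4, TLSv1_2 = 5). The script below is an added diagnostic example, not code from the reporter or from the matrix-synapse-ldap3 project: it builds an SSLContext for each `version` value exactly as a client would, applies the cipher string from the issue, and reports which cipher suites the local Python/OpenSSL build actually enables. An empty list or an SSLError for a given version is the client-side origin of the "no ciphers available" error quoted above, which is why `version: 4` (TLS 1.1) can fail while `version: 5` (TLS 1.2) works on a current build. The assumptions are that the module passes tls_options through to ldap3.Tls unchanged (as the README quoted in the issue says) and that the host name `ldap.example.org` is a placeholder. The optional `ldaps_handshake` helper only covers LDAPS (TLS from the first byte, port 636); it cannot exercise StartTLS on port 389, because there the TLS handshake only begins after an LDAP StartTLS extended operation, so the reporter's nmap `ssl-enum-ciphers` probe remains the right tool for that path.

```python
import socket
import ssl
import warnings

# Cipher string copied from the issue's homeserver.yaml excerpt.
CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:"
           "DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS")

# tls_options "version" numbers as ldap3 interprets them: the ssl module's
# PROTOCOL_* constants. Assumption: matrix-synapse-ldap3 forwards tls_options to
# ldap3.Tls unchanged. getattr() is used because the legacy constants are
# deprecated and a future Python build may drop them.
VERSION_NAMES = {2: "PROTOCOL_SSLv23", 3: "PROTOCOL_TLSv1",
                 4: "PROTOCOL_TLSv1_1", 5: "PROTOCOL_TLSv1_2"}


def protocol_for(version_value):
    """Map a tls_options `version` number to the ssl module constant, or None."""
    name = VERSION_NAMES.get(version_value)
    return getattr(ssl, name, None) if name else None


def probe_cipher_string(version_value, cipher_string=CIPHERS):
    """Build the SSLContext a client would use for this version/cipher pair and
    list the suites the local OpenSSL enables for it. ok=False with an empty
    list or an error text corresponds to the 'no ciphers available' failure."""
    proto = protocol_for(version_value)
    if proto is None:
        return {"version": version_value, "ok": False, "ciphers": [],
                "error": "unknown or unsupported version value"}
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # legacy PROTOCOL_* warn
        try:
            ctx = ssl.SSLContext(proto)
            ctx.set_ciphers(cipher_string)
            names = [c["name"] for c in ctx.get_ciphers()]
            return {"version": version_value, "ok": bool(names),
                    "ciphers": names, "error": None}
        except (ssl.SSLError, ValueError) as exc:
            return {"version": version_value, "ok": False, "ciphers": [],
                    "error": str(exc)}


def usable_versions(cipher_string=CIPHERS):
    """Config `version` values whose context accepts the cipher string here."""
    return [v for v in sorted(VERSION_NAMES)
            if probe_cipher_string(v, cipher_string)["ok"]]


def ldaps_handshake(host, port=636, cipher_string=CIPHERS, timeout=5.0):
    """LDAPS-only check: complete a TLS handshake and return the negotiated
    (protocol, cipher). Verification is disabled to mirror `validate: false`
    for diagnosis only; a production client must verify the server chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher_string)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Offline report: which tls_options versions this Python build can use
    # with the issue's cipher string, and what each one enables.
    for v in sorted(VERSION_NAMES):
        r = probe_cipher_string(v)
        status = "%d suites" % len(r["ciphers"]) if r["ok"] else "FAIL: %s" % r["error"]
        print("version: %d (%s) -> %s" % (v, VERSION_NAMES[v], status))
    print("usable versions:", usable_versions())
    # Uncomment to test an LDAPS endpoint (placeholder host):
    # print(ldaps_handshake("ldap.example.org"))
```

Run it on the Synapse host with the same Python that runs Synapse (the interpreter matters, as the second comment notes), and compare the versions it reports as usable with the server-side list from `nmap --script ssl-enum-ciphers`; the `version` value to put in tls_options is the highest one both sides accept.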