ruby-ldap / ruby-net-ldap

Pure Ruby LDAP library
https://rubygems.org/gems/net-ldap

Supported SSL/TLS versions #348

Open kalsan opened 4 years ago

kalsan commented 4 years ago

What are the SSL/TLS versions supported for ldaps:// queries? I'm getting the error Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: unsupported protocol) and I'd like to debug the issue.

derekpovah commented 4 years ago

Any updates on this?

HarlemSquirrel commented 4 years ago

Typically the limitations would be tied to the version of OpenSSL in use and the options provided in :encryption when calling Net::LDAP#initialize.

derekpovah commented 4 years ago

The version that's installed in my ruby:2.6.5-slim Docker container is OpenSSL 1.1.1d 10 Sep 2019 and the version of net-ldap that bundler resolves is 0.16.2.

The weirdest part is that I can connect to a development ldap server just fine, but it only throws this error against the production AD server. An older version of net-ldap (0.11) that I'm using in an older project connects to the same AD server without this issue.

And I should mention that I'm using net-ldap through devise_ldap_authenticatable 0.8.5.

HarlemSquirrel commented 4 years ago

Does this problem surface with any other LDAP clients such as ldapsearch?

HarlemSquirrel commented 4 years ago

We can get more info about OpenSSL library in use like so:

require 'net/ldap'

OpenSSL::OPENSSL_VERSION
# => "OpenSSL 1.1.1h  22 Sep 2020"

OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
#       :min_version => 769,
#       :verify_mode => 1,
#   :verify_hostname => true,
#           :options => 2147614804
# }

OpenSSL::SSL.constants.select { |c| c.to_s.end_with?('_VERSION') }.each_with_object({}) { |c,h| h[c] = OpenSSL::SSL.const_get(c) }
# => {
#     :TLS1_VERSION => 769,
#   :TLS1_2_VERSION => 771,
#   :TLS1_3_VERSION => 772,
#     :SSL2_VERSION => 2,
#   :TLS1_1_VERSION => 770,
#     :SSL3_VERSION => 768
# }

We can also try some versions and see what happens

require 'net/ldap'

# hostname: the LDAP server under test (set it before running this loop).
# The rescue clause inside do/end needs Ruby 2.6 or newer.
[:TLSv1, :TLSv1_1, :TLSv1_2, :SSLv2, :SSLv23, :SSLv3].each do |ssl_ver|
  ldap = Net::LDAP.new(host: hostname, port: 636,
                       encryption: { method: :simple_tls, tls_options: { ssl_version: ssl_ver } })
  ldap.search_root_dse
  puts "#{ssl_ver}:  \t#{ldap.get_operation_result.message}"
rescue StandardError => e
  puts "#{ssl_ver}:  \t#{e.class} #{e.message}"
end

Here's an example with one directory I tried.

SSLv23:         Success
TLSv1:          Success
TLSv1_1:        Success
TLSv1_2:        Success
SSLv2:          Net::LDAP::Error SSL_CTX_set_min_proto_version
SSLv3:          Net::LDAP::Error SSL_connect returned=1 errno=0 state=error: no protocols available

tbone587 commented 3 years ago

I'm having a similar issue where, if I am using this library within Docker, it seems to blow up with SSL issues, but outside of Docker it works fine. It works inside ruby:2.6.3-stretch but not ruby:2.6.3. I am using 0.11.

postmodern commented 7 months ago

FYI OpenSSL::SSL::SSLContext#ssl_version= is deprecated, and context.min_version = context.max_version = is recommended instead. However, the min_version=/max_version= methods accept slightly different values, such as :TLS1 instead of :TLSv1, and do not accept "SSLv23" anymore (for obvious reasons).
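An added example (not code from net-ldap or from anyone in this thread) that builds the :encryption hash for Net::LDAP.new with min_version/max_version instead of the deprecated ssl_version key used in the probe loop above. It assumes net-ldap hands tls_options to OpenSSL::SSL::SSLContext#set_params, which calls the matching min_version=/max_version= setters; the :TLSv1_x keys keep the thread's spelling and are mapped onto the OpenSSL::SSL integer constants (769, 770, 771, 772 in the output above). The negotiable? helper is a local model of the "unsupported protocol" condition, not a network probe.

```ruby
require 'openssl'

# Legacy ssl_version symbols from the thread -> OpenSSL::SSL version constants.
# Only versions this OpenSSL build actually defines can be pinned; SSLv2 and
# SSLv3 are left out on purpose, since modern builds cannot negotiate them.
PROTOCOLS = {
  TLSv1: :TLS1_VERSION, TLSv1_1: :TLS1_1_VERSION,
  TLSv1_2: :TLS1_2_VERSION, TLSv1_3: :TLS1_3_VERSION,
}.each_with_object({}) do |(legacy, const), h|
  h[legacy] = OpenSSL::SSL.const_get(const) if OpenSSL::SSL.const_defined?(const)
end.freeze

# tls_options for a min..max range. :SSLv23 ("let OpenSSL negotiate") becomes
# an unpinned {}; anything this build lacks raises, which is the situation the
# SSL_CTX_set_min_proto_version / "no protocols available" lines above reflect.
def tls_options_for(min, max = min)
  return {} if min == :SSLv23 && max == :SSLv23
  lo, hi = [min, max].map do |v|
    PROTOCOLS.fetch(v) { raise ArgumentError, "#{v} cannot be negotiated by this OpenSSL" }
  end
  raise ArgumentError, "min #{min} is above max #{max}" if lo > hi
  { min_version: lo, max_version: hi }
end

# The :encryption argument for Net::LDAP.new (assumed: tls_options is passed
# straight to SSLContext#set_params by net-ldap).
def ldaps_encryption(min, max = min)
  { method: :simple_tls, tls_options: tls_options_for(min, max) }
end

# Does a server that settles on server_ver fit the client's pinned range?
# When it does not, OpenSSL reports exactly the "unsupported protocol" error
# from the opening comment; an unpinned context accepts any known version.
def negotiable?(server_ver, min, max = min)
  opts = tls_options_for(min, max)
  v = PROTOCOLS.fetch(server_ver)
  opts.empty? || (opts[:min_version]..opts[:max_version]).cover?(v)
end

if $PROGRAM_NAME == __FILE__
  [[:SSLv23], [:TLSv1_2], [:TLSv1, :TLSv1_2], [:SSLv3]].each do |range|
    puts "#{range.join('..')}: #{ldaps_encryption(*range)}"
  rescue ArgumentError => e
    puts "#{range.join('..')}: #{e.message}"
  end
end
```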