topic R77.30 w/gaia using TLSv1 for LDAPS in Firewall and Security Management

R77.30 w/gaia using TLSv1 for LDAPS

Steve_Marouchoc — Fri, 18 Sep 2020 17:47:17 GMT

Hello.

The short:

I need LDAPS to use tlsv1.2 instead of tlsv1 in my R77.30 gateway clsuter. Has anyone else had to manually change this?

The long:

I have an R77.30 JHF 351 two node cluster that has LDAPS configured for Identity Awareness. I have all the thumbprints, and have the encryption min and max set to "Strong." In global properties, we have min/max version of TLSv1.2. We have gone into GuiDBedit and change the "other" ssl min and max to tlsv1.2.

All this, and when the firewall makes an LDAP request of our active directory DC's, it uses TLSv1. I have packet captures from the gateways showing that they are using tlsv1, and the AD logs basically say that the client has no compatible ciphers.

I have a TAC case open, but after several hours in a remote session yesterday, we were unable to figure out how to made LDAPS use TLSv1.2.

Even stranger, I have another R77.30 jhf 345 solution, two clusters of two 23500's each running VSX. All the VS's that are configured to use the same DC's for IA work fine. The VSX management, however, also tries TLSv1 and fails. All other services are using TLSv1.2 successfully.

TAC is currently comparing the cpinfo output from both solutions to see if they can find why the VS's are working and why VSX and straight up Gaia are not.

Re: R77.30 w/gaia using TLSv1 for LDAPS

PhoneBoy — Mon, 21 Sep 2020 00:23:39 GMT

Maybe @Royi_Priov knows but I don’t think there is anything specific requires to tell IDA to use TLS 1.2.
You might also compare hotfixes between the two systems.

That said R77.30 has been End of Support for a year now and you should really look at upgrading.

Re: R77.30 w/gaia using TLSv1 for LDAPS

Royi_Priov — Mon, 21 Sep 2020 08:10:29 GMT

Hi,

It's in a layer "below" IDA 🙂

@Liel_Shaish , do you know?

Re: R77.30 w/gaia using TLSv1 for LDAPS

Steve_Marouchoc — Mon, 21 Sep 2020 12:05:02 GMT

Thank you. I am aware of the eos, but scheduling a window where all out backup products may be at risk for the transition has been more than a little difficult. And yes, TOC is comparing the cpinfo from both boxes to see if we can find why the difference. But I thought I'd ask the community to see if anyone else has had experience. Thanks again!

Re: R77.30 w/gaia using TLSv1 for LDAPS

John_Fleming — Mon, 21 Sep 2020 18:29:09 GMT

This may not be super helpful and maybe tac has already done this with you, but if it was me I would find the process that is making the tls call and figure out how to put it in debug mode. There should be something indicating what its doing any why. I always forget if its pep or pdp but my guess is its one of those making the tls call.

Re: R77.30 w/gaia using TLSv1 for LDAPS

PhoneBoy — Mon, 21 Sep 2020 19:28:59 GMT

pdp is responsible for doing the LDAP lookups.