Steve_Marouchoc
Explorer

R77.30 w/gaia using TLSv1 for LDAPS

Hello. 

The short:

I need LDAPS to use TLSv1.2 instead of TLSv1 in my R77.30 gateway cluster. Has anyone else had to manually change this?

The long:

I have an R77.30 JHF 351 two-node cluster that has LDAPS configured for Identity Awareness. I have all the thumbprints, and have the encryption min and max set to "Strong." In global properties, we have min/max version of TLSv1.2. We have gone into GuiDBedit and changed the "other" SSL min and max to TLSv1.2.

All this, and when the firewall makes an LDAP request of our Active Directory DCs, it uses TLSv1. I have packet captures from the gateways showing that they are using TLSv1, and the AD logs basically say that the client has no compatible ciphers.

I have a TAC case open, but after several hours in a remote session yesterday, we were unable to figure out how to make LDAPS use TLSv1.2.

Even stranger, I have another R77.30 JHF 345 solution, two clusters of two 23500s each running VSX. All the VSs that are configured to use the same DCs for IA work fine. The VSX management, however, also tries TLSv1 and fails. All other services are using TLSv1.2 successfully.

TAC is currently comparing the cpinfo output from both solutions to see if they can find why the VSs are working and why VSX and straight-up Gaia are not.

0 Kudos
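The post above relies on gateway packet captures to show that the LDAPS client is offering TLSv1. As an added example (not code from the thread or from Check Point), the Python below parses the TLS ClientHello record from such a capture and reports the version(s) the client offers; `build_client_hello` only constructs test input, and in practice the bytes would be the TCP payload of the first packet the gateway sends on port 636.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record as test input (not a real capture)."""
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = bytes([len(lst)]) + lst
        exts = struct.pack("!HH", 43, len(ext)) + ext      # supported_versions
    hello = (struct.pack("!H", client_version) + b"\x00" * 32   # legacy version, random
             + b"\x00"                                           # empty session_id
             + struct.pack("!H", 2) + b"\x00\x2f"                # one cipher suite
             + b"\x01\x00")                                      # null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello         # handshake header
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs    # record header

def offered_versions(record):
    """Return the TLS versions a ClientHello offers, highest first.

    Pre-1.3 clients advertise only their highest version in client_version;
    1.3-capable clients list all of them in the supported_versions extension.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    versions = [struct.unpack("!H", hello[0:2])[0]]
    pos = 2 + 32                                                  # skip random
    pos += 1 + hello[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]         # cipher suites
    pos += 1 + hello[pos]                                         # compression
    if pos + 2 <= len(hello):                                     # extensions present
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 43:
                n = hello[pos]
                versions = [struct.unpack("!H", hello[pos + 1 + i:pos + 3 + i])[0]
                            for i in range(0, n, 2)]
            pos += elen
    return [TLS_VERSIONS.get(v, hex(v)) for v in versions]
```

A result of `["TLSv1.0"]` means the client itself caps the handshake at TLSv1, so no server-side change can raise it.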
5 Replies
PhoneBoy
Admin

Maybe @Royi_Priov knows, but I don't think there is anything specific required to tell IDA to use TLS 1.2.
You might also compare hotfixes between the two systems.

That said R77.30 has been End of Support for a year now and you should really look at upgrading.

0 Kudos
Royi_Priov
Employee

Hi,

It's in a layer "below" IDA 🙂

@Liel_Shaish , do you know?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Steve_Marouchoc
Explorer

Thank you. I am aware of the EoS, but scheduling a window where all our backup products may be at risk for the transition has been more than a little difficult. And yes, TAC is comparing the cpinfo from both boxes to see if we can find the difference. But I thought I'd ask the community to see if anyone else has had experience. Thanks again!

0 Kudos
John_Fleming
Advisor

This may not be super helpful, and maybe TAC has already done this with you, but if it was me I would find the process that is making the TLS call and figure out how to put it in debug mode. There should be something indicating what it's doing and why. I always forget if it's pep or pdp, but my guess is it's one of those making the TLS call.

0 Kudos
PhoneBoy
Admin

pdp is responsible for doing the LDAP lookups.

0 Kudos