pradeepb
Staff
February 23, 2021

Technical Tip: How to change the SSL/TLS version used while connecting to a LDAP server

Description
This article applies when LDAP authentication is used, the LDAP connection between the FortiGate and the LDAP server is encrypted (STARTTLS or LDAPS), and the TLS/SSL version that the FortiGate uses to connect to the LDAP server needs to be changed.

Solution
Use the following commands:
# config user ldap
    edit "ldap name"
        set ssl-min-proto-version <default/SSLv3/TLSv1/TLSv1-1/TLSv1-2>
end
The 'set ssl-min-proto-version' option sets the minimum protocol version the FortiGate accepts for its SSL/TLS connection to the LDAP server.
If the LDAP server negotiates a weaker version than the configured minimum, the FortiGate denies the connection and debug output similar to the line below appears.

Debug:
__ldap_connect-tcps_connect(server ip) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
The 'default' option follows the 'ssl-min-proto-version' value configured under 'config system global'.

Example:
To set the minimum SSL/TLS version to TLSv1-1, use the following syntax:
# config user ldap
    edit "ldap name"
        set ssl-min-proto-version TLSv1-1
end
With this configuration the FortiGate accepts LDAPS connections that negotiate TLSv1.1 or higher.
If the server negotiates TLSv1, the FortiGate aborts the connection.
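The version floor described above can be reproduced outside a FortiGate with Python's ssl module. This is an added example, not Fortinet code: an in-memory client with minimum_version set (the equivalent of ssl-min-proto-version) handshakes against an in-process stand-in for the LDAP server whose maximum_version is capped, so the "unsupported protocol" failure can be observed without touching a real server. It assumes the openssl CLI is available to mint a throw-away certificate, and it uses TLS 1.2 and 1.3 instead of TLS 1.0/1.1 because current OpenSSL builds refuse the older versions at their default security level; the FortiOS keywords (plus TLSv1-3, which the page's list does not include) are mapped to ssl.TLSVersion by hand.

```python
"""Reproduce the client-side minimum-version floor that ssl-min-proto-version sets."""
import functools
import os
import ssl
import subprocess
import tempfile

# FortiOS keyword -> Python ssl.TLSVersion (TLSv1-3 is not on the page; added for the demo)
FORTI_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1-1": ssl.TLSVersion.TLSv1_1, "TLSv1-2": ssl.TLSVersion.TLSv1_2,
    "TLSv1-3": ssl.TLSVersion.TLSv1_3,
}

@functools.lru_cache(maxsize=None)
def _self_signed():
    """Constructed throw-away cert for the in-process 'LDAP server' (needs the openssl CLI).
    The temp directory is deliberately left for the process lifetime."""
    d = tempfile.mkdtemp()
    key, crt = os.path.join(d, "key.pem"), os.path.join(d, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                    "-out", crt, "-subj", "/CN=ldap.example", "-days", "1"],
                   check=True, capture_output=True)
    return key, crt

def negotiate(client_min, server_max):
    """Handshake a 'FortiGate' client (floor = client_min) against an 'LDAP server' whose
    best version is server_max, entirely in memory. Returns (ok, negotiated version or reason)."""
    key, crt = _self_signed()
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)
    srv.maximum_version = FORTI_VERSION[server_max]       # what the server can offer at best
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                             # demo only: constructed cert, no trust store
    cli.verify_mode = ssl.CERT_NONE
    cli.minimum_version = FORTI_VERSION[client_min]       # the ssl-min-proto-version equivalent
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_hostname="ldap.example")
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}
    try:
        for _ in range(10):                                # a few round trips suffice for either TLS version
            for name, obj, out, peer_in in (("client", client, c_out, s_in),
                                            ("server", server, s_out, c_in)):
                if not done[name]:
                    try:
                        obj.do_handshake()
                        done[name] = True
                    except ssl.SSLWantReadError:
                        pass                               # needs the peer's next flight
                data = out.read()                          # ship this side's records to the peer
                if data:
                    peer_in.write(data)
            if all(done.values()):
                return True, client.version()
    except ssl.SSLError as exc:                            # e.g. UNSUPPORTED_PROTOCOL, like the FortiGate debug line
        return False, exc.reason or str(exc)
    return False, "handshake incomplete"
```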

