Technical Tip: LDAP error message with 'error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'
Description
This article explains how to fix the issue when a FortiGate unit has an LDAP authentication setting configured and gets the error message below:
'error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'
[934] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
Solution
When the LDAP setting is configured on the FortiGate unit and it cannot authenticate with the LDAP server properly, in particular in these cases:
- The LDAP setting on the FortiGate is correct, but the FortiGate unit cannot authenticate with the LDAP server properly.
- After an upgrade of the firmware version to v6.0.2 or above, there is an LDAP authentication issue.
Run the following CLI commands on the FortiGate unit to check:
# diagnose debug disable
# diagnose debug reset
# diagnose debug application fnbamd -1
# diagnose debug enable
# diagnose test authserver ldap <servername> <username> <password>
There is an issue when the message below shows up:
“error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol”
From the full message:
[934] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
Example of logs:
[1139] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'TEST24' for usergroup 'VPN-Degaudenz-C3-GR' (12)
[1607] fnbamd_ldap_init-search filter is: sAMAccountName=testUser
[1616] fnbamd_ldap_init-search base is: dc=testgroup,dc=local
[991] __fnbamd_ldap_dns_cb-Resolved TEST24 (idx 0) to 10.10.24.15
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[556] create_auth_session-Total 1 server(s) to try
[214:root:c2]fam_auth_send_req_internal:453 fnbam_auth return: 4
[934] __ldap_connect-tcps_connect(10.10.24.5) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
[770] __ldap_try_next_server-LDAP TEST24' conn failed, svr: 10.10.24.5.
[736] __ldap_error-
[725] __ldap_stop-svr ‘TEST24’
The error means the TLS version the LDAP server selected is below the minimum the FortiGate is willing to accept, so the two sides must be brought into agreement.
SOLUTION:
1) To fix this issue, run the following CLI commands on the FortiGate unit:
# config system global
set ssl-min-proto-version TLSv1
end
Or configure the minimum SSL version to match the LDAP server with:
# config system global
set ssl-min-proto-version <version>
end
where <version> is one of:
SSLv3     SSLv3.
TLSv1     TLSv1.
TLSv1-1   TLSv1.1.
TLSv1-2   TLSv1.2.
2) Check the SSL minimum proto version on the FortiGate unit with:
# config system global
get
And check the value under:
ssl-min-proto-version:
2.1) Then configure the SSL minimum proto version at the LDAP server to be the same as on the FortiGate unit.
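To confirm the version mismatch from an admin workstation before changing either side, here is an added Python example (not part of the Fortinet article) that probes which TLS versions the LDAPS server negotiates and compares them with the FortiGate's ssl-min-proto-version value, covering all of the article's TLS settings rather than only the TLSv1 case. The host name, port 636 and the sample sets passed to diagnose() are assumptions; diagnose() itself works offline on the probe results.

```python
import socket
import ssl

# Order of the 'set ssl-min-proto-version' values listed in the article.
ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2"]
# The ones a current OpenSSL build can still probe; SSLv3 is left out.
PROBEABLE = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1-1": ssl.TLSVersion.TLSv1_1,
    "TLSv1-2": ssl.TLSVersion.TLSv1_2,
}

def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True if it completes.
    Certificate checks are off on purpose: only protocol negotiation matters."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version   # may raise if the local OpenSSL lacks it
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ValueError, OSError):
        return False

def accepted_versions(host, port=636):
    """FortiOS version names the LDAPS server at host:port actually negotiates."""
    return {name for name, v in PROBEABLE.items() if probe_version(host, port, v)}

def diagnose(fortigate_min, accepted):
    """Compare the FortiGate's ssl-min-proto-version with the server's accepted set.
    The FortiGate offers its minimum and everything newer, so the handshake only
    fails (the article's 'unsupported protocol' error) when none of those match."""
    offered = set(ORDER[ORDER.index(fortigate_min):])
    common = offered & set(accepted)
    if common:
        return {"ok": True, "negotiates": max(common, key=ORDER.index)}
    # Mismatch: either lower the FortiGate minimum to the newest version the
    # server has, or (preferably) enable fortigate_min or newer on the server.
    newest = max(accepted, key=ORDER.index) if accepted else None
    return {"ok": False,
            "fortigate_setting_to_match_server": newest,
            "server_must_enable": fortigate_min}
```

Run accepted_versions("ldap.example.local") from a host that can reach port 636 (assumed name), then pass the result together with the value shown by "get" under ssl-min-proto-version to diagnose().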
