Troubleshooting Tip: FortiGate fails to connect to LDAP Server after upgrade to 7.4.11
Description
This article describes why FortiGate is unable to connect to some older LDAP servers after upgrade to FortiOS v7.4.11 while using LDAPS or STARTTLS.
Scope
FortiOS v7.4.9 - FortiOS v7.4.11.
Solution
FortiOS v7.4.11 supports Post-Quantum Cryptography (PQC) key share extensions. These are sent in the TLS Client Hello and are only supported by TLS 1.3.
Some SSL servers that only support TLS 1.2 may fail to respond to a Client Hello if it contains PQC parameters, rather than ignoring them.

Workaround:
There is no Fortinet-side workaround in FortiOS v7.4.9-v7.4.11, since in these versions the PQC algorithms are enabled and cannot be disabled.
It may be possible to work around the issue by updating the SSL libraries on the remote LDAP server to support TLS 1.3, or a version that ignores unknown PQC parameters.
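To confirm that the LDAP server is really exhibiting the behaviour described above, and to re-check it after its TLS library has been updated, the following added diagnostic (written for this article; it is not FortiOS or Fortinet code) sends a TLS 1.3-capable ClientHello to the LDAPS port, once without and once with a hybrid post-quantum key share, and reports whether the server answers. It assumes the X25519MLKEM768 group codepoint 0x11EC from draft-ietf-tls-ecdhe-mlkem, fills the PQC key share with random bytes (the probe only checks whether the server replies at all, not whether a handshake completes), and uses a minimal LDAP StartTLS extended request when port 389 is given. A server that answers the plain ClientHello but stays silent on the PQC one matches the failure mode in this article.

```python
"""Probe whether an LDAPS/STARTTLS server replies to a ClientHello that carries
a hybrid post-quantum key share. Added diagnostic example, not FortiOS code.
Assumption: X25519MLKEM768 = 0x11EC (draft-ietf-tls-ecdhe-mlkem)."""
import os
import socket
import struct

X25519 = 0x001D
X25519MLKEM768 = 0x11EC          # hybrid PQC group codepoint (assumed from the draft)
PQC_SHARE_LEN = 1184 + 32        # ML-KEM-768 encapsulation key + X25519 point

# LDAP ExtendedRequest for StartTLS (OID 1.3.6.1.4.1.1466.20037), messageID 1, BER-encoded.
START_TLS_REQUEST = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + b"1.3.6.1.4.1.1466.20037"


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(sni: str, include_pqc: bool) -> bytes:
    """Return one TLS record holding a ClientHello offering TLS 1.3 and TLS 1.2.
    With include_pqc=True, supported_groups and key_share list X25519MLKEM768 first,
    mirroring what a PQC-enabled client sends; the PQC share is random filler."""
    groups = [X25519MLKEM768, X25519] if include_pqc else [X25519]
    shares = b""
    for g in groups:
        share = os.urandom(PQC_SHARE_LEN if g == X25519MLKEM768 else 32)
        shares += struct.pack(">HH", g, len(share)) + share
    host = sni.encode()
    exts = (
        _ext(0x0000, struct.pack(">HBH", len(host) + 3, 0, len(host)) + host)  # server_name
        + _ext(0x002B, b"\x04\x03\x04\x03\x03")                                 # supported_versions: 1.3, 1.2
        + _ext(0x000A, struct.pack(">H", 2 * len(groups))
               + b"".join(struct.pack(">H", g) for g in groups))                # supported_groups
        + _ext(0x000D, b"\x00\x06\x04\x03\x08\x04\x04\x01")                     # signature_algorithms
        + _ext(0x0033, struct.pack(">H", len(shares)) + shares)                 # key_share
    )
    suites = b"\x13\x01\x13\x02\xc0\x2f\xc0\x30"   # TLS 1.3 and TLS 1.2 AES-GCM suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"           # legacy version, random, empty session id
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00"   # suites, null compression
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def client_hello_groups(record: bytes) -> list[int]:
    """Return the supported_groups codepoints of a ClientHello record (ours or one
    taken from a packet capture), so the PQC offer can be confirmed."""
    body = record[9:]                               # skip record and handshake headers
    pos = 34 + 1 + body[34]                         # version, random, session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        if etype == 0x000A:
            lst = body[pos + 6:pos + 4 + elen]
            return [int.from_bytes(lst[i:i + 2], "big") for i in range(0, len(lst), 2)]
        pos += 4 + elen
    return []


def classify_response(data: bytes) -> str:
    """Classify the first bytes the server sent back after the ClientHello."""
    if not data:
        return "no_response"          # the silent drop this article describes
    if data[0] == 0x16 and len(data) > 5 and data[5] == 0x02:
        return "server_hello"         # handshake record carrying a ServerHello
    if data[0] == 0x15:
        return "alert"                # server rejected us, but it did answer
    return "unexpected"


def probe(host: str, port: int = 636, starttls: bool = False,
          include_pqc: bool = True, timeout: float = 5.0) -> str:
    """Open a fresh connection, send one ClientHello and report the server's reaction."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if starttls:
            s.sendall(START_TLS_REQUEST)
            reply = s.recv(256)
            if b"\x0a\x01\x00" not in reply:     # resultCode success(0) absent
                return "starttls_refused"
        s.sendall(build_client_hello(host, include_pqc))
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
        return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for pqc in (False, True):
        print(f"{target}:{port} pqc={pqc}: {probe(target, port, port == 389, pqc)}")
```

Run it as `python probe.py ldap.example.com 636` (or `389` for STARTTLS). The interesting result pair is `pqc=False: server_hello` followed by `pqc=True: no_response`: the server handles an ordinary ClientHello but drops the one carrying the PQC key share, which is exactly what a FortiGate on v7.4.9 to v7.4.11 sends. After the server's TLS library has been updated, both probes should report `server_hello` (or, for the random PQC filler, possibly `alert`, which still shows the server parsed and answered the hello).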
Resolution:
This issue is scheduled for resolution in FortiOS 7.4.12, which will disable PQC algorithms globally. FortiOS v7.4.12 is currently scheduled for release in late April 2026. This is subject to change without notice.
