FortiGate
pradeepb (Staff)
Article Id 190879
Description
This article describes how to change the minimum TLS/SSL version FortiGate uses when its LDAP connection is encrypted (STARTTLS or LDAPS).

Solution
Use the following commands:
# config user ldap
    edit "ldap name"
        set ssl-min-proto-version <default/SSLv3/TLSv1/TLSv1-1/TLSv1-2>
    end
'set ssl-min-proto-version' sets the minimum protocol version FortiGate accepts for the SSL/TLS connection to the LDAP server.
If the LDAP server only offers a version lower than the configured minimum, FortiGate refuses to complete the handshake, LDAP authentication fails, and debug lines similar to the one below appear. SSLv3, TLS 1.0 and TLS 1.1 are deprecated; on a server that supports it, TLSv1-2 is the appropriate minimum.

Debug (from 'diagnose debug application fnbamd -1' with 'diagnose debug enable'):
__ldap_connect-tcps_connect(server ip) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
The 'default' option inherits the 'ssl-min-proto-version' value configured under 'config system global'.

Example:
To set the minimum SSL/TLS version to TLSv1-1, use the following syntax:
# config user ldap
    edit "ldap name"
        set ssl-min-proto-version TLSv1-1
    end
With this configuration, FortiGate only accepts LDAPS (or STARTTLS) connections negotiated with TLS 1.1 or higher.
If the LDAP server offers only TLS 1.0 or lower, FortiGate aborts the handshake and authentication through that server fails.
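Before raising 'ssl-min-proto-version', it is worth confirming which TLS versions the LDAP server actually accepts, so that the change does not produce the 'unsupported protocol' failure shown in the debug section. The script below is an added example, not part of the Fortinet article: it probes an LDAP server with the openssl command-line client (OpenSSL 1.1.1 or later is assumed for '-starttls ldap'), then checks whether a chosen FortiOS minimum version leaves at least one version the server accepts. The host, port and script name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Probes which TLS versions an
# LDAP server accepts, then checks a chosen FortiOS ssl-min-proto-version
# against that list. Assumes an openssl binary; host/port are placeholders.

# Protocol versions in FortiOS naming, lowest to highest.
VERSIONS="SSLv3 TLSv1 TLSv1-1 TLSv1-2 TLSv1-3"

# Numeric rank of a FortiOS version name, so versions can be compared.
ver_rank() {
    case "$1" in
        SSLv3)   printf '%s\n' 0 ;;
        TLSv1)   printf '%s\n' 1 ;;
        TLSv1-1) printf '%s\n' 2 ;;
        TLSv1-2) printf '%s\n' 3 ;;
        TLSv1-3) printf '%s\n' 4 ;;
        *)       printf '%s\n' -1 ;;
    esac
}

# openssl s_client flag that forces exactly one protocol version.
ver_flag() {
    case "$1" in
        SSLv3)   printf '%s\n' -ssl3 ;;
        TLSv1)   printf '%s\n' -tls1 ;;
        TLSv1-1) printf '%s\n' -tls1_1 ;;
        TLSv1-2) printf '%s\n' -tls1_2 ;;
        TLSv1-3) printf '%s\n' -tls1_3 ;;
    esac
}

# One handshake attempt. Prints the version name if the server accepts it.
# A version the local openssl build lacks (often SSLv3) simply fails, which
# is the right answer for a migration check anyway.
probe_one() {
    host=$1; port=$2; mode=$3; ver=$4
    flag=$(ver_flag "$ver")
    extra=""
    [ "$mode" = starttls ] && extra="-starttls ldap"
    # stdin from /dev/null makes s_client exit right after the handshake.
    if openssl s_client -connect "$host:$port" $flag $extra </dev/null >/dev/null 2>&1; then
        printf '%s\n' "$ver"
    fi
}

# Probe every version; prints the accepted ones as a space-separated list.
probe_all() {
    host=$1; port=$2; mode=$3
    accepted=""
    for v in $VERSIONS; do
        r=$(probe_one "$host" "$port" "$mode" "$v")
        [ -n "$r" ] && accepted="$accepted $r"
    done
    printf '%s\n' "${accepted# }"
}

# Returns 0 if at least one accepted version meets the minimum (FortiGate can
# connect), 1 otherwise (the ssl_choose_client_version failure case).
min_ok() {
    min=$1; accepted=$2
    minr=$(ver_rank "$min")
    for v in $accepted; do
        if [ "$(ver_rank "$v")" -ge "$minr" ]; then
            return 0
        fi
    done
    return 1
}

# Highest accepted version that is not below the minimum, i.e. the version
# the FortiGate would end up negotiating. Prints nothing if none qualifies.
best_version() {
    min=$1; accepted=$2
    minr=$(ver_rank "$min"); best=""; bestr=-1
    for v in $accepted; do
        r=$(ver_rank "$v")
        if [ "$r" -ge "$minr" ] && [ "$r" -gt "$bestr" ]; then
            best=$v; bestr=$r
        fi
    done
    printf '%s\n' "$best"
}

# Usage: ./ldap-tls-probe.sh <host> <port> <ldaps|starttls> <min-version>
# e.g.   ./ldap-tls-probe.sh dc01.example.com 636 ldaps TLSv1-2
if [ "$#" -eq 4 ]; then
    accepted=$(probe_all "$1" "$2" "$3")
    echo "server accepts: ${accepted:-none}"
    if min_ok "$4" "$accepted"; then
        echo "ssl-min-proto-version $4 is safe; handshake would use $(best_version "$4" "$accepted")"
    else
        echo "ssl-min-proto-version $4 would break LDAP: server offers nothing >= $4"
    fi
fi
```

Run it once against port 636 (mode 'ldaps') and once against port 389 (mode 'starttls') if both are in use, because a server can be configured differently for the two. A 'would break LDAP' result corresponds exactly to the 'unsupported protocol' debug line above: the server never offers a version inside the range the FortiGate is allowed to accept.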


Related Articles

Technical Tip: Modify the TLS version for the FortiGate GUI access

Technical Tip: How to control the SSL version and cipher suite for SSL VPN
