Description
This article describes how to change the TLS/SSL version FortiGate uses to connect to an LDAP server when LDAP authentication is used and the LDAP connection between FortiGate and the LDAP server is encrypted (STARTTLS or LDAPS).
Solution
Use the following commands:

# config user ldap
    edit "ldap name"
        set ssl-min-proto-version <default/SSLv3/TLSv1/TLSv1-1/TLSv1-2>
    end

The 'set ssl-min-proto-version' option sets the minimum supported protocol version for the SSL/TLS connection to the LDAP server.
If the LDAP server only offers a version weaker than the configured minimum, FortiGate denies the connection and debug output similar to the following can be seen.

Debug:

__ldap_connect-tcps_connect(server ip) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).

The 'default' option follows the 'ssl-min-proto-version' configured under 'config system global'.
Example:

To set the minimum SSL/TLS version to TLSv1-1, use the following syntax:

# config user ldap
    edit "ldap name"
        set ssl-min-proto-version TLSv1-1
    end

The above configuration makes FortiGate accept only LDAPS connections negotiated with TLSv1.1 or above. If the server negotiates TLSv1, FortiGate aborts the connection.
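Before raising 'ssl-min-proto-version', it is useful to confirm which TLS floors the LDAP server actually satisfies, so that the change does not break authentication. The following is an added example for this article, not FortiOS code and not something that runs on the FortiGate: it performs a TLS handshake against the LDAP server from any host with Python, once per configurable floor, and reports which floors succeed and which would end in the 'unsupported protocol' situation shown in the debug line above. The host name 'ldap.example.internal', port 636 and the optional CA file are assumptions supplied by the caller.

```python
"""Probe which TLS floors an LDAP server satisfies before changing
FortiGate's 'set ssl-min-proto-version'.

Added example for this article. It is not FortiOS code; it runs on an
admin workstation and talks only to the LDAP server (LDAPS port).
"""
import socket
import ssl

# FortiOS option names from 'set ssl-min-proto-version' mapped to Python's
# TLS version floors. 'default' inherits the system global setting, so it
# has no fixed floor and is deliberately absent from this table.
FORTIOS_MIN_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1-1": ssl.TLSVersion.TLSv1_1,
    "TLSv1-2": ssl.TLSVersion.TLSv1_2,
}

# Strings OpenSSL uses when the negotiated version falls below the floor,
# either detected locally or reported by the peer as an alert. The
# FortiGate debug line in the article contains the first one.
VERSION_MARKERS = (
    "UNSUPPORTED_PROTOCOL", "UNSUPPORTED PROTOCOL",
    "PROTOCOL_VERSION", "WRONG_VERSION_NUMBER",
)


def build_context(fortios_option, cafile=None):
    """Build a client context whose minimum TLS version matches the
    FortiOS option name (e.g. 'TLSv1-1')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = FORTIOS_MIN_VERSION[fortios_option]
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        # Version probing only: skip certificate checks so that a
        # certificate problem is not mistaken for a version problem.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_text(text):
    """Map OpenSSL/FortiGate error text to the cause an operator acts on."""
    upper = text.upper()
    if any(marker in upper for marker in VERSION_MARKERS):
        return "version_mismatch"
    if "CERTIFICATE" in upper:
        return "certificate_error"
    return None


def classify_debug_line(line):
    """Classify a FortiGate LDAP debug line such as the one in the article."""
    return classify_text(line) or "other"


def classify_error(exc):
    """Reduce a connect/handshake exception to a short result string.
    ssl.SSLError is itself an OSError, so it must be checked first."""
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", None) or ""
        return classify_text(f"{reason} {exc}") or "tls_error"
    if isinstance(exc, OSError):
        return "connect_failed"
    return "unknown"


def probe(host, port, fortios_option, cafile=None, timeout=5.0):
    """Attempt one handshake with the given floor and return the outcome."""
    ctx = build_context(fortios_option, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"floor": fortios_option, "result": "accepted",
                        "negotiated": tls.version()}
    except Exception as exc:  # classify rather than abort the whole run
        return {"floor": fortios_option, "result": classify_error(exc),
                "detail": str(exc)}


def probe_all(host, port, cafile=None):
    """Walk the floors an admin can configure. A floor whose result is
    'version_mismatch' would make FortiGate abort the LDAP connection
    with the 'unsupported protocol' debug line."""
    return [probe(host, port, opt, cafile)
            for opt in ("TLSv1", "TLSv1-1", "TLSv1-2")]


if __name__ == "__main__":
    import sys
    # Assumed defaults; pass the real LDAP server and port on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for row in probe_all(target, target_port):
        print(row)
```

The highest floor that still reports "accepted" is the safest value for 'set ssl-min-proto-version'; a floor that reports "version_mismatch" against your own server is the one that will produce the debug line quoted above once configured on the FortiGate.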
Related Articles
Technical Tip: Modify the TLS version for the FortiGate GUI access
Technical Tip: How to control the SSL version and cipher suite for SSL VPN