FortiGate
jroussel
Staff
Article Id 243883
Description

This article describes a problem where, after a FortiGate is upgraded to FortiOS 7.2.1 or newer, connections to configured LDAPS servers fail.

Specific problem symptoms are as follows:

- fnbamd application debugs taken on the FortiGate display the following error:

[1101] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 167772498 (error:0A000152:SSL routines::unsafe legacy renegotiation disabled).

- The TLS Server Hello does not contain the 'renegotiation_info' extension.

RFC 5746 requires a server that supports secure renegotiation to answer a client that offered the 'renegotiation_info' extension (or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite) with a 'renegotiation_info' extension (type 0xff01) in its Server Hello. If the extension is missing, the LDAPS server does not support TLS secure renegotiation. Note that a TLS 1.3 handshake has no renegotiation and never carries this extension, so this symptom is specific to connections that negotiate TLS 1.2 or earlier.

For illustration, in the problem scenario the 'renegotiation_info' extension highlighted in the capture below would be missing from the received TLS Server Hello:

[Image: packet capture of a TLS Server Hello with the renegotiation_info extension highlighted]

- A packet capture of the LDAPS traffic shows the FortiGate sending the following alert to the LDAPS server after receiving the TLS Server Hello, and then tearing down the TCP connection:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

This problem occurs because, beginning with FortiOS 7.2.1, the FortiGate no longer establishes TLS connections with LDAPS servers that do not support TLS secure renegotiation. The fnbamd error string above is the one OpenSSL 3.x reports (reason code 0A000152, 'unsafe legacy renegotiation disabled') when its client side, which by default no longer permits connections to servers lacking secure renegotiation, receives a Server Hello without the 'renegotiation_info' extension; the fatal handshake_failure alert in the capture is the client aborting that handshake.

TLS secure renegotiation is defined in RFC 5746 and protects against the TLS renegotiation prefix-injection attack (CVE-2009-3555), in which a man-in-the-middle splices its own plaintext in front of a victim's renegotiated session so that the server treats both as one authenticated session.

Scope

FortiGates running FortiOS 7.2.1 or newer that use LDAPS servers for user authentication.

Solution

Patch the LDAPS server so that it complies with RFC 5746 and supports TLS secure renegotiation. Whether a given server does can be checked from any host with OpenSSL: `openssl s_client -connect <ldaps-server>:636` prints 'Secure Renegotiation IS supported' in its connection summary for a compliant server and 'Secure Renegotiation IS NOT supported' for one that FortiOS 7.2.1 and newer will reject. With OpenSSL 3.x the connection itself may fail with the same 'unsafe legacy renegotiation disabled' error before the summary is printed; adding the -legacy_renegotiation option to s_client lets the handshake complete so that the summary can be read.
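The check the FortiGate performs can also be reproduced at the protocol level. The following script is an added example written for this article; it is not Fortinet code and not the fnbamd implementation. It sends a minimal TLS 1.2 ClientHello that advertises the empty 'renegotiation_info' extension, as an RFC 5746 client does, and reports whether the Server Hello echoes the extension. The default host name ldaps.example.com and every function name are this example's own, and the ServerHello fixtures it builds for offline testing are constructed, not captured traffic.

```python
"""Check whether an LDAPS server advertises RFC 5746 secure renegotiation.
Sends a TLS 1.2 ClientHello carrying the empty renegotiation_info extension and
looks for renegotiation_info (type 0xff01) in the Server Hello.  Only TLS 1.2 and
below are offered: TLS 1.3 has no renegotiation, so the check does not apply there."""
import os
import socket
import struct

RENEGOTIATION_INFO, SERVER_NAME, SUPPORTED_GROUPS = 0xFF01, 0x0000, 0x000A
EC_POINT_FORMATS, SIGNATURE_ALGORITHMS = 0x000B, 0x000D
# ECDHE and RSA key exchange with AES-GCM/AES-CBC: enough for common LDAPS servers.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0x009C, 0x009D, 0x002F, 0x0035]


def _ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension as type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name: str) -> bytes:
    """Return one TLS record holding a TLS 1.2 ClientHello with SNI."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)                      # x25519, secp256r1
    sig_algs = struct.pack("!HHHHH", 8, 0x0401, 0x0501, 0x0403, 0x0804)  # rsa/ecdsa sha256/384
    extensions = (_ext(SERVER_NAME, sni) + _ext(SUPPORTED_GROUPS, groups)
                  + _ext(EC_POINT_FORMATS, b"\x01\x00") + _ext(SIGNATURE_ALGORITHMS, sig_algs)
                  + _ext(RENEGOTIATION_INFO, b"\x00"))   # empty: this is an initial handshake
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse the first handshake message of a TLS record as a ServerHello.
    Returns negotiated version, cipher suite and {extension_type: data};
    raises ValueError for an alert record or a non-ServerHello message."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record: " + record[:7].hex())
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                         # skip server random
    pos += 1 + body[pos]                                 # skip session id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                             # cipher suite + compression method
    extensions = {}
    if pos + 2 <= len(body):                             # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(server_hello_record: bytes) -> bool:
    """True if the ServerHello carries renegotiation_info (RFC 5746, section 3.6)."""
    return RENEGOTIATION_INFO in parse_server_hello(server_hello_record)["extensions"]


def build_server_hello(secure_renegotiation: bool) -> bytes:
    """Constructed TLS 1.2 ServerHello (a test fixture, not captured traffic)."""
    extensions = _ext(EC_POINT_FORMATS, b"\x01\x00")
    if secure_renegotiation:
        extensions += _ext(RENEGOTIATION_INFO, b"\x00")
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body            # server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Connect, send the ClientHello and judge the server's first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        record = header + _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
    return supports_secure_renegotiation(record)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps.example.com"   # hypothetical host
    verdict = "supported" if probe(target) else "NOT supported: FortiOS 7.2.1+ will reject it"
    print(f"{target}:636 secure renegotiation {verdict}")
```

Run it as `python3 <script>.py <ldaps-server>` from a host that can reach port 636. A server reported as NOT supported is one the FortiGate will refuse until it is patched; a server that answers with a fatal alert (for example because it only accepts TLS 1.3) is reported as a ValueError rather than a verdict, since the renegotiation check does not apply to that handshake.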
