jroussel
Staff
Article Id 243883
Description

This article describes a problem where, after upgrading a FortiGate to v7.2.1 or newer, connections to configured LDAPS servers fail.

Scope

FortiGate v7.2.1 or newer, using LDAPS servers for user authentication.

Solution

On the FortiGate, enable fnbamd debugging and attempt a connection to the LDAPS server to check whether this problem is being encountered:

diagnose debug application fnbamd -1
diagnose debug enable

Check the fnbamd debug output for the following error:

[1101] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 167772498 (error:0A000152:SSL routines::unsafe legacy renegotiation disabled).

  • The TLS Server Hello does not contain the 'renegotiation_info' extension. If this extension is missing, the LDAPS server does not support TLS secure renegotiation.

For illustration, in the problem scenario the extension highlighted in the screenshot below would be missing from the received TLS Server Hello:

[Screenshot: TLS Server Hello with the 'renegotiation_info' extension highlighted]

  • A packet capture of the LDAPS traffic shows the FortiGate sending the following alert to the LDAPS server after receiving the TLS Server Hello, and then terminating the TCP connection:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

This problem occurs because, beginning with v7.2.1, the FortiGate no longer establishes TLS connections to LDAPS servers that do not support TLS secure renegotiation.

TLS secure renegotiation is specified in RFC 5746 and helps to protect against certain man-in-the-middle attacks, such as CVE-2009-3555.
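As an added example (not part of the original article), the following Python snippet parses a TLS ServerHello record, such as one exported from the packet capture mentioned above, and reports whether the RFC 5746 'renegotiation_info' extension (type 0xff01) is present. The sample records are constructed for the example, not captured from a real LDAPS server, and the check applies to TLS 1.2 and earlier handshakes, since TLS 1.3 removed renegotiation and does not carry this extension.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS Handshake record carrying a ServerHello and return the
    negotiated version, cipher suite and the list of extension types sent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS Handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    sh = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", sh[0:2])[0]
    pos = 2 + 32                     # skip server_version and 32-byte random
    pos += 1 + sh[pos]               # skip session_id (length-prefixed)
    cipher = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 3                         # cipher_suite (2) + compression_method (1)
    exts = []
    if pos + 2 <= len(sh):           # extensions block is optional in TLS 1.2
        ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": version, "cipher_suite": cipher, "extensions": exts}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello advertises RFC 5746 secure renegotiation."""
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]


def build_server_hello(extensions: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (constructed test data)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# An RFC 5746 compliant server echoes an empty renegotiation_info extension in
# its initial ServerHello: type ff01, length 1, one zero-length byte.
COMPLIANT = build_server_hello(b"\xff\x01\x00\x01\x00")
# A non-compliant server omits it (here only extended_master_secret is sent).
NON_COMPLIANT = build_server_hello(b"\x00\x17\x00\x00")

if __name__ == "__main__":
    for name, rec in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, "secure renegotiation:", supports_secure_renegotiation(rec))
```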

Patch the LDAPS server so that it is compliant with RFC 5746 and supports TLS secure renegotiation.