Description
This article describes a problem where, after upgrading a FortiGate to FortiOS 7.2.1 or newer, connections to configured LDAPS servers fail.
Scope
FortiGates running v7.2.1 or newer that use LDAPS servers for user authentication.
Solution
On the FortiGate, enable fnbamd debugging and then trigger a connection to the LDAPS server (an authentication test against the configured LDAP server is enough; note that debug output is only printed once 'diagnose debug enable' has been issued) to check whether this problem is being encountered:
diagnose debug application fnbamd -1
Check the fnbamd debug output for the following error (the decimal value 167772498 is the same OpenSSL error code as the hexadecimal 0A000152 that follows it):
[1101] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 167772498 (error:0A000152:SSL routines::unsafe legacy renegotiation disabled).
In a packet capture of the handshake, the renegotiation_info extension defined by RFC 5746 (extension type 0xff01) is absent from the Server Hello returned by the LDAPS server, and the FortiGate then aborts the handshake with a fatal alert:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
This problem occurs because, beginning in v7.2.1, the FortiGate no longer establishes TLS connections to LDAPS servers that do not support TLS secure renegotiation. Secure renegotiation is defined in RFC 5746 and protects against the renegotiation plaintext-injection man-in-the-middle attack tracked as CVE-2009-3555. The error string in the debug output is OpenSSL's: since OpenSSL 3.0, a client refuses by default to complete a handshake with a server that does not advertise the RFC 5746 extension (the legacy SSL_OP_LEGACY_SERVER_CONNECT behaviour is no longer enabled by default).
Patch or reconfigure the LDAPS server so that it complies with RFC 5746 and supports TLS secure renegotiation. Whether a server already does can be verified from any host with OpenSSL installed: the connection summary printed by 'openssl s_client -tls1_2 -connect <ldaps-server>:636' contains either 'Secure Renegotiation IS supported' or 'Secure Renegotiation IS NOT supported'. Force TLS 1.2 for this check, because TLS 1.3 has no renegotiation at all and a TLS 1.3 connection always reports it as not supported.
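The following script is an added example and is not part of the Fortinet article or FortiOS. It demonstrates both points above: it parses a TLS Server Hello for the RFC 5746 renegotiation_info extension (the extension that is missing in the failing capture), and it can probe a live LDAPS server by sending a TLS 1.2 Client Hello that itself signals RFC 5746 support. The host name ldaps.example.com and the sample Server Hello records are constructed for illustration; the probe needs network access to the server under test.

```python
"""Check whether an LDAPS server's TLS ServerHello carries the RFC 5746
renegotiation_info extension (type 0xff01), the signal the FortiGate requires.
Added example, not Fortinet's code; the hostname and sample records are
constructed. TLS 1.0-1.2 only: TLS 1.3 removed renegotiation, and the
ClientHello below offers no supported_versions extension, so a server cannot
pick 1.3 and the check stays meaningful."""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01                 # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite


def _ext(etype: int, data: bytes) -> bytes:
    """Encode one TLS extension: type(2) length(2) data."""
    return struct.pack("!HH", etype, len(data)) + data


def server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a handshake record that starts with a
    ServerHello; ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not start with a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("ServerHello truncated or split across records")
    # legacy_version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    pos = 2 + 32
    pos += 1 + hello[pos] + 2 + 1
    exts = {}
    if pos == len(hello):          # no extensions block at all: nothing advertised
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end != len(hello):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello advertises renegotiation_info (RFC 5746)."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)


def build_server_hello(extensions: dict) -> bytes:
    """Constructed TLS 1.2 ServerHello (zero random, cipher 0xC02F) for offline
    samples: pass {} to model a server without secure renegotiation."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        exts = b"".join(_ext(t, d) for t, d in extensions.items())
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(server_name: str = "") -> bytes:
    """TLS 1.2 ClientHello signalling RFC 5746 support both ways a client can:
    the empty renegotiation_info extension and the SCSV cipher suite."""
    suites = [0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035,
              TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    exts = _ext(RENEGOTIATION_INFO, b"\x00")
    exts += _ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))  # groups: x25519, P-256
    exts += _ext(0x000B, b"\x01\x00")                              # ec_point_formats
    exts += _ext(0x000D, struct.pack("!HHH", 4, 0x0401, 0x0501))  # rsa_pkcs1 sha256/384
    if server_name:
        name = server_name.encode()
        exts += _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def probe(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Connect to an LDAPS server, send the ClientHello above and judge the first
    record it returns. Needs network access; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        with s.makefile("rb") as f:
            hdr = f.read(5)
            record = hdr + f.read(struct.unpack("!H", hdr[3:5])[0])
    if record[0] == 0x15:
        raise RuntimeError("server replied with a TLS alert: " + record[5:].hex())
    return supports_secure_renegotiation(record)
```

Usage against a real server is probe("ldaps.example.com"), substituting the LDAPS server's name: True means the Server Hello advertises renegotiation_info and the FortiGate will accept it, False reproduces the failure described in this article. A server that answers with an alert instead of a Server Hello (for example one that only accepts TLS 1.3) raises RuntimeError rather than being misreported as lacking the extension.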
Copyright 2024 Fortinet, Inc. All Rights Reserved.