Introduction
Problem
After upgrading Vault to v1.14.13+, v1.15.9+, v1.16.3+, or v1.17.0+, LDAP authentication over TLS may fail with the following error:
Error authenticating: Error making API request.
URL: PUT https://XXXXX:8200/v1/auth/ldap/login/XXXXX
Code: 400. Errors:
* ldap.(Client).Authenticate: failed to connect: 1 error occurred:
* ldap.(Client).connect: error connecting to host "ldaps://XXXXX": LDAP Result Code 200 "Network Error": remote error: tls: handshake failure
Prerequisites
- Upgrade from a Vault version built with Go 1.21 or earlier to a Vault version built with Go 1.22 or later.
- Go 1.22 was introduced in the following Vault versions:
  - v1.14.13+
  - v1.15.9+
  - v1.16.3+
  - v1.17.0+
- Any Vault version after 1.17.0 is built with Go 1.22 or later, so this article still applies.
Cause
The following cipher suites are disabled by default in Go 1.22 (all of them use RSA key exchange):
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Ref: https://github.com/golang/go/issues/63413
An LDAP server that only accepts these cipher suites no longer has any cipher suite in common with Vault's TLS client after the upgrade, so the handshake fails with the error above. A server that also accepts ECDHE cipher suites is unaffected, because the client simply negotiates one of those.
To see which cipher suite is actually negotiated with your LDAP server, use openssl s_client and look at the Cipher line of its output. Note that openssl prints its own cipher names: for example, AES256-GCM-SHA384 is OpenSSL's name for TLS_RSA_WITH_AES_256_GCM_SHA384, and DES-CBC3-SHA is its name for TLS_RSA_WITH_3DES_EDE_CBC_SHA. Also note that openssl offers its own default cipher list, so the Cipher shown is the server's choice among everything openssl offered; a server that picks an RSA key exchange suite here may or may not also accept an ECDHE suite, which is what Vault needs after the upgrade.
Example:
openssl s_client -showcerts -connect <LDAP-SERVER-NAME>:636 -CAfile <CA-file-path/CA-file-name.pem>
Solution:
- A short-term workaround is to set the environment variable GODEBUG=tlsrsakex=1 on the Vault process, which re-enables these cipher suites. Please see KB: Adding Environment Variables to a Vault Process for how to set environment variables for Vault.
- The proper fix is to remove the weak ciphers from your LDAP server's TLS configuration, so that it no longer requires an RSA key exchange cipher suite that Go no longer offers. For OpenLDAP, the olcTLSCipherSuite configuration parameter controls which cipher suites the server accepts; see the OpenLDAP documentation for olcTLSCipherSuite for details.
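To show the cause and both remedies end to end, here is an added example written for this article; it is not Vault's code or OpenLDAP's. It starts an in-process TLS 1.2 server on loopback, first configured like a legacy LDAP server that accepts only an RSA key exchange suite and then with an ECDHE suite added (the effect of fixing the server's cipher list), and probes each with a client that offers only an ECDHE suite (what a Go 1.22+ build offers by default) and with a client that also offers the RSA suite (what GODEBUG=tlsrsakex=1 restores). The hostname ldap.example.test, the self-signed certificate and all four cipher lists are constructed for the example and are not anyone's real defaults.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// rsaKexSuites are the five suites the KB lists as dropped from Go 1.22's default
// client list; all of them use plain RSA key exchange and have no forward secrecy.
var rsaKexSuites = map[uint16]bool{
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA:    true,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA:    true,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:   true,
}

// IsRSAKeyExchange reports whether a negotiated suite is one of those.
func IsRSAKeyExchange(suite uint16) bool { return rsaKexSuites[suite] }

// Constructed cipher lists for the demonstration (not Vault's or OpenLDAP's defaults).
var (
	ecdhe, rsaKex     = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_GCM_SHA256
	StrictSuites      = []uint16{ecdhe}         // a Go 1.22+ client's default offer: ECDHE only
	PermissiveSuites  = []uint16{ecdhe, rsaKex} // what GODEBUG=tlsrsakex=1 restores
	WeakServerSuites  = []uint16{rsaKex}        // a legacy LDAP server accepting only RSA key exchange
	FixedServerSuites = []uint16{ecdhe, rsaKex} // the same server after an ECDHE suite is allowed
)

// selfSignedRSA builds a throwaway RSA certificate for the loopback server; RSA key
// exchange needs an RSA certificate, so an ECDSA one could never exhibit the problem.
func selfSignedRSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"ldap.example.test"}, // constructed hostname
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// StartServer listens on loopback, TLS 1.2 only (every TLS 1.3 suite is ECDHE, so a
// server that offers 1.3 never hits this), accepting exactly the given cipher suites.
func StartServer(suites []uint16) (addr string, pool *x509.CertPool, stop func(), err error) {
	cert, pool, err := selfSignedRSA()
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: suites,
		MaxVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			// Drive the handshake so the client gets a verdict, then drop the connection.
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}

// Probe connects like a TLS client offering exactly the given suites (nil means this
// toolchain's defaults) and returns the negotiated suite, or the handshake error.
func Probe(addr string, pool *x509.CertPool, suites []uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "ldap.example.test", CipherSuites: suites})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

type peer struct {
	name   string
	suites []uint16
}

func main() {
	clients := []peer{{"toolchain default", nil}, {"ECDHE only (Go 1.22+)", StrictSuites}, {"GODEBUG=tlsrsakex=1", PermissiveSuites}}
	for _, srv := range []peer{{"RSA-kex-only server", WeakServerSuites}, {"fixed server", FixedServerSuites}} {
		addr, pool, stop, err := StartServer(srv.suites)
		if err != nil {
			panic(err)
		}
		for _, c := range clients {
			if suite, err := Probe(addr, pool, c.suites); err != nil {
				fmt.Printf("%s <- %s client: %v\n", srv.name, c.name, err)
			} else {
				fmt.Printf("%s <- %s client: %s (RSA key exchange: %t)\n",
					srv.name, c.name, tls.CipherSuiteName(suite), IsRSAKeyExchange(suite))
			}
		}
		stop()
	}
}
```

Against the RSA-kex-only server the ECDHE-only client fails with "remote error: tls: handshake failure", the same text Vault reports, while the permissive client connects with TLS_RSA_WITH_AES_128_GCM_SHA256; against the fixed server the ECDHE-only client connects without any GODEBUG change. The "toolchain default" row shows which side of the Go 1.22 boundary the toolchain that compiled the program is on. Pointing Probe at a real LDAPS endpoint (with that server's CA in the pool) gives the same yes/no answer as the openssl check above, but with Go's own cipher suite names.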
Outcome
After setting the environment variable, LDAP authentication should succeed.
Note: GODEBUG=tlsrsakex=1 re-enables RSA key exchange cipher suites for the whole Vault process, not only its LDAP client, and should be considered a temporary measure. Preventing your LDAP server from negotiating weak ciphers should be addressed immediately.