All Topics » Pulse Connect Secure



LDAP - STARTTLS will only use SSLv2


PatrikL
Contributor (0)
Oct 10, 2017 9:05am
Hi!
We have a MAG-4610 (8.2R6).
When I set the setting under "auth servers" to use LDAP STARTTLS, it just says "LDAP Server is unreachable", but if I use Unencrypted it works.
So I installed Wireshark on our domain controller/LDAP server, and when the "Client Hello" comes in it uses the SSLv2 protocol, so I guess that's why it says "server unreachable", since we are only allowing TLS 1.2.

What do you think? Any suggestions?

//BR
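To check what the capture in the post above actually shows, here is an added example (not from the thread or from Pulse Secure): a small parser that tells a legacy SSLv2-compatible ClientHello framing (what Wireshark labels "SSLv2") apart from a normal TLS record-layer ClientHello, and reports the highest protocol version the client offers in each. The sample byte strings are constructed, header-only captures, not taken from the poster's trace.

```python
"""Classify the first bytes of a captured SSL/TLS ClientHello.

Added example, not from the forum thread. Distinguishes the legacy
SSLv2-compatible ClientHello framing from a TLS record-layer ClientHello
and extracts the version the client asks for in each format.
"""

VERSIONS = {
    (2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}


def classify_client_hello(data: bytes) -> dict:
    """Return {'framing', 'record_length', 'version'} for a ClientHello.

    Raises ValueError if the bytes are not a recognisable ClientHello.
    """
    if len(data) < 6:
        raise ValueError("too short to be a ClientHello")
    # Legacy SSLv2 framing: 2-byte header with the high bit set, then the
    # message type 0x01 (CLIENT-HELLO) and the version the client wants.
    # A client may use this framing while still offering TLS 1.x inside it.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        major, minor = data[3], data[4]
        return {"framing": "sslv2-compatible", "record_length": length,
                "version": VERSIONS.get((major, minor), f"{major}.{minor}")}
    # TLS record layer: content type 0x16 (handshake), record version 0x03xx,
    # 2-byte length, handshake type 0x01 (ClientHello), 3-byte length,
    # then the 2-byte client_version field.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 11 and data[5] == 0x01:
        length = (data[3] << 8) | data[4]
        major, minor = data[9], data[10]
        return {"framing": "tls-record", "record_length": length,
                "version": VERSIONS.get((major, minor), f"{major}.{minor}")}
    raise ValueError("not a ClientHello")


# Constructed samples (headers only, payload padded with zeros).
# 1) SSLv2-compatible framing offering TLS 1.0: the shape described in the post.
SSLV2_STYLE_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01]) + b"\x00" * 10
# 2) TLS record carrying a ClientHello whose client_version is TLS 1.2.
TLS_RECORD_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8,
                          0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 4

if __name__ == "__main__":
    for name, sample in (("legacy", SSLV2_STYLE_HELLO), ("tls", TLS_RECORD_HELLO)):
        print(name, classify_client_hello(sample))
```

A server or firewall policy that rejects anything using the legacy framing will drop the first sample even though the client is asking for TLS 1.0 or later inside it, which matches the RST behaviour discussed later in the thread.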




PatrikL
Contributor (0)
Oct 10, 2017 9:28am
This happens when I push the "test connection" button.
    zanyterp
    Pulse Secure Contributor (39)
    Oct 18, 2017 4:08pm
    The initial handshake is on SSLv2; however, the communication will transfer to TLSv1.x if the backend supports it.
    Can the firewall allow SSLv2 through to the server for the handshake?
    PatrikL
    Contributor (0)
    Oct 18, 2017 5:30pm
    I can see that the handshake comes to our AD server, and it is indeed an SSLv2 initial handshake as you mention, and then it tries to init TLS 1.2, but that's where it fails. Our AD server sends a RST, and I guess it's because the initial handshake is SSLv2?

    //Patrik
zanyterp
Pulse Secure Contributor (39)
Oct 10, 2017 2:06pm
That is currently how the STARTTLS function operates.
I would recommend reaching out to your account team to ask for an enhancement to this feature.
    PatrikL
    Contributor (0)
    Oct 11, 2017 1:57pm
    Thanks for the reply.
    Ok, so there is no TLS 1.2 support for STARTTLS? I get the same on LDAPS, so I guess it is the same there?
    zanyterp
    Pulse Secure Contributor (39)
    Oct 12, 2017 9:03pm
    You are welcome.
    Yes, that is correct. I would expect the same on LDAPS.
    PatrikL
    Contributor (0)
    Oct 16, 2017 5:24am
    Ok! Do you know if there is any other way to make it more secure?

    //P