This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

LDAPS TLS Handshake Failure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAPS TLS Handshake Failure

m0tash
L1 Bithead

‎08-14-2023 03:13 AM

Hello,

I upgraded one of our PA devices from 10.1.9 to 10.2.4-h4. LDAPS was configured to access and gather user's info from DC. But it stoped working after upgrade. I captured traffic and saw following error - TLS Handshake Failure. I know that starting version 10.2 Palo Alto Networks has changed requrements for certificates. I checked ours and looks like it meets minimal certifcate requerements (RSA2048, SHA256). Currently we use LDAP but I'd like to switch back to LDAPS.

I appreciate any help.

0 Likes Likes
4 REPLIES 4

ozheng
L4 Transporter

‎08-14-2023 08:29 PM

Hello M0tash,

 

Can you check the parameters of the certificate on the server side (LDAP server)?
Increase the security level of the certificate (for instance : number of bits to 4096 bits // digest SHA512) and check if this works.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes

m0tash
L1 Bithead
In response to ozheng

‎08-15-2023 06:13 AM - edited ‎08-15-2023 07:18 AM

Hello Oliver,

Thank you for advice.

I've already checked the cert on the DC and also tried to replace it by stronger cert (RSA3072 | SHA384), but with no luck.Your advice I checked too. There is a difference: in case the DC uses RSA2048 or RSA3072 cert, the NGFW sends RST packet right after "Server Hello" message, in other case when it uses RSA4096 - the DC sends RST packet right after Client Hello message. I'm going to check if it related on Microsoft OS version.

DM

0 Likes Likes

ozheng
L4 Transporter
In response to m0tash

‎08-15-2023 06:55 PM

Hello M0tash, 

 

I did not ask, but your management interface is initiating the traffic to the LDAPS servers or you are using a service route?

If you use the management interface, is the traffic passing through a firewall doing some decryption?

 

It can be interesting to capture the communication if you're opening a case to TAC (or the TAC engineer can also do the capture too).

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes

m0tash
L1 Bithead
In response to ozheng

‎08-16-2023 12:12 AM

Hello Oliver,

I checked it on my test enviroment too. Mgmt interface is used for communication to DC, there is no configured service route for that. Mgmt interface and DC are in same subnet, there is no additional FWs between devices. Ok, I'll try to open TAC.

Thank you!

0 Likes Likes
  • 1385 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks