FortiGate
caunon
Staff
Article Id 195418
Description
This article explains how to fix the issue where a FortiGate unit configured for LDAP authentication reports the error message below:

'error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'
[934] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).

Solution
Run the following CLI commands to check in either of these cases:
- The LDAP settings on the FortiGate are correct, but the FortiGate unit still cannot authenticate against the LDAP server.
- LDAP authentication stopped working after upgrading the firmware to v6.0.2 or later.

# diagnose debug disable
# diagnose debug reset
# diagnose debug application fnbamd -1
# diagnose debug enable
# diagnose test authserver ldap <servername> <username> <password>

The issue described here is present when the following message shows up in the debug output:
"error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol"
The full line reads:
[934] __ldap_connect-tcps_connect(x.x.x.x) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).

Example of the debug output:
[1139] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'TEST24' for usergroup 'VPN-Degaudenz-C3-GR' (12)
[1607] fnbamd_ldap_init-search filter is: sAMAccountName=testUser
[1616] fnbamd_ldap_init-search base is: dc=testgroup,dc=local
[991] __fnbamd_ldap_dns_cb-Resolved TEST24 (idx 0) to 10.10.24.15
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[556] create_auth_session-Total 1 server(s) to try
[214:root:c2]fam_auth_send_req_internal:453 fnbam_auth return: 4
[934] __ldap_connect-tcps_connect(10.10.24.5) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
[770] __ldap_try_next_server-LDAP TEST24' conn failed, svr: 10.10.24.5.
[736] __ldap_error-
[725] __ldap_stop-svr ‘TEST24’

SOLUTION:

1) To fix this issue, run the following CLI commands on the FortiGate unit:
# config system global
set ssl-min-proto-version TLSv1
end

Or set the minimum SSL/TLS version to match what the LDAP server supports:
# config system global
set ssl-min-proto-version <version>
end

Where <version> is one of:
SSLv3      SSLv3.
TLSv1      TLSv1.
TLSv1-1    TLSv1.1.
TLSv1-2    TLSv1.2.

2) Check the current SSL minimum protocol version on the FortiGate unit with:
# config system global
get
and look at the line:
ssl-min-proto-version:

2.1) Then configure the SSL minimum protocol version on the LDAP server to be the same as on the FortiGate unit.
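The following Python script is an added example, not part of the article or of any Fortinet tool. It shows the two checks behind this procedure: picking the ssl_connect() failure out of fnbamd debug output such as the log quoted above, and working out whether a FortiGate minimum version (the four values accepted by ssl-min-proto-version) overlaps the version range an LDAP server offers, which is the condition behind "unsupported protocol". The sample debug lines, the server name, the IP addresses and the assumption that the FortiGate side tops out at TLSv1-2 are all constructed for the example. Because ssl-min-proto-version sits under config system global, lowering it relaxes a system-wide setting rather than one scoped to LDAP, so the script reports raising the LDAP server (step 2.1) first and the FortiGate-side change (step 1) as the fallback.

```python
import re

# Protocol names exactly as FortiGate's 'set ssl-min-proto-version <version>'
# accepts them (the four values listed in the article), ordered oldest to newest.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2"]

# Constructed sample of 'diagnose debug application fnbamd -1' output,
# modelled on the lines quoted in the article (server name and IPs are made up).
SAMPLE_DEBUG = """\
[1139] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'TEST24' for usergroup 'VPN-GR' (12)
[991] __fnbamd_ldap_dns_cb-Resolved TEST24 (idx 0) to 10.10.24.5
[934] __ldap_connect-tcps_connect(10.10.24.5) failed: ssl_connect() failed: 5 (error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol).
[770] __ldap_try_next_server-LDAP TEST24' conn failed, svr: 10.10.24.5.
[725] __ldap_stop-svr 'TEST24'
"""

# The ssl_connect() failure line fnbamd prints when the LDAPS handshake fails.
TCPS_FAIL = re.compile(
    r"__ldap_connect-tcps_connect\((?P<ip>[\d.]+)\) failed: ssl_connect\(\) failed: "
    r"(?P<code>\d+) \(error:(?P<err>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^)]+)\)"
)


def find_ldaps_failures(debug_output):
    """Return one dict per LDAPS handshake failure found in fnbamd debug output."""
    failures = []
    for line in debug_output.splitlines():
        m = TCPS_FAIL.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        # 'unsupported protocol' raised in ssl_choose_client_version means the
        # FortiGate (the TLS client) rejected the version the server selected.
        rec["version_mismatch"] = (
            rec["func"] == "ssl_choose_client_version"
            and rec["reason"] == "unsupported protocol"
        )
        failures.append(rec)
    return failures


def _rank(name):
    if name not in PROTO_ORDER:
        raise ValueError(f"unknown protocol name {name!r}; expected one of {PROTO_ORDER}")
    return PROTO_ORDER.index(name)


def negotiated_version(fgt_min, server_min, server_max, fgt_max="TLSv1-2"):
    """Highest version accepted by both the FortiGate client range
    [fgt_min, fgt_max] and the LDAP server range [server_min, server_max],
    or None when the ranges do not overlap. fgt_max defaults to TLSv1-2, the
    newest value the article lists (an assumption about the FortiGate side)."""
    low = max(_rank(fgt_min), _rank(server_min))
    high = min(_rank(fgt_max), _rank(server_max))
    return PROTO_ORDER[high] if low <= high else None


def remediation(fgt_min, server_min, server_max):
    """Say what brings the two sides into agreement. Raising the server is
    listed first because ssl-min-proto-version is a 'config system global'
    setting, so lowering it relaxes a FortiGate-wide value, not only LDAP."""
    if negotiated_version(fgt_min, server_min, server_max) is not None:
        return "no change needed"
    if _rank(server_max) < _rank(fgt_min):
        return (
            f"preferred: enable {fgt_min} on the LDAP server (article step 2.1); "
            f"fallback on the FortiGate: config system global / "
            f"set ssl-min-proto-version {server_max} / end (article step 1)"
        )
    return f"LDAP server minimum {server_min} is above the FortiGate maximum; lower it to TLSv1-2 or below"


if __name__ == "__main__":
    for f in find_ldaps_failures(SAMPLE_DEBUG):
        print(f"server {f['ip']}: {f['func']}: {f['reason']} (version mismatch: {f['version_mismatch']})")
    # A FortiGate whose minimum is TLSv1-2 against a server offering only TLS 1.0/1.1
    print(remediation("TLSv1-2", "TLSv1", "TLSv1-1"))
```

Paste the real output of diagnose debug application fnbamd -1 in place of SAMPLE_DEBUG to extract the failing server and error reason; feed the FortiGate value from get ssl-min-proto-version and the LDAP server's enabled range into remediation() to see which side needs to change before touching the global setting.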
