
LDAP handshake failure from version 2.11 #20691

Open
dajose opened this issue Jul 3, 2024 · 8 comments

Comments

@dajose

dajose commented Jul 3, 2024

Starting with version 2.11 I can't connect to LDAPS; it works with the exact same configuration on version 2.10.2.

Expected behavior and actual behavior:

  • The expected behavior is to be able to use my company's LDAPS server as the auth mechanism; with the exact same parameters it works on version 2.10.2.
  • The current behavior is that on 2.11.0 I get an error when testing the LDAP connection saying "Failed to verify LDAP server with error: error: ldap server network timeout." and the core logs report:
2024-07-03T17:50:12Z [WARNING] [/core/auth/ldap/ldap.go:62]: ldap connection fail: LDAP Result Code 200 "Network Error": remote error: tls: handshake failure
2024-07-03T17:50:12Z [ERROR] [/core/controllers/base.go:101]: Error occurred in UserLogin: LDAP Result Code 200 "Network Error": remote error: tls: handshake failure

Steps to reproduce the problem:
Upgrade Harbor from 2.10.2 to 2.11.0, and configure LDAP auth.

Versions:
Please specify the versions of the following systems.

  • harbor version: 2.11.0
  • helm chart version: 1.15.0
@DENISKI

DENISKI commented Jul 4, 2024

The same issue.
2024-07-04T17:20:48Z [WARNING] [/core/auth/ldap/ldap.go:62]: ldap connection fail: LDAP Result Code 200 "Network Error": remote error: tls: handshake failure
2024-07-04T17:20:48Z [ERROR] [/core/controllers/base.go:101]: Error occurred in UserLogin: LDAP Result Code 200 "Network Error": remote error: tls: handshake failure

@wy65701436
Contributor

wy65701436 commented Jul 8, 2024

What's your AD? And the version of your AD?
It is supposed to be caused by go-gitea/gitea#31228.

@stonezdj
Contributor

stonezdj commented Jul 9, 2024

@dajose @DENISKI You could try this workaround:

Update common/config/core/env and add an environment variable:

GODEBUG="tlsrsakex=1"

Restart Harbor and try connecting to LDAP again.

@vaz-ar

vaz-ar commented Jul 10, 2024

> @dajose @DENISKI You could try this workaround:
>
> Update common/config/core/env and add an environment variable:
>
> GODEBUG="tlsrsakex=1"
>
> Restart Harbor and try connecting to LDAP again.

Any idea where to put that to make it persistent? If I run the Harbor install.sh script again after modifying common/config/core/env, the file is overwritten.

@dajose
Author

dajose commented Jul 12, 2024

> @dajose @DENISKI You could try this workaround:
>
> Update common/config/core/env and add an environment variable:
>
> GODEBUG="tlsrsakex=1"
>
> Restart Harbor and try connecting to LDAP again.

@stonezdj thanks for that workaround. I confirm it works with that set.

I had some trouble understanding the issue @wy65701436 pointed out. Does it say that TLS 1.2 support is now disabled by default in the Go library used to perform the connection?

@vaz-ar I can't answer yours, because I am using Harbor via a Helm installation. So in my case I edited the values file, adding it to the "extraEnvVars" field under core.

@stonezdj
Contributor

Golang 1.22 still supports TLS 1.2, but it removed some weak TLS cipher suites that start with TLS_RSA_*.
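To make that explanation concrete, here is an added Go example (not Harbor's code, and not from the linked Gitea issue) that reproduces the failure in-process. It starts a loopback TLS 1.2 server that only offers TLS_RSA_WITH_AES_128_GCM_SHA256, standing in for a directory server that still depends on RSA key exchange, and then runs three client policies against it: one limited to forward-secret ECDHE suites (the posture a Go 1.22 default client has without any GODEBUG setting), one that additionally allows the TLS_RSA_* suite (the effect the GODEBUG="tlsrsakex=1" workaround above has on Harbor core), and one using whatever defaults the Go toolchain compiling it ships with. The host name ldap.example.test and the self-signed certificate are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed server name for the throwaway certificate; not a real host.
const serverName = "ldap.example.test"

// startLegacyServer models a directory server that still needs RSA key exchange:
// an RSA certificate (TLS_RSA_* encrypts the premaster secret to the server's
// RSA key), TLS 1.2 only (TLS 1.3 ignores CipherSuites) and one TLS_RSA_* suite.
// It returns the loopback address, the client's trust pool and the listener.
func startLegacyServer() (string, *x509.CertPool, net.Listener, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client verifies the self-signed cert instead of skipping verification
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a failure reaches the client as a TLS alert
			}(c)
		}
	}()
	return ln.Addr().String(), roots, ln, nil
}

// dialWith performs a client handshake under the given cipher suite policy
// (nil means the defaults of the Go toolchain this was built with, which is
// what Harbor core relies on) and returns the negotiated suite name.
func dialWith(addr string, roots *x509.CertPool, suites []uint16) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:      roots,
		ServerName:   serverName,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	addr, roots, ln, err := startLegacyServer()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer ln.Close()
	ecdhe := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	// Forward-secret suites only: the posture of a Go 1.22 client without GODEBUG.
	_, err = dialWith(addr, roots, ecdhe)
	fmt.Println("ECDHE-only client      :", err)
	// Also allowing TLS_RSA_*: what GODEBUG=tlsrsakex=1 restores in Harbor core.
	suite, err := dialWith(addr, roots, append(ecdhe, tls.TLS_RSA_WITH_AES_128_GCM_SHA256))
	fmt.Println("client allowing TLS_RSA:", suite, err)
	// This toolchain's defaults: fails on Go >= 1.22 unless tlsrsakex=1 is set.
	suite, err = dialWith(addr, roots, nil)
	fmt.Println("toolchain-default      :", suite, err)
}
```

The ECDHE-only client fails with the same "remote error: tls: handshake failure" alert that appears in the Harbor core logs, because the server has no cipher suite in common with it; the client that also lists TLS_RSA_WITH_AES_128_GCM_SHA256 negotiates that suite. The third dial shows what the Go toolchain on your machine does by default, and running it with GODEBUG=tlsrsakex=1 set in the environment flips that result, which is exactly the lever the workaround uses. Note that re-enabling RSA key exchange gives up forward secrecy for those sessions, so the durable fix is on the directory server side: enable ECDHE suites there.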

@stonezdj
Contributor

> > @dajose @DENISKI You could try this workaround:
> > Update common/config/core/env and add an environment variable:
> >
> > GODEBUG="tlsrsakex=1"
> >
> > Restart Harbor and try connecting to LDAP again.

> Any idea where to put that to make it persistent? If I run the Harbor install.sh script again after modifying common/config/core/env, the file is overwritten.

You should manually update the env file after running ./install.sh.

@dajose
Author

dajose commented Jul 16, 2024

> Golang 1.22 still supports TLS 1.2, but it removed some weak TLS cipher suites that start with TLS_RSA_*.

Thanks for explaining it to me.

That being the case, I am OK with closing this issue.
