Is TLSv1.3 required on PBS 3.1 for LDAP authentication?

[f4242]

Hello,

I upgraded my first PBS server to 3.1 today. LDAP authentication is failing with that error :

Feb 6 15:35:40 backup-pbs backup-pbs proxmox-backup-api[762]: authentication failure; rhost=[::ffff:10.x.x.x]:44696 user=myuser@ldap msg=native TLS error: error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:893:

The LDAP backend is Samba on Ubuntu 16.04 ESM (yeah, I know, it needs upgrade!). Samba is logging: "A TLS fatal alert has been received".

I wonder if PBS 3.x now requires TLSv1.3. Is there a way to configure it to allow the use of TLSv1.2 until we upgrade our DCs? I looked inside /etc/proxmox-backup-server but didn't find anything.

Thanks.

 

[ggoller]

Hi!
PBS supports TLSv1.3 and TLSv1.2. The problem is that your ldap server has an older version of openssl which still supports legacy renegotiation, while PBS has it disabled.

Additional info here: https://github.com/openssl/openssl/issues/21296#issuecomment-1609397222
And the original bugreport here: https://bugzilla.proxmox.com/show_bug.cgi?id=3763

 

[f4242]

Thanks for the details! I guess it's just another reason to not delay the DC updates