I’ve been using matrix-synapse-ldap3 for almost four years now, and I’m somewhat familiar with the setup and configuration.
After setting up a new Matrix instance/server, and trying to recreate the working LDAP password_providers modules configuration, I’m experiencing some errors unfortunately, and I absolutely cannot figure out what the problem might be.
The LDAP connection is definitely working from this server; I tested this with ldapsearch as well as other applications/services than matrix-synapse(-ldap3) with the same LDAP configuration; I tested with TLS (Start_TLS) and with SSL (via LDAPS).
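Here’s the relevant LDAP module configuration from the homeserver.yaml file:
Here’s an excerpt from the homeserver.log file:
For testing, I disabled the certificate validation via validate: false in tls_options. This did not help.
The README states that additional tls_options are supported which can be any key from the Tls object, which is why I tried setting e.g. version: "TLSv1" or version: "SSLv2" or version: 4 above (other versions were tested, too).
This results in another error in the homeserver.log file, stating that there’s no ciphers available. Specifying ciphers in the Tls object, via e.g. ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS", results in the same error (SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]) as above.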
Here are some package versions:
```console
$ pip list | grep matrix
matrix-common 1.3.0
matrix-synapse 1.100.0
matrix-synapse-ldap3 0.3.0
$ pip list | grep SSL
pyOpenSSL 23.3.0
$ pip list | grep request
requests 2.31.0
$ pip list | grep urllib
urllib3 2.0.7
```
Maybe, hopefully, someone could help?
PS: It seems more and more that this problem is brought in via some dependencies; I was not able to pinpoint if it’s e.g. ldap3 or openssl, and I was not able to find any solution in other repositories’ issues or via search engine.
```yaml
# Python 3.10 seemingly introduces some problems(?) related to SSL/TLS,
# hence we need some more configuration, at least for _our_ LDAP server
#
tls_options:
  validate: false
  version: 5  # that is "PROTOCOL_TLSv1_2"
  ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS"
```
PS: I tested this very cipher string with TLS 1.1 before, and it didn’t work. The following nmap command helped me figure out which TLS versions and ciphers are supported by the LDAP server, and therefore need to be specified for the client.
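A Python counterpart to the diagnostic step described in the comment above (finding which TLS versions the LDAP server accepts with a given cipher string), added here as an example and not taken from the thread or from matrix-synapse-ldap3. The names `probe`, `survey` and `ProbeResult` are hypothetical; it assumes LDAPS (TLS from the first byte, port 636) rather than StartTLS, and it keeps certificate verification on.

```python
import socket
import ssl
import sys
from dataclasses import dataclass

# Cipher string quoted on this page (OpenSSL syntax; it only governs TLS <= 1.2).
PAGE_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDH+AESGCM:"
                "DH+AESGCM:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS")
VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


@dataclass
class ProbeResult:
    offered: str   # TLS version the client was pinned to
    ok: bool       # True if the handshake completed
    detail: str    # negotiated cipher suite, or the failure reason


def probe(host, port, version, ciphers=PAGE_CIPHERS, cafile=None, timeout=5.0):
    """Try one handshake pinned to `version` (LDAPS style: TLS from the first byte)."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers(ciphers)  # raises SSLError if nothing matches locally
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(version.name, True, tls.cipher()[0])
    except ssl.SSLError as exc:
        # OpenSSL's mnemonic: SSLV3_ALERT_HANDSHAKE_FAILURE means the server refused
        # the offered version/ciphers; CERTIFICATE_VERIFY_FAILED means negotiation
        # got as far as the certificate, so version and ciphers were acceptable.
        return ProbeResult(version.name, False, getattr(exc, "reason", None) or str(exc))
    except (OSError, ValueError) as exc:  # refused, timed out, version not in this build
        return ProbeResult(version.name, False, type(exc).__name__)


def survey(host, port=636, **kwargs):
    """Probe each TLS version in turn, oldest first."""
    return [probe(host, port, v, **kwargs) for v in VERSIONS]


if __name__ == "__main__" and len(sys.argv) > 1:
    for r in survey(sys.argv[1]):  # hostname of your own LDAP server
        print(f"{r.offered:8} {'ok' if r.ok else 'FAILED':6} {r.detail}")
```

A FAILED row for TLS 1.0 or 1.1 can also come from the local OpenSSL policy rather than from the server, so compare the reason strings before concluding which side refused.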