cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
440
Views
0
Helpful
4
Replies
Highlighted
Beginner

Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

Currently working on updating our ironport to use LDAPS on port 3269. Currently it's just using regular LDAP on port 389. We have 2 LDAPS servers and the first succeeds when using the Start Test button but getting an error for the 2nd server. Any advice? Below is the error:

 

 

Checking connectivity of LDAP Server(s)...
Success: Server 'IP.OF.SERVER.1' responding to queries on port 3269.
Failure: Queries to server 'IP.OF.SERVER.2' on port 3269 failed :
Inquiry timed out: SSL Error: (336122170, 'error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters')

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

Hello ViscOtter,

 

Check the following:-

CLI> sslconfig

Disabling SSLv3 is recommended for best security.

Note that the SSL/TLS service on remote servers may require that the selected TLS versions be sequential. So to avoid communications errors, always select a contiguous set of versions for
each service. For example, do not enable TLS 1.0 and 1.2, while leaving TLS 1.1 disabled.

Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is currently enabled in LDAP. Do you want to disable it? [N]> 

 

You need to disable the above.

 

If this doesn't resolve, take a pcap and compare the working an non working scenarios, check cipher suites in client hello. check if the cipher suites are different.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

 

 

 

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Re: Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

Hello  ViscOtter,

 

You seem to be hitting a bug. Though it doesn't mention the newer versions, please try to disable the ECDH ciphers on the WSA and the LDAP server and try again.

 

you can match the ciphers on the LDAPS cipher( that is working fine )

 

bug link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus45109

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

Highlighted
Beginner

Re: Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

We're on:  10.1.4-017

 

How can I disable ECDH ciphers on the WSA for LDAPS? Under System Administration > SSL Configuration, I only see ciphers to use for Proxy Services. The only options for LDAPS is TLS 1.0 and SSL 3.0

 

Also, our LDAPS servers are 2012R2 and 2016. This bug is happening on the 2016 server.

Highlighted
Cisco Employee

Re: Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

Hello ViscOtter,

 

Check the following:-

CLI> sslconfig

Disabling SSLv3 is recommended for best security.

Note that the SSL/TLS service on remote servers may require that the selected TLS versions be sequential. So to avoid communications errors, always select a contiguous set of versions for
each service. For example, do not enable TLS 1.0 and 1.2, while leaving TLS 1.1 disabled.

Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is currently enabled in LDAP. Do you want to disable it? [N]> 

 

You need to disable the above.

 

If this doesn't resolve, take a pcap and compare the working an non working scenarios, check cipher suites in client hello. check if the cipher suites are different.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question

 

 

 

View solution in original post

Highlighted
Beginner

Re: Cisco S170 - LDAPS failed with SSL3_GET_KEY_EXCHANGE

I did the below and double checked it said "ECDHE cipher status is disabled in LDAP":


Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> ecdhe

ECDHE cipher status is enabled in LDAP

Please select an option to change ECDHE cipher status:
- 1 - Toggle ECDHE cipher status in LDAP
[]> 1

 

I also checked the client hello and both servers give the below whether I change the above setting or not:

TLSCipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }

 

 

The only thing I didn't try was rebooting the WSA after I made that change because I would need to wait til after hours.

 

 

EDIT: Nevermind, your solution worked. I forgot one important step.. commit in cli.. oops. Thanks for all the help!