LDAPS is broken after upgrading NSX to version 4.1

In this blog post we will talk about a potential impact on some LDAPS installations after upgrading NSX to version 4.1.

In NSX version 4.1, support for old TLS cipher suites has been removed. While this is a good step toward stronger security, there are still servers that do not support the newer cipher suites. If you run a very old LDAPS server, you may notice that your existing LDAPS users keep working, but the Connection Status check against the LDAPS server from the NSX Manager UI fails, and you see the following error if you try to re-add the LDAPS server:

“Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostname, port, and other parameters are correct. (Error code: 53000).”

Below is a screenshot of a packet capture from an NSX Manager running version 4.1; notice that it offers only 2 cipher suites in the Client Hello.

Now let’s take a look at the Client Hello from NSX version 3.2 for comparison. We can see that it offers 12 cipher suites.

If you have an old LDAPS server that stops working after upgrading NSX to version 4.1, it is worth checking whether you are running into this issue. Since CBC cipher suites are vulnerable to known attacks, the better fix is to move to a more secure LDAPS server that supports GCM cipher suites.
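To reproduce the Client Hello comparison above without Wireshark, here is an added example (not from the original post or from VMware) that parses the cipher-suite list out of a raw TLS ClientHello record and reports whether a CBC-only LDAPS server could still complete the handshake. The two sample hellos are constructed inline; the post does not name the two suites NSX 4.1 offers, so the GCM-only sample is an assumption based on the post's GCM recommendation.

```python
import struct

# IANA cipher-suite codes with the names a packet capture shows.
CIPHER_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record offering `suites` (sample input only)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"            # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    body += b"\x00\x00"                                     # no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 0x01 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def offered_cipher_suites(record):
    """Return the cipher-suite codes offered in a ClientHello record, in preference order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                   # record header, handshake header, version, random
    pos += 1 + record[pos]                 # session_id length byte plus session_id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]

def ldaps_compat_report(record):
    """Split offered suites into GCM/CBC; a CBC-only server fails unless at least one CBC suite is offered."""
    names = [CIPHER_SUITES.get(c, f"unknown_0x{c:04X}") for c in offered_cipher_suites(record)]
    gcm = [n for n in names if "_GCM_" in n]
    cbc = [n for n in names if "_CBC_" in n]
    return {"offered": len(names), "gcm": gcm, "cbc": cbc, "cbc_only_server_ok": bool(cbc)}

# Constructed samples: a GCM-only hello (assumed 4.1-like) and a 12-suite hello that still includes CBC.
GCM_ONLY_HELLO = build_client_hello([0xC030, 0xC02F])
MIXED_HELLO = build_client_hello([0xC030, 0xC02F, 0xC028, 0xC027, 0xC014, 0xC013,
                                  0x009D, 0x009C, 0x003D, 0x003C, 0x0035, 0x002F])

if __name__ == "__main__":
    for label, rec in (("GCM-only hello", GCM_ONLY_HELLO), ("hello with CBC suites", MIXED_HELLO)):
        print(label, ldaps_compat_report(rec))
```

Feed `offered_cipher_suites` the raw bytes of a real ClientHello exported from a capture to see exactly which suites your NSX Manager offers.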
