Getting connection reset when using LDAPS

When at the login page trying to auth via LDAPS, I get the following errors:

May 31 01:35:39 monitoring grafana-server[26224]: t=2017-05-31T01:35:39+0000 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="LDAP Result Code 200 \"\": read tcp MY_IP:44532->AD_IP:636: read: connection reset by peer"
May 31 01:35:39 monitoring grafana-server[26224]: t=2017-05-31T01:35:39+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.60.1 time_ms=41 size=53

I’ve tried specifying my organization’s “root_ca_cert” but the error is the same with or without. Relevant ldap config:

[[servers]]
host = "MY_AD_SERVER"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false

On the AD server (Windows 2012 R2), the following errors are generated:

Event 36888, Schannel
"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205."

Event 36874, Schannel
"An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client are supported by the server. The SSL connection request has failed."

We use SHA-512 for the root CA certs, and I confirmed with IT that the necessary Windows updates have been applied that allow TLS 1.2 to work with SHA-512.

So here’s what’s confusing me. I can connect from the same machine via openssl without issue.

[vagrant@monitoring ~]$ openssl s_client -connect MY_AD:636
CONNECTED(00000003)
depth=2 C = US, O = REMOVED...
verify return:1
depth=1 C = US, O = REMOVED...
verify return:1
depth=0 
verify return:1
---
Certificate chain
REMOVED
---
Server certificate
REMOVED
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4746 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID-ctx: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1496195578
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Given that, why can’t Grafana connect? And how could I troubleshoot this further? For example, is there any way to get Grafana to show what cipher(s) it’s trying? LDAP logging is already set to debug, and I tried setting Grafana to debug level logging in general, but there wasn’t any extra output for LDAP. This is with Grafana 4.3.1 installed to CentOS 7 via the official repo.

This issue with another Go project seems possibly related. It also seems similar to this issue on Github.
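Grafana's LDAP client is written in Go, so the cipher suites it offers are whatever crypto/tls implements, not what the OpenSSL build on the same machine offers; a working s_client handshake therefore says nothing about what Grafana will send. The program below is an added example (not Grafana's or its LDAP library's code): it dials an LDAPS endpoint with Go's default client configuration, reports the negotiated version and suite, then retries once per TLS 1.2 suite so the set the domain controller actually accepts becomes visible, which is the "show me what cipher(s) it's trying" question asked above. It also maps the OpenSSL name from the s_client output to the IANA name Go prints: ECDHE-RSA-AES256-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, a suite Go's crypto/tls has never implemented, so a server that enables only that suite will answer every Go client with the handshake_failure alert (TLS alert code 40) recorded in Event 36888/36874. The host:port argument, the small name table and the TLS 1.2 floor are the example's own assumptions; server certificates are verified against the system trust store.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// OpenSSL name (as s_client prints it) -> IANA name (as Go prints it).
// Constructed for this example; only common ECDHE-RSA suites are listed.
var opensslToIANA = map[string]string{
	"ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES256-SHA384":     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	"ECDHE-RSA-AES128-SHA256":     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	"ECDHE-RSA-AES256-SHA":        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"ECDHE-RSA-AES128-SHA":        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLSv1.0", tls.VersionTLS11: "TLSv1.1",
	tls.VersionTLS12: "TLSv1.2", tls.VersionTLS13: "TLSv1.3",
}

// IANAName translates an OpenSSL suite name; unknown names yield "".
func IANAName(openssl string) string { return opensslToIANA[openssl] }

// VersionName renders a TLS version constant the way s_client does.
func VersionName(v uint16) string {
	if n, ok := versionNames[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

// GoOffers reports whether this Go runtime implements the named suite at all,
// in either its default list or its insecure-but-available list.
func GoOffers(iana string) bool {
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if s.Name == iana {
			return true
		}
	}
	return false
}

// Probe performs one handshake and returns the negotiated version and suite.
func Probe(addr string, cfg *tls.Config) (version, suite string, err error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return VersionName(st.Version), tls.CipherSuiteName(st.CipherSuite), nil
}

func die(err error) { fmt.Fprintln(os.Stderr, err); os.Exit(2) }

func main() {
	if len(os.Args) < 2 {
		die(fmt.Errorf("usage: ldapsprobe host:636"))
	}
	addr := os.Args[1]
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		die(err)
	}
	// ServerName drives certificate verification; the floor mirrors the
	// TLS 1.2 requirement the domain controller reported.
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	// Default offer first: this is what a Go LDAP client sends out of the box.
	if v, s, err := Probe(addr, cfg); err != nil {
		fmt.Println("default suites: handshake failed:", err)
	} else {
		fmt.Printf("default suites: %s %s\n", v, s)
	}
	// Then one TLS 1.2 suite per handshake, so the server's acceptable set
	// is visible even when the default offer is refused outright.
	for _, cs := range tls.CipherSuites() {
		if cs.SupportedVersions[0] == tls.VersionTLS13 {
			continue // TLS 1.3 suites are not selectable via CipherSuites
		}
		one := cfg.Clone()
		one.CipherSuites = []uint16{cs.ID}
		if _, _, err := Probe(addr, one); err != nil {
			fmt.Printf("rejected: %s (%v)\n", cs.Name, err)
		} else {
			fmt.Printf("accepted: %s\n", cs.Name)
		}
	}
}
```

Run it as `go run ldapsprobe.go MY_AD:636` from the Grafana host. If the default probe fails with a handshake failure and every per-suite probe is rejected, the domain controller's enabled suites and Go's implemented suites are disjoint, and the fix has to come from the AD side (enabling an AES-GCM ECDHE suite via its cipher suite order policy) or from terminating TLS with a different stack, as the stunnel workaround in this thread does.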

Well, this feels really janky, but I am only able to get any encryption working using stunnel. I set Grafana for non-SSL LDAP authentication and pointed it at 127.0.0.1, then set up stunnel to listen on 389 and connect to my AD server on 636 via TLS v1.2. Packet captures with Wireshark show the password is not sent in plaintext to the AD server and the connection is TLS v1.2.

ldap.toml

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false

stunnel.conf

sslVersion = TLSv1.2

[ldap]
accept  = 389
connect = MY_AD:636
client = yes
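The stunnel bridge above encrypts the hop to the domain controller, but as configured it does not authenticate it: with no `verifyChain`/`CAfile` stunnel accepts any certificate the far end presents, and `accept = 389` listens on every interface, so any host that can reach port 389 on the Grafana box gets a plaintext LDAP relay into AD. The variant below is an added example, not the poster's file; `/etc/stunnel/ad-root-ca.pem` and `dc01.example.com` are placeholders, and `verifyChain`/`checkHost` require the stunnel 5 series.

```ini
; Hardened variant of the stunnel.conf above (added example, not the poster's config).
sslVersion = TLSv1.2

[ldap]
client  = yes
; Listen on loopback only: the accept side is plaintext LDAP.
accept  = 127.0.0.1:389
connect = dc01.example.com:636
; Verify the server chain against the organisation's root CA (placeholder path)
; and require that the certificate is issued for the host being dialled.
verifyChain = yes
CAfile      = /etc/stunnel/ad-root-ca.pem
checkHost   = dc01.example.com
```

With this in place Grafana's `ssl_skip_verify = false` on the loopback leg is irrelevant (that leg is plain LDAP), and the certificate check the Grafana side can no longer perform is done by stunnel instead; the CA file should be the same PEM chain that was tried as `root_ca_cert` earlier in the thread.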

Hello, could you confirm that with STUNNEL it is possible to reach the goal of LDAPS?

My Grafana server runs on Microsoft Server.
The Active Directory is on a Microsoft Domain Controller server.

And where are the certificates for LDAPS?
And in which format?
In our environment, we use a CA (certificate authority) server.

Is it possible to implement LDAPS between the Domain Controller and the Grafana server in a Microsoft environment using STUNNEL?

Thank you in advance.
