[gnutls-help] issue with Windows 2008r2 Ldap

André Liechti andre at liechti.net
Tue Dec 29 19:15:39 CET 2015

Like other people, I had this issue, and I had to fix it as soon as possible.

I dug a little bit, I put the Windows 2012R2 server in debug mode for Schannel (https://support.microsoft.com/en-us/kb/260729), and I tried to bind using ldaps, with the following errors:
- An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
- A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Found on Microsoft forum:
"When OpenSSL establishes the connection to AD LDAP it sends its client cipher list, but TLSv1.2 allows for a longer cipher list than earlier versions, AD LDAP doesn't seem to accept this. When the longer list gets sent AD believes its a corrupted packet so drops the connection." (https://social.technet.microsoft.com/Forums/windows/en-US/b6ffa278-4a04-4609-ac35-8390f5ba9cb6/ldap-over-ssl-on-windows-2012r2-server-dcs-tls-12-not-working?forum=winserversecurity)

After disabling the TLS1.2 support, I was able to bind using ldaps:
- An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows.
- Protocol: TLS 1.1
- CipherSuite: 0x2F
- Exchange strength: 1024

I don't know exactly which cipher suite has a problem, but currently it's enough for me to work with TLS 1.1.


-----Original Message-----
From: n.mavrogiannopoulos at gmail.com [mailto:n.mavrogiannopoulos at gmail.com] On behalf of Nikos Mavrogiannopoulos
Sent: Tuesday, December 29, 2015 14:04
To: Hilitec
Cc: GnuTLS mailing list
Subject: Re: [gnutls-help] issue with Windows 2008r2 Ldap

On Mon, Dec 28, 2015 at 12:03 PM, Hilitec <andre at liechti.net> wrote:
> Seyeong Kim <seyeong.kim <at> canonical.com> writes:
>> Hello
>> I have an issue with gnutls ( maybe not ) and Windows 2008r2 Ldap 
>> when I tried to ldapsearch to windows ldap, I got below message
>> TLS: can't connect: A TLS packet with unexpected length was received..
>> there are two AD, 2008r2, 2012r2 and I could only see this error on
>> 2012r2 + ubuntu 14.xx combination
>> I checked gnutls version
>> libgnutls26 | 2.12.23-12ubuntu2.3
>> libgnutls-deb0-28 | 3.3.8-3ubuntu3   | vivid
>> Is there any commits I can refer to this issue?
>> I know there are large differences between two versions. so I need an advice.
> GnuTLS and SChannel (Microsoft) implementations are not (yet) 
> compatible for TLS 1.2 negotiation during AD/LDAPS binding.

That's the first time I see something like that. As far as I know schannel and gnutls are fully compatible with TLS 1.2. Is there any bug report or more information on that incompatibility that you mention?
