Active Directory plugin warning: TLS is not correctly configured

Andreas Goeb
Dear fellow Jenkins users,

I came across an issue today that I just cannot figure out myself. I hope this is the correct place to ask for help.

*Problem:*

After some connection issues with Active Directory and following reconfiguration, Jenkins now shows the warning "TLS is not correctly configured on Active Directory plugin.Please, change to a more secured option;"

*Environment:*

When the issue occurred for the first time this morning, I was using Jenkins 2.150.2 with Active Directory plugin 2.11 and the following settings

- StartTLS: true
- TRUST_ALL_CERTIFICATES

*What I did so far:*

I thought the reason for the warning might be the TRUST_ALL_CERTIFICATES option, so I tried to disable it. However, it is not shown in the Global Security settings anymore, nor is it contained in the settings.xml file. So, I followed the plugin's documentation wiki page and performed the following steps for proper TLS/LDAPS configuration:

- set the hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true system property
- change the domain controller port in the plugin’s settings to 3269
- copy the JVM’s "cacerts" trust store and import the server certificate into the copy
- set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties to point to the copy
- configure a custom logger for ActiveDirectorySecurityRealm and log level FINER

The log now shows successful LDAPS connections over port 3269, and users can log in. However, the warning about insecure TLS configuration is still shown.

Does any of you know what the reason for the warning may be and which configuration I might still have to change?

Thanks a lot,
Andreas

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/E6917DCF-823F-4DBD-A11E-7B8B1545D2A8%40goeb.org.
For more options, visit https://groups.google.com/d/optout.
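
The trust store steps listed in the post above, written out as a shell script. This is an added example, not part of the original message or the plugin's documentation; the alias `ad-ldaps`, the file paths and the `STOREPASS` environment variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private trust store for Jenkins' LDAPS connection to AD.
# Alias, paths and the STOREPASS variable are assumptions for illustration.
set -eu

# Locate the JVM's default trust store (JDK 9+ layout first, then JDK 8).
find_cacerts() {
  local home="$1"
  local p
  for p in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    [ -f "$p" ] && { echo "$p"; return 0; }
  done
  return 1
}

# Copy cacerts and import the domain controller (or issuing CA) certificate.
# keytool reads the password from $STOREPASS, keeping it out of the process list.
build_truststore() {
  local java_home="$1" cert="$2" dest="$3"
  local alias="${4:-ad-ldaps}"
  cp "$(find_cacerts "$java_home")" "$dest"
  chmod 600 "$dest"
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
          -keystore "$dest" -storepass:env STOREPASS
  # Fail if the entry did not land in the copy.
  keytool -list -alias "$alias" -keystore "$dest" -storepass:env STOREPASS >/dev/null
}

# Emit the system properties named in the steps as JVM arguments.
jenkins_java_opts() {
  local store="$1" pass="$2"
  printf '%s\n' \
    "-Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true" \
    "-Djavax.net.ssl.trustStore=$store" \
    "-Djavax.net.ssl.trustStorePassword=$pass"
}

# Usage: STOREPASS=... ./ad-truststore.sh "$JAVA_HOME" dc-cert.pem /path/to/cacerts-copy
if [ "$#" -ge 3 ]; then
  : "${STOREPASS:?set STOREPASS to the trust store password}"
  build_truststore "$1" "$2" "$3"
  jenkins_java_opts "$3" "$STOREPASS"
fi
```

The copy keeps the password of the original `cacerts` file, and the Jenkins JVM has to be restarted with the printed arguments before the new trust store is used.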
Re: Active Directory plugin warning: TLS is not correctly configured

wfollonier
Hello Andreas,

Thank you for the report on such an issue. I created https://issues.jenkins-ci.org/browse/JENKINS-56047 for you. Normally, for a bug or weird behavior, you can just create a ticket in the JENKINS project.

We will try to provide a correction ASAP.

Wadeck

On Tuesday, January 29, 2019 at 11:17:12 PM UTC+1, Andreas Goeb wrote:
Dear fellow Jenkins users,

I came across an issue today that I just cannot figure out myself. I hope this is the correct place to ask for help.

*Problem:*

After some connection issues with Active Directory and following reconfiguration, Jenkins now shows the warning "TLS is not correctly configured on Active Directory plugin.Please, change to a more secured option;"

*Environment:*

When the issue occurred for the first time this morning, I was using Jenkins 2.150.2 with Active Directory plugin 2.11 and the following settings

- StartTLS: true
- TRUST_ALL_CERTIFICATES

*What I did so far:*

I thought the reason for the warning might be the TRUST_ALL_CERTIFICATES option, so I tried to disable it. However, it is not shown in the Global Security settings anymore, nor is it contained in the settings.xml file. So, I followed the plugin's documentation wiki page and performed the following steps for proper TLS/LDAPS configuration:

- set the hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true system property
- change the domain controller port in the plugin’s settings to 3269
- copy the JVM’s "cacerts" trust store and import the server certificate into the copy
- set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties to point to the copy
- configure a custom logger for ActiveDirectorySecurityRealm and log level FINER

The log now shows successful LDAPS connections over port 3269, and users can log in. However, the warning about insecure TLS configuration is still shown.

Does any of you know what the reason for the warning may be and which configuration I might still have to change?

Thanks a lot,
Andreas

Re: Active Directory plugin warning: TLS is not correctly configured

Brian Ray
In reply to this post by Andreas Goeb
Regarding the TRUST_ALL_CERTIFICATES option disappearing from the Global Security settings: If your master is on Windows you might have run into JENKINS-56224. We did so on a recent upgrade from AD ~2.10 to AD 2.12. Though the underlying setting was still present in the settings file.