diff --git a/components/docs-chef-io/content/automate/configuration.md b/components/docs-chef-io/content/automate/configuration.md index aeed02a47f..d72c8c7e1b 100644 --- a/components/docs-chef-io/content/automate/configuration.md +++ b/components/docs-chef-io/content/automate/configuration.md @@ -505,6 +505,41 @@ and then run `chef-automate config patch ` to deploy yo x_xss_protection = "0" ``` +### Legacy Cipher Support + +Automate Dex can be configured to support legacy RSA and 3DES ciphers to connect with an LDAP/SAML server through the Dex client. + +#### Supported Ciphers + +When legacy cipher support is enabled, the following ciphers are allowed: + +- TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C) +- TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D) +- TLS_RSA_WITH_AES_128_CBC_SHA (0x002F) +- TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) +- TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C) + +#### How to Enable Legacy Cipher Support + +Add the following section to your Automate configuration TOML: + +```toml +[dex.v1.sys.cipher] +enable_legacy_rsa = true +enable_legacy_3des = true +``` + +Set the following values: + +- `enable_legacy_rsa`: Enable legacy RSA key exchange ciphers. Set to true to enable. Default: false. +- `enable_legacy_3des`: Enable legacy 3DES ciphers. Set to true to enable. Default: false. + +When both are true, legacy RSA and 3DES ciphers are enabled (GODEBUG=tlsrsakex=1,tls3des=1). + +When one is true, that cipher type is enabled (GODEBUG=tlsrsakex=1 or GODEBUG=tls3des=1). + +When both are false or unset, legacy ciphers are not enabled (GODEBUG is unset). + ### Troubleshooting Common syntax errors may cause issues in configuration files: diff --git a/components/docs-chef-io/content/automate/ldap.md b/components/docs-chef-io/content/automate/ldap.md index ab04027a3e..ed62e7d54b 100644 --- a/components/docs-chef-io/content/automate/ldap.md +++ b/components/docs-chef-io/content/automate/ldap.md 
@@ -956,6 +956,20 @@ With an additional `group_query_filter`, the final filter is Note: if the user entry contains more than one `filter_groups_by_user_attr` attribute, multiple queries will be executed, and their results combined. +#### TLS Handshake Failure After Upgrade + +If you encounter errors like the following one after upgrading Chef Automate, and you can still authenticate using `ldapsearch` but not through Automate, your LDAP server may require legacy RSA or 3DES ciphers for TLS connections: + +``` +automate-dex.default(O): time="..." level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": remote error: tls: handshake failure" +``` + +**Solution:** + +Enable legacy cipher support in Automate Dex by following the instructions in the [Chef Automate Configuration Documentation: Legacy Cipher Support](https://docs.chef.io/automate/configuration/#legacy-cipher-support). + +This allows Automate Dex to connect to older LDAP servers using the required ciphers. See the configuration documentation for supported ciphers and step-by-step instructions. + #### Other Common Issues If a user, following a sign in through LDAP or SAML, sees a
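Review bot: In the configuration.md hunk, the "Supported Ciphers" list under "Legacy Cipher Support" contains only RSA key-exchange suites (0x009C, 0x009D, 0x002F, 0x0035, 0x003C) and no 3DES suite, so a reader cannot tell what `enable_legacy_3des = true` actually re-enables; either add the 3DES suites that `GODEBUG=tls3des=1` restores, or split the list into one group per setting. The section also needs a security caveat, because Go disabled these suites by default for a reason: RSA key exchange provides no forward secrecy, and 3DES is a 64-bit block cipher, so the page should say this is a temporary workaround while the LDAP server is upgraded rather than a permanent setting. Since `GODEBUG` is process-wide, state plainly that the weaker suites become available on every TLS connection Dex makes, not only the one to the legacy server. Finally, say how the change is applied; the surrounding section already describes `chef-automate config patch`, so one sentence pointing to it would close the loop.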
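Review bot: In the ldap.md hunk, the diagnosis in "TLS Handshake Failure After Upgrade" rests on a weak signal: `ldapsearch` succeeding while Dex fails only shows that the two clients negotiate different suites, not that the server is limited to RSA key exchange or 3DES. Before telling the reader to re-enable suites that Go disabled by default, have them confirm what the server offers, for example with `nmap --script ssl-enum-ciphers -p 636 <ldap-host>` or `openssl s_client -connect <ldap-host>:636 -cipher ECDHE-RSA-AES128-GCM-SHA256`, and list the preferred fix first: enable ECDHE/AES-GCM suites on the LDAP server so the Automate-side workaround is not needed. The closing sentence "This allows Automate Dex to connect to older LDAP servers using the required ciphers" should also note the trade-off (loss of forward secrecy, 64-bit block cipher) rather than presenting the setting as cost-free.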