VMware Networking Community
dinngap
Contributor

AVI Lb MASSL issue

Hello,

We are trying to explore a new configuration and the details are below.

Front end: Avi load balancer

Back end: Ping Directory

When we try to establish the connection via "Avi LB" with a client certificate, we get the error "unable to decode message from client" from the back-end LDAP server.

Is there any other better way to pass the client certificate to the LB? Please let me know.

Note:

At the Avi end, MASSL is on and we are trying to establish the connection with a client certificate.

Command:

ldapsearch --hostname <avi LB dns> --port 39636 --useSSL --keyStorePath ../keystore.new --keyStorePasswordFile ../keystore.pin --certNickName asuid --baseDN " " --searchScope base "(objectClass=*)"


Error from ldap server:

[10/Jun/2022:08:44:07.557 +0000] CONNECT instanceName="Hostname:636" threadID=430 conn=56423 from="1.1.1.1" fromPort=372 to="170.43.228.165" toPort=636 protocol="LDAP+TLS" clientConnectionPolicy="Default"

[10/Jun/2022:08:44:07.574 +0000] SECURITY-NEGOTIATION instanceName="Hostname:636" threadID=216 conn=56423 protocol="TLSv1.3" cipher="TLS_AES_128_GCM_SHA256" clientServerHandshakeTimeMillis="16.335" serverOnlyHandshakeTimeMillis="13.895"

[10/Jun/2022:08:44:07.646 +0000] DISCONNECT instanceName="Hostname:636" threadID=216 conn=56423 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: LDAPException(resultCode=2 (protocol error), errorMessage='Cannot decode the provided ASN.1 sequence as an LDAP message because the sequence contained an invalid number of elements (expected 2 or 3, got 1)', ldapSDKVersion=5.1.2, revision=420e41670eca6da60425a79cf400a49205397f61). Data from client: [readBytes=16 03 03 01 A1 unreadBytes=01 00 01 9D 03 03 07 C9 25 09 C0 9A 8E 22 6B 56 3A 24 2D 19 42 69 3D F6 64 D5 47 3A 2F 50 50 9D 75 10 A8 56 A5 AC 20 3B 6A 0C E7 DA 64 D0 93 FD 75 C5 D5 E0 19 ED 68 65 35 F5 E1 C3 3B 5A 84 54 F5 D5 F5 B5 DD 18 5A 00 42 13 02 13 01 C0 2C C0 2B C0 30 C0 2F 00 9F 00 A3 00 9E 00 A2 C0 24

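As an added example (not code from the thread or from Avi/Ping), the following Python decodes the "Data from client" bytes quoted in the DISCONNECT log line above. It shows that the directory received a TLS handshake record carrying a ClientHello (16 03 03 ... 01) rather than a BER SEQUENCE (tag 0x30), which is why the LDAP ASN.1 decoder gives up; arriving right after SECURITY-NEGOTIATION succeeded, that suggests a second TLS handshake being carried inside the session the load balancer already negotiated with the directory. The cipher-suite names are the IANA ones, and the BindRequest bytes are constructed for contrast.

```python
import struct

# Bytes quoted in the "Data from client" field of the DISCONNECT log line above
# (readBytes, then unreadBytes); the directory truncates the dump, so the ClientHello is incomplete.
LOG_HEX = (
    "16 03 03 01 A1 01 00 01 9D 03 03 07 C9 25 09 C0 9A 8E 22 6B 56 3A 24 2D 19 "
    "42 69 3D F6 64 D5 47 3A 2F 50 50 9D 75 10 A8 56 A5 AC 20 3B 6A 0C E7 DA 64 "
    "D0 93 FD 75 C5 D5 E0 19 ED 68 65 35 F5 E1 C3 3B 5A 84 54 F5 D5 F5 B5 DD 18 "
    "5A 00 42 13 02 13 01 C0 2C C0 2B C0 30 C0 2F 00 9F 00 A3 00 9E 00 A2 C0 24"
)
# Constructed for contrast: a minimal LDAPMessage (anonymous BindRequest, messageID 1).
LDAP_BIND_HEX = "30 0C 02 01 01 60 07 02 01 03 04 00 80 00"

# IANA names for some of the suites visible in the dump; anything else is shown as hex.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def classify_client_bytes(data: bytes) -> dict:
    """Tell whether bytes read from an LDAP client start a BER SEQUENCE (an LDAPMessage,
    tag 0x30) or a TLS record (content type 0x14..0x17 followed by version byte 0x03)."""
    if len(data) >= 5 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        info = {"kind": "tls-record", "content_type": data[0],
                "record_len": struct.unpack(">H", data[3:5])[0]}
        if data[0] == 0x16 and len(data) >= 9 and data[5] == 0x01:  # handshake: ClientHello
            info.update(parse_client_hello(data[5:]))
        return info
    if data and data[0] == 0x30:
        return {"kind": "ldap-message"}
    return {"kind": "unknown"}

def parse_client_hello(hs: bytes) -> dict:
    """Walk a possibly truncated ClientHello: header, version, random, session id, cipher suites."""
    hs_len = int.from_bytes(hs[1:4], "big")   # 3-byte handshake body length
    pos = 4
    client_version = hs[pos:pos + 2].hex()
    pos += 2 + 32                             # legacy_version, then the 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                        # legacy_session_id
    suites_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    avail = hs[pos + 2:pos + 2 + suites_len]  # only what survived the log truncation
    suites = [struct.unpack(">H", avail[i:i + 2])[0] for i in range(0, len(avail) - 1, 2)]
    return {"handshake": "ClientHello", "handshake_len": hs_len, "client_version": client_version,
            "session_id_len": sid_len, "cipher_suites_len": suites_len,
            "cipher_suites": [SUITES.get(s, f"0x{s:04X}") for s in suites],
            "truncated": len(avail) < suites_len}
```

Running `classify_client_bytes(bytes.fromhex(LOG_HEX))` reports a 417-byte handshake record whose ClientHello offers TLS_AES_256_GCM_SHA384 first, while the constructed BindRequest is classified as an LDAP message.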
engyak
Enthusiast

Hello,

The Avi load balancer would not have the required client private key to sign with the client's certificate - so the only possible path to get load balancing to work here would be Layer 4 (TCP) with TLS passed to the back LDAP server.

If the LDAP server does not require the client certificate, it's possible to just use a normal server TLS profile and drop the client certificate at the service engine.
