Hello,
We are trying to explore a new configuration, and the details are below.
Front end : avi load balancer
Back end : Ping directory
When we try to establish the connection via "avi LB" with a client certificate, we get the error "unable to decode message from client" from the backend LDAP server.
Is there any other better way to pass the client certificate to the LB? Please let me know.
Note:
At the AVI end MASSL is on, and we are trying to establish the connection with a client certificate.
Command:
ldapsearch --hostname <avi LB dns> --port 39636 --useSSL --keyStorePath ../keystore.new --keyStorePasswordFile ../keystore.pin --certNickName asuid --baseDN " " --searchScope base "(objectClass=*)"
Error from ldap server:
[10/Jun/2022:08:44:07.557 +0000] CONNECT instanceName="Hostname:636" threadID=430 conn=56423 from="1.1.1.1" fromPort=372 to="170.43.228.165" toPort=636 protocol="LDAP+TLS" clientConnectionPolicy="Default"
[10/Jun/2022:08:44:07.574 +0000] SECURITY-NEGOTIATION instanceName="Hostname:636" threadID=216 conn=56423 protocol="TLSv1.3" cipher="TLS_AES_128_GCM_SHA256" clientServerHandshakeTimeMillis="16.335" serverOnlyHandshakeTimeMillis="13.895"
[10/Jun/2022:08:44:07.646 +0000] DISCONNECT instanceName="Hostname:636" threadID=216 conn=56423 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: LDAPException(resultCode=2 (protocol error), errorMessage='Cannot decode the provided ASN.1 sequence as an LDAP message because the sequence contained an invalid number of elements (expected 2 or 3, got 1)', ldapSDKVersion=5.1.2, revision=420e41670eca6da60425a79cf400a49205397f61). Data from client: [readBytes=16 03 03 01 A1 unreadBytes=01 00 01 9D 03 03 07 C9 25 09 C0 9A 8E 22 6B 56 3A 24 2D 19 42 69 3D F6 64 D5 47 3A 2F 50 50 9D 75 10 A8 56 A5 AC 20 3B 6A 0C E7 DA 64 D0 93 FD 75 C5 D5 E0 19 ED 68 65 35 F5 E1 C3 3B 5A 84 54 F5 D5 F5 B5 DD 18 5A 00 42 13 02 13 01 C0 2C C0 2B C0 30 C0 2F 00 9F 00 A3 00 9E 00 A2 C0 24
Hello,
The Avi load balancer would not have the required client private key to sign with the client's certificate, so the only possible path to get load balancing to work here would be Layer 4 (TCP) with TLS passed to the backend LDAP server.
If the LDAP server does not require the client certificate, it's possible to just use a normal server TLS profile and drop the client certificate at the service engine.
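The "Data from client" bytes in the DISCONNECT line of the question are worth decoding, because they show what the directory server actually received after its own TLS session with the service engine was already negotiated. The following is an added diagnostic example, not code from this thread, from Ping Identity or from Avi; the byte string is copied from the log line (which is truncated, so only the record header, handshake header and the start of the cipher-suite list can be decoded). It checks whether the data starts with the BER SEQUENCE tag every LDAPMessage must start with and, if not, parses it as a TLS record. The bytes decode as a TLS handshake record carrying a ClientHello, so the server was handed a second TLS handshake inside the established TLS session instead of an LDAP BindRequest, which is why the LDAP decoder reported a protocol error. The cipher-suite name table only covers the suites visible in the log; anything else is shown as hex.

```python
"""
Decode the "Data from client" bytes from the PingDirectory DISCONNECT line.
Added diagnostic example: not code from the thread, Ping Identity or Avi.
The byte string is copied from the (truncated) log line in the question.
"""

# Constructed from the log line: the 5 readBytes followed by the unreadBytes.
LOGGED_CLIENT_DATA = bytes.fromhex(
    "16 03 03 01 A1 "                                    # readBytes
    "01 00 01 9D 03 03 "                                 # unreadBytes start
    "07 C9 25 09 C0 9A 8E 22 6B 56 3A 24 2D 19 42 69 "
    "3D F6 64 D5 47 3A 2F 50 50 9D 75 10 A8 56 A5 AC "
    "20 "
    "3B 6A 0C E7 DA 64 D0 93 FD 75 C5 D5 E0 19 ED 68 "
    "65 35 F5 E1 C3 3B 5A 84 54 F5 D5 F5 B5 DD 18 5A "
    "00 42 13 02 13 01 C0 2C C0 2B C0 30 C0 2F 00 9F "
    "00 A3 00 9E 00 A2 C0 24"
)

BER_SEQUENCE = 0x30  # every LDAPMessage is a BER SEQUENCE (RFC 4511)

TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
TLS_HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello"}

# Only the suites that appear in the log line are named here.
CIPHER_SUITE_NAMES = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def looks_like_ldap_message(data: bytes) -> bool:
    """True if the data starts with the BER SEQUENCE tag of an LDAPMessage."""
    return len(data) > 0 and data[0] == BER_SEQUENCE


def decode_tls_record_header(data: bytes):
    """Return the 5-byte TLS record header as a dict, or None if it is not one."""
    if len(data) < 5:
        return None
    content_type, major, minor = data[0], data[1], data[2]
    if content_type not in TLS_CONTENT_TYPES or major != 3:
        return None
    return {
        "content_type": TLS_CONTENT_TYPES[content_type],
        "record_version": f"{major}.{minor}",  # 3.3 is the TLS 1.2 wire value
        "length": int.from_bytes(data[3:5], "big"),
    }


def decode_client_hello(body: bytes):
    """Decode a ClientHello handshake body up to the cipher-suite list."""
    if len(body) < 4 or body[0] not in TLS_HANDSHAKE_TYPES:
        return None
    info = {
        "handshake_type": TLS_HANDSHAKE_TYPES[body[0]],
        "length": int.from_bytes(body[1:4], "big"),
    }
    if body[0] != 0x01:
        return info
    p = 4
    info["legacy_version"] = f"{body[p]}.{body[p + 1]}"  # TLS 1.3 still sends 3.3 here
    p += 2
    info["random"] = body[p:p + 32].hex()
    p += 32
    sid_len = body[p]
    p += 1
    info["session_id_len"] = sid_len
    p += sid_len
    declared = int.from_bytes(body[p:p + 2], "big")  # byte length of the suite list
    p += 2
    suites = body[p:p + declared]
    info["cipher_suites_declared"] = declared // 2
    info["cipher_suites"] = [
        CIPHER_SUITE_NAMES.get(v, f"0x{v:04X}")
        for v in (int.from_bytes(suites[i:i + 2], "big")
                  for i in range(0, len(suites) - 1, 2))
    ]
    info["truncated"] = len(suites) < declared  # the log line is cut off
    return info


def diagnose(data: bytes) -> dict:
    """Classify what the directory server actually received on the connection."""
    result = {"is_ldap_message": looks_like_ldap_message(data),
              "tls_record": None, "handshake": None}
    record = decode_tls_record_header(data)
    if record is None:
        return result
    result["tls_record"] = record
    if record["content_type"] == "handshake":
        result["handshake"] = decode_client_hello(data[5:])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(LOGGED_CLIENT_DATA), indent=2))
```

Run as-is, it reports a 417-byte handshake record whose body is a 413-byte ClientHello with a 32-byte session id and 33 declared cipher suites, of which the first two are the TLS 1.3 suites 0x1302 and 0x1301. A genuine LDAP request would have started with 0x30, so the same check run on the first bytes of any rejected message tells you at once whether the load balancer is forwarding plaintext LDAP or a still-encrypted TLS stream to the directory server.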