
In Rocky Linux 8, SSSD fails to start with an error “Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol”




Operating System and Software

  • Rocky Linux 8
  • sssd

Problem

  • SSSD is unable to connect to the LDAP server over ldaps.
  • SSSD fails to start with the error “Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol”:
May 24 09:56:57 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

How to Fix

  • This is expected behaviour in the Rocky Linux 8 release. Refer to the following documentation for more details: 7.4. Security
  • It can be fixed by running the following command on Rocky Linux 8, which switches the system-wide cryptographic policy to the LEGACY level so that the deprecated protocols are allowed again:
# update-crypto-policies --set LEGACY

Origin of the Problem

  • The following error is seen because, in Rocky Linux 8, the TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. The LDAP server in question only offers one of those protocols, so the TLS 1.2-or-newer client negotiated under DEFAULT cannot agree on a version with it:
May 24 09:56:57 AIXJENKINSDEV01 sssd[be[LDAP]][2452]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
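The following script is an added example and is not part of the original post. It ties together the "How to Fix" and "Origin of the Problem" sections: it recognises the SSSD log signature above in journal output, checks which policy the host currently runs, and probes the LDAPS endpoint to confirm that the server really does lack TLS 1.2 before the system-wide policy is lowered to LEGACY. The sample log lines are constructed, `ldap.example.com:636` is a placeholder, and it is assumed that `openssl s_client -tls1_2` exits non-zero when the server cannot negotiate that version.

```shell
#!/bin/sh
# Added example (not from the original post). Triage the SSSD
# "ssl_choose_client_version:unsupported protocol" failure before
# switching the crypto policy, since LEGACY affects every TLS client on the host.

# Constructed sample journal output for an offline demonstration.
SAMPLE_LOG='May 24 09:56:57 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
May 24 09:56:58 testsystem sssd[be[LDAP]][1234]: Backend is offline
May 24 09:57:30 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'

# Return 0 when a single log line carries the OpenSSL version-negotiation failure.
is_unsupported_protocol_error() {
    case "$1" in
        *"ssl_choose_client_version:unsupported protocol"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count matching lines in the log text passed as $1 (a here-document keeps the
# loop in the current shell so the counter survives in plain POSIX sh).
count_tls_failures() {
    n=0
    while IFS= read -r line; do
        if is_unsupported_protocol_error "$line"; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Probe an LDAPS endpoint (host:port) for TLS 1.2 support. Assumption: s_client
# exits non-zero when the handshake cannot agree on TLS 1.2. Exit 0 means the
# server is fine and the failure has another cause; do not lower the policy.
server_supports_tls12() {
    openssl s_client -connect "$1" -tls1_2 </dev/null >/dev/null 2>&1
}

# Full triage for a live host: read the last day of sssd journal entries,
# confirm the signature, check the current policy, probe the server, then apply
# the fix from the post only when the server is the limiting factor.
# Usage (as root): triage_and_fix ldap.example.com:636
triage_and_fix() {
    endpoint="$1"
    log="$(journalctl -u sssd --since '1 day ago' --no-pager 2>/dev/null)"
    hits="$(count_tls_failures "$log")"
    echo "unsupported-protocol failures in sssd journal: $hits"
    [ "$hits" -gt 0 ] || { echo "signature not present; nothing to do"; return 0; }

    echo "current system-wide crypto policy: $(update-crypto-policies --show)"

    if server_supports_tls12 "$endpoint"; then
        echo "$endpoint negotiates TLS 1.2; the client policy is not the problem"
        return 1
    fi

    echo "$endpoint does not offer TLS 1.2; applying the fix from the post"
    update-crypto-policies --set LEGACY && systemctl restart sssd
}
```

Because LEGACY re-enables TLS 1.0 and 1.1 for every consumer of the system policy, not just SSSD, the probe step is the check worth keeping: if the directory server already speaks TLS 1.2, the DEFAULT policy can stay in place and the cause lies elsewhere.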
