Operating System and Software
Problem
- SSSD is unable to work with ldaps.
- SSSD fails to start with the error “Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol”
May 24 09:56:57 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
How to Fix
- This is expected behavior in the Rocky Linux 8 release. Refer to the following documentation for more details: 7.4. Security
- This can be fixed by running the following command on Rocky Linux 8, which switches the system-wide cryptographic policy to the LEGACY level to allow the use of the deprecated protocols:
# update-crypto-policies --set LEGACY
Origin of the Problem
- The following error appears because, in Rocky Linux 8, the TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level.
May 24 09:56:57 AIXJENKINSDEV01 sssd[be[LDAP]][2452]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
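
A triage sketch for the cause described above, added as an example and not part of the original article: it scans journal lines for the error code, lists the affected SSSD domains, and relates the result to the active crypto policy. The function names, the `CORP` domain, and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample journal lines; only the first comes from the article.
sample_log() {
cat <<'EOF'
May 24 09:56:57 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
May 24 09:57:03 testsystem sssd[be[LDAP]][1234]: Backend is offline
May 24 10:02:11 testsystem sssd[be[CORP]][1301]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
EOF
}

# Read log lines on stdin; print each SSSD domain (the name inside be[...])
# whose backend logged the unsupported-protocol error, one per line.
affected_domains() {
  grep -F 'error:1425F102' |
    sed -n 's/.*sssd\[be\[\([^]]*\)]].*/\1/p' | sort -u
}

# Active system-wide policy, or "unknown" where the tool is not installed.
current_policy() {
  if command -v update-crypto-policies >/dev/null 2>&1; then
    update-crypto-policies --show
  else
    echo unknown
  fi
}

# Usage: triage POLICY < log
#   tls-version-mismatch: the policy refuses TLS 1.0/1.1, so the LDAP
#                         server is offering nothing newer to these domains
#   error-under-legacy:   the error persists although LEGACY is set
# Assumption: FUTURE and FIPS are treated like DEFAULT, being stricter levels.
triage() {
  domains=$(affected_domains | tr '\n' ' ')
  domains=${domains% }
  if [ -z "$domains" ]; then echo "no-match"; return 0; fi
  case $1 in
    DEFAULT*|FUTURE*|FIPS*) echo "tls-version-mismatch: $domains" ;;
    LEGACY*) echo "error-under-legacy: $domains" ;;
    *) echo "policy-unknown: $domains" ;;
  esac
}

sample_log | triage "$(current_policy)"
```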