In Rocky Linux 8, SSSD fails to start with an error “Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol”
Danila Vershinin
Operating System and Software
Rocky Linux 8
sssd
Problem
SSSD is unable to talk to the LDAP server over ldaps://. The LDAP backend fails to start, and the journal shows OpenSSL refusing the TLS handshake with "Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol":
May 24 09:56:57 testsystem sssd[be[LDAP]][1234]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
How to Fix
This is expected behaviour in Rocky Linux 8 (it inherits the RHEL 8 system-wide cryptographic policies). See the Rocky Linux 8 documentation, section 7.4. Security, for details.
The quickest workaround is to switch the system-wide cryptographic policy to the LEGACY level, which re-enables the deprecated TLS 1.0 and TLS 1.1 protocols that the LDAP server is still using:
# update-crypto-policies --set LEGACY
Policies are applied when an application starts, so restart SSSD (or reboot) afterwards, and confirm the active level with `update-crypto-policies --show`. Be aware that LEGACY weakens every TLS client and server on the host, not just SSSD: in addition to TLS 1.0/1.1 it allows DTLS 1.0, 3DES, RC4, DSA and 1024-bit RSA/DH keys. Treat it as a stopgap; the proper fix is to enable TLS 1.2 (or later) on the LDAP server and return the client to DEFAULT. On Rocky Linux 8.2 and later, a custom policy module applied with `update-crypto-policies --set DEFAULT:<MODULE>` can re-enable only the TLS 1.0/1.1 protocols rather than the whole LEGACY set; see the update-crypto-policies(8) man page for the module syntax, which differs between crypto-policies releases.
Origin of the Problem
The error is seen because in Rocky Linux 8 the TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level, so OpenSSL on the client only accepts TLS 1.2 and 1.3. When the LDAP server selects TLS 1.0 or 1.1 during the handshake, OpenSSL 1.1.1 rejects the version it chose with "ssl_choose_client_version:unsupported protocol", and SSSD reports it as the following failure. In other words the client is fine; the server is limited to protocols the client no longer allows:
May 24 09:56:57 AIXJENKINSDEV01 sssd[be[LDAP]][2452]: Could not start TLS encryption. error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
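Before relaxing the policy for the whole host it is worth confirming that this mismatch is really the cause. The script below is an added example, not part of the original article: it reads the minimum TLS version the active policy makes OpenSSL enforce, probes the LDAPS server for the highest version it accepts, and compares the two. It assumes the policy's OpenSSL back-end file is /etc/crypto-policies/back-ends/opensslcnf.config and names the minimum as "MinProtocol" or "TLS.MinProtocol" (the key spelling changed between crypto-policies releases); OPENSSL_CONF=/dev/null is used on the assumption that the policy reaches the openssl command only through the system openssl.cnf include, so that the probe reflects the server rather than the local client. The host name and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the DEFAULT
# policy's minimum TLS version is what blocks the handshake with the LDAP
# server before switching the host to LEGACY.

# Minimum TLS version the active policy makes OpenSSL enforce, e.g. "TLSv1.2".
# Optional argument: path to the back-end config (assumed location below;
# a different path is handy for testing offline).
openssl_min_protocol() {
    cfg="${1:-/etc/crypto-policies/back-ends/opensslcnf.config}"
    sed -n -E 's/^[[:space:]]*(TLS\.)?MinProtocol[[:space:]]*=[[:space:]]*([^[:space:]]+).*$/\2/p' "$cfg" | head -n 1
}

# Map the version spellings used by the policy file ("TLSv1.1"), by
# openssl s_client ("tls1_1") and by crypto-policies ("TLS1.1") onto one
# comparable number; unknown input ranks below everything.
tls_rank() {
    case "$1" in
        TLSv1|tls1|TLS1.0)      echo 10 ;;
        TLSv1.1|tls1_1|TLS1.1)  echo 11 ;;
        TLSv1.2|tls1_2|TLS1.2)  echo 12 ;;
        TLSv1.3|tls1_3|TLS1.3)  echo 13 ;;
        *)                      echo 0 ;;
    esac
}

# Exit 0 when the highest version the server accepts ($2) is below the
# minimum the client policy enforces ($1): the "unsupported protocol" case.
policy_blocks_server() {
    [ "$(tls_rank "$2")" -lt "$(tls_rank "$1")" ]
}

# Highest TLS version the LDAPS server accepts, probed with openssl s_client
# from newest to oldest. OPENSSL_CONF=/dev/null (assumption: the policy is
# pulled in via the system openssl.cnf include) keeps the local policy out
# of the probe, so "rejected" means the server refused. Needs network access.
ldaps_max_protocol() {
    host="$1"; port="${2:-636}"
    for v in tls1_3 tls1_2 tls1_1 tls1; do
        if echo | OPENSSL_CONF=/dev/null openssl s_client -connect "$host:$port" "-$v" >/dev/null 2>&1; then
            echo "$v"
            return 0
        fi
    done
    echo none
    return 1
}

# Usage: ./check-ldaps-tls.sh ldap.example.com 636   (placeholder host/port)
if [ "$#" -ge 1 ]; then
    min="$(openssl_min_protocol)"
    max="$(ldaps_max_protocol "$1" "${2:-636}")"
    echo "active policy: $(update-crypto-policies --show)"
    echo "client minimum: $min, server maximum: $max"
    if policy_blocks_server "$min" "$max"; then
        echo "the crypto policy blocks this handshake: enable TLS 1.2 on the server, or relax the policy as a stopgap"
    else
        echo "the policy is not the limiting factor: check ldap_uri, the CA bundle and the server certificate instead"
    fi
fi
```

If the server maximum comes back as tls1_2 or tls1_3 while SSSD still fails, switching to LEGACY will not help and the cause lies elsewhere (certificate validation, ldap_uri, or the CA in ldap_tls_cacert).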