This issue occurs because NSX 4.1 disables the older, insecure TLS cipher suites in the proton service. If the LDAP server is an older version that does not support the more secure cipher suites that NSX now uses, connections may fail. LDAP servers must also support at least TLS version 1.2, or connections will fail. TLS versions 1.1 and earlier are now considered insecure and NSX does not support them by default.
- IDFW uses the proton service for its LDAP connections, so this issue can also cause IDFW failures.
- User login/logout events do not use proton but a separate service, and are not affected by the cipher suite change.
- LDAP server connection status uses the proton service and is therefore affected by the cipher suite change.
Cipher suites now used by VMware NSX 4.1 and onwards:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher suites used by previous versions of VMware NSX:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
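A quick way to confirm whether an LDAP server will accept the client hello described above is to attempt a handshake that offers only the two NSX 4.1 suites and TLS 1.2 or later. The script below is an added example written for this article, not VMware or NSX code. It assumes the LDAP server listens for LDAPS on port 636 (StartTLS on port 389 is not covered), maps the IANA suite names from the lists above to the OpenSSL names Python's `ssl` module expects, and uses a placeholder hostname; `compatible_suites()` is a helper that reproduces the negotiation outcome offline from a list of suites a server is known to support, and the suite lists it is fed in `main` are constructed samples.

```python
"""Check whether an LDAPS server can complete a TLS handshake with the cipher
suites and minimum TLS version that NSX 4.1 offers.

Constructed diagnostic example for the KB text above; not VMware code.
"""
import socket
import ssl
import sys
from typing import Dict, Iterable, List

# The two suites NSX 4.1 and later offer (IANA name -> OpenSSL name).
NSX_41_SUITES: Dict[str, str] = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def nsx_client_context() -> ssl.SSLContext:
    """Build a client context that mimics the NSX 4.1 proton client hello:
    TLS 1.2 or newer, and only the two AES-256-GCM ECDHE suites.
    Server certificate validation stays on, as it does in the real client."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(NSX_41_SUITES.values()))
    return ctx


def tls12_offered_suites(ctx: ssl.SSLContext) -> List[str]:
    """OpenSSL names of the TLS 1.2 suites the context will put in its hello
    (TLS 1.3 suites are listed separately by OpenSSL and are left out here)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def compatible_suites(server_suites: Iterable[str]) -> List[str]:
    """Offline model of the negotiation: the IANA suites both NSX 4.1 and the
    server support, in NSX's preference order. An empty list means the
    handshake will fail with a 'no shared cipher' style error."""
    supported = set(server_suites)
    return [s for s in NSX_41_SUITES if s in supported]


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> Dict[str, object]:
    """Attempt the handshake against a live LDAPS server and report either the
    negotiated protocol/cipher or the reason the connection failed."""
    ctx = nsx_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # Separate finding: the LDAP server certificate is not trusted.
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except ssl.SSLError as exc:
        # Typical symptom of a server that lacks TLS 1.2 or the two GCM suites.
        return {"ok": False, "reason": f"handshake failed: {exc.reason}"}
    except OSError as exc:
        return {"ok": False, "reason": f"TCP error: {exc}"}


if __name__ == "__main__":
    # Constructed sample: a legacy server that offers only CBC / RSA-kx suites
    # from the pre-4.1 list, and a current server that offers a GCM ECDHE suite.
    legacy_server = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]
    current_server = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
    print("legacy server  ->", compatible_suites(legacy_server) or "NO COMMON SUITE, connection fails")
    print("current server ->", compatible_suites(current_server))
    print("client hello offers:", tls12_offered_suites(nsx_client_context()))
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"  # placeholder host
    print(f"probe {host}:636 ->", probe_ldaps(host))
```

Run it with the LDAP server's hostname as the first argument; a result of `handshake failed` with both GCM suites present in the client hello points at the server side (TLS version or cipher support), while a `certificate rejected` result is a separate trust problem to resolve before retesting.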
The packet capture below shows the client hello from the VMware NSX Manager offering only these two cipher suites: