Symptoms:

• After upgrading to Cloud Director 10.2.2 or later LDAPS connectivity failure is experienced.
• Network connectivity checks from the Cloud Director Cells to the domain controllers show no problems and the required network ports are open.
• When configuring a new LDAPS connection you see the following error displayed:

• In the vcloud-container-debug log you see errors similar to the following

VMware Cloud Director 10.x

For enhanced security Cloud Director 10.2.2 by default has four SSL ciphers enabled. This is a change from the previous releases where further SSL ciphers were enabled by default.

The four ciphers enabled are:
 
This LDAPS connectivity issue arises when the SSL certificate used is no longer able to find a compatible cipher to encrypt the connection.

Option 1) System administrators should consider replacing the current SSL certificate used for the LDAPS connection to ensure that a certificate compatible with the four cipher suites enabled by default is used.

Option 2) System administrators can use the cell management tool to explicitly enable other weaker supported cipher suites that are disabled by default if they wish. This can performed in a rolling fashion across the VCD Cells to avoid downtime.

The below example enables the configuration to match the default settings found in Cloud Director 10.2.1. 

1. SSH to the first Cloud Director Cell and use the Cell Management Tool to see the current configuration.

2. Change the configuration to match the default settings found in Cloud Director 10.2.1 using these two command.

3. Check the allowed cipher list is updated.

4. Restart the cell. 
5. Repeat steps 1 - 4 for each VCD Cell in the environment.

WARNING - The process above will enable the below ciphers which are weak and have known vulnerabilities to CBC (Cipher Block Chaining) and cipher suites that use non-randomized padding: