Bug#912206: freerdp2-x11: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-1

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Mon Oct 29 14:13:26 GMT 2018


Hi,

On Mon, 29 Oct 2018 09:34:54 CET, Kevin Locke wrote:

> Package: freerdp2-x11
> Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
> Severity: normal
>
> Dear Maintainer,
>
> After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
> able to connect to a computer running Remote Desktop Services on Windows
> Server 2008 R2 (with default settings as far as I am aware) using TLS
> security.  Connection fails with the following messages:
>
>     [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
>     [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
>
> Downgrading libssl1.1 to 1.1.0h-4 fixes the issue.  To further diagnose
> the cause, I noticed that the server sends TCP RST in response to the
> SSL Client Hello message.  After some trial and error, I determined that
> this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
> algorithms, which is the case for SECLEVEL=2, which is the default in the
> libssl1.1 Debian package since version 1.1.1~~pre6-1.  To confirm, this
> fails:
>
>     openssl s_client -connect 192.168.0.2:3389
>
> while this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389
>
> For further confirmation that rsa_pkcs1_sha1 is responsible, this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389
>
> while this fails:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389
>
> Applying this discovery, it is possible to make xfreerdp work using:
>
>     xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1
>
> However, since most users are unlikely to figure this out on their own,
> I'd suggest calling SSL_CTX_set_security_level to set the security level
> to 1 or improving the error message to suggest this workaround.
>
> Thanks,
> Kevin

Bernhard from FreeRDP upstream has started working on this and we will
likely provide patches next week.

So, please stay tuned + thanks for reporting this. The problem is
caused by system-wide openssl default settings that have changed
between those two referenced openssl versions. We will try to pin
things down in FreeRDP, so that system-wide defaults don't apply
anymore for FreeRDP.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
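Kevin's diagnosis above (TCP RST at SECLEVEL=2, handshake at SECLEVEL=1) can be reproduced in a few lines with Python's ssl module, which passes the same `DEFAULT@SECLEVEL=n` string to OpenSSL that the `openssl s_client -cipher` and `xfreerdp /tls-ciphers` calls use. This is an added diagnostic example, not code from the bug report or from FreeRDP; the host `192.168.0.2` is the report's address and, like Kevin's s_client test, the probe sends a ClientHello straight to port 3389 without verifying the server certificate.

```python
import socket
import ssl

RDP_PORT = 3389


def make_client_context(security_level: int) -> ssl.SSLContext:
    """Client context pinned to an explicit OpenSSL security level.

    "DEFAULT@SECLEVEL=2" (the Debian libssl1.1 1.1.1 default) removes
    rsa_pkcs1_sha1 from the advertised signature_algorithms; SECLEVEL=1 keeps it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic probe only: mirror `openssl s_client`, which does not verify.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={security_level}")
    return ctx


def classify_failure(exc: BaseException) -> str:
    """Map a connection exception to the symptom Kevin observed."""
    if isinstance(exc, ConnectionResetError):
        return "reset"          # TCP RST in answer to the ClientHello
    if isinstance(exc, ssl.SSLError):
        return "tls_error"      # server answered the handshake but it failed
    if isinstance(exc, OSError):
        return "unreachable"    # refused, timed out, no route
    raise exc


def probe(host: str, security_level: int, port: int = RDP_PORT):
    """Return ("ok", protocol) or (symptom, None) for one security level."""
    ctx = make_client_context(security_level)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except Exception as exc:  # noqa: BLE001 - classified below
        return (classify_failure(exc), None)


def diagnose(level2: str, level1: str) -> str:
    """Combine the two probe symptoms into the verdict from the report."""
    if level2 == "ok":
        return "server accepts SECLEVEL=2 defaults; no workaround needed"
    if level2 == "reset" and level1 == "ok":
        return ("server resets ClientHellos lacking rsa_pkcs1_sha1; "
                "run xfreerdp with /tls-ciphers:DEFAULT@SECLEVEL=1")
    return "failure is not explained by the security level alone"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.2"  # report's server
    results = {lvl: probe(host, lvl)[0] for lvl in (2, 1)}
    print(results, "->", diagnose(results[2], results[1]))
```

A server that only speaks TLS 1.0 will also need `ctx.minimum_version` lowered, which this probe leaves at the library default.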
