Bug#856436: xrdp: client is not connecting when security_layer=tls

Koichiro Iwao meta at vmeta.jp
Tue Mar 7 10:17:21 UTC 2017


Hi Jacco, Dominik, and other maintainers,

I am an upstream xrdp developer. I also encountered this issue.
If my issue and your issue are the same, probably the reason you can't connect is
that the certificate's private key is not accessible by the xrdp daemon. Please
check your private key's permissions.

In Debian, the xrdp daemon is executed with the xrdp user's privileges. However,
the certificate's private key is not accessible by the xrdp user.

Possible solutions are:
- Adjust the permissions/owner of the private key file so it is accessible to the xrdp user
- Add the xrdp user to the ssl-cert group

IMHO, the second solution is better.

Here's what my xrdp process, certificate and private key look like.

$ ps u $(pgrep ^xrdp$)
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
xrdp      2477  0.0  0.2  24020  2180 ?        S    18:36   0:00 /usr/sbin/xrdp

$ ls -l /etc/xrdp
total 268
lrwxrwxrwx 1 root root    36 Mar  7 18:22 cert.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root    38 Mar  7 18:22 key.pem -> /etc/ssl/private/ssl-cert-snakeoil.key

# ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r--r-- 1 root root      997  3月  7 18:09 /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r----- 1 root ssl-cert 1704  3月  7 18:09 /etc/ssl/private/ssl-cert-snakeoil.key <- HERE'S A PROBLEM

On Wed, 01 Mar 2017 01:56:55 +0100 Jacco Kwaaitaal <j.j.b.kwaaitaal at mindfruit.nl> wrote:
> Package: xrdp
> Version: 0.9.1-7
> Severity: normal
>
> Dear Maintainer,
>
> If in xrdp.ini the option security_layer=tls is configured, a client is not
> able to connect.
>
> E.g. on the client-side using rdesktop the following error is displayed:
> 140464326739656:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
> Failed to connect, SSL required by server.
>
> The xrdp.log shows:
> [20170301-01:31:33] [INFO ] A connection received from: -X- port 53758
> [20170301-01:31:33] [DEBUG] Closed socket 12 (AF_INET6 -X- port 3389)
> [20170301-01:31:33] [DEBUG] Closed socket 11 (AF_INET6 -X- port 3389)
> [20170301-01:31:33] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
> [20170301-01:31:33] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
> [20170301-01:31:33] [DEBUG] Security layer: requested 1, selected 1
> [20170301-01:31:33] [DEBUG] Closed socket 12 (AF_INET6 -X- port 3389)
> [20170301-01:31:33] [ERROR] Listening socket is in wrong state, terminating listener
>
> I have tried the option disableSSLv3=true, but that doesn't make any difference.
> Other clients (remmina, xfreerdp, windows remote desktop client) won't work either.
> The cert/key-files have umask 600 owned by root.
> I have tried to explicitly choose non-SSLv3 ciphers with the option
> tls_ciphers=HIGH:-SSLv3, but that didn't work.
>
> It should be possible to reproduce this with a standard Stretch installation.
>
> Best regards,
> Jacco
>
> -- System Information:
> Debian Release: 9.0
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-1-amd64 (SMP w/6 CPU cores)
> Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages xrdp depends on:
> ii  adduser              3.115
> ii  init-system-helpers  1.47
> ii  libc6                2.24-9
> ii  libfuse2             2.9.7-1
> ii  libjpeg62-turbo      1:1.5.1-2
> ii  libopus0             1.2~alpha2-1
> ii  libpam0g             1.1.8-3.5
> ii  libssl1.1            1.1.0e-1
> ii  libx11-6             2:1.6.4-3
> ii  libxfixes3           1:5.0.3-1
> ii  libxrandr2           2:1.5.1-1
> ii  lsb-base             9.20161125
> ii  ssl-cert             1.0.38
>
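The permission check Koichiro describes (the daemon runs as the xrdp user, while the key is root:ssl-cert mode 640), as an added diagnostic script that is not part of the thread or of xrdp itself. It assumes Linux with GNU coreutils (stat -c, readlink -f); the service user "xrdp" and key path /etc/xrdp/key.pem are the defaults from the report, and the fix it prints is the ssl-cert group membership suggested above.

```shell
#!/bin/sh
# Diagnose the failure from the thread: can the account the xrdp daemon
# runs as read the TLS private key? Symlinks are followed, because
# /etc/xrdp/key.pem points into /etc/ssl/private (see the ls output above).
# Assumes Linux with GNU coreutils (stat -c, readlink -f) and id(1).

# key_readable_by USER FILE
# Returns 0 if USER can read FILE according to owner/group/other mode bits,
# 1 otherwise. root always passes (CAP_DAC_OVERRIDE bypasses mode bits).
key_readable_by() {
    user=$1
    target=$(readlink -f "$2") || return 1
    [ -f "$target" ] || return 1
    [ "$user" = root ] && return 0
    set -- $(stat -c '%U %G %a' "$target") || return 1
    owner=$1 group=$2
    mode=$(printf '%s' "$3" | tail -c 3)   # keep rwx digits, drop setuid/setgid/sticky
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$user" ]; then
        [ $((u & 4)) -ne 0 ]; return
    fi
    # Group bits apply if USER is a member of the file's group (e.g. ssl-cert).
    case " $(id -Gn "$user" 2>/dev/null) " in
        *" $group "*) [ $((g & 4)) -ne 0 ]; return ;;
    esac
    [ $((o & 4)) -ne 0 ]
}

# xrdp_key_check [USER] [KEYFILE]: print a verdict and the fix from the thread.
xrdp_key_check() {
    svc=${1:-xrdp}; key=${2:-/etc/xrdp/key.pem}
    real=$(readlink -f "$key")
    if key_readable_by "$svc" "$key"; then
        echo "OK: $svc can read $real"
    else
        echo "PROBLEM: $svc cannot read $real ($(stat -c '%U:%G %a' "$real" 2>/dev/null))"
        echo "  fix: usermod -aG $(stat -c %G "$real" 2>/dev/null || echo ssl-cert) $svc, then restart xrdp"
        return 1
    fi
}
```

Run `xrdp_key_check` as root on the affected host; a PROBLEM verdict on a root:ssl-cert 640 key is exactly the state shown in the ls output above.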