Bug#860890: needs ssl-cert membership, does not report the error

Marc Haber mh+debian-packages at zugschlus.de
Fri Apr 21 12:38:50 UTC 2017


Package: xrdp
Version: 0.9.1-7
Severity: normal

Hi,

I have recently tried to use xrdp with TLS. With delight, I saw that the
package already comes with the normal snake oil certs configured, so I
went ahead and set security_layer=tls in xrdp.ini, only to find myself
unable to connect any more.

xrdp's log entries are inconclusive:
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42286
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Security layer: requested 3, selected 1
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42288
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Security layer: requested 1, selected 1
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42290
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Security layer: requested 0, selected 1
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener

After seeing that xrdp is not running as root, I addusered xrdp to
ssl-cert on a hunch, which solved the issue.

At the very least, it should be mentioned in README.Debian that to use
SSL one needs to add the xrdp user to the ssl-cert group. Ideally, xrdp
would also complain in the logs when it is unable to open the ssl
private key file.

Please also think about documenting whether security_layer=tls will
force TLS to be used or whether a fallback to a lesser security layer
will occur. It would also be nice if the meaning of "Security layer:
requested 0, selected 1" was documented.

Greetings
Marc

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xrdp depends on:
ii  adduser              3.115
ii  init-system-helpers  1.47
ii  libc6                2.24-10
ii  libfuse2             2.9.7-1
ii  libjpeg62-turbo      1:1.5.1-2
ii  libopus0             1.2~alpha2-1
ii  libpam0g             1.1.8-3.5
ii  libssl1.1            1.1.0e-1
ii  libx11-6             2:1.6.4-3
ii  libxfixes3           1:5.0.3-1
ii  libxrandr2           2:1.5.1-1
ii  lsb-base             9.20161125
ii  ssl-cert             1.0.38

Versions of packages xrdp recommends:
ii  fuse      2.9.7-1
ii  xorgxrdp  0.9.1-7

Versions of packages xrdp suggests:
pn  guacamole  <none>

Versions of packages xorgxrdp depends on:
ii  libc6                                  2.24-10
pn  xorg-input-abi-24                      <none>
ii  xserver-xorg-core [xorg-video-abi-23]  2:1.19.3-1

Versions of packages xorgxrdp recommends:
ii  xorg  1:7.7+18

Versions of packages xrdp is related to:
pn  vnc-server           <none>
pn  xserver-xorg-legacy  <none>
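The report above asks for exactly one thing from the daemon: when the private key cannot be opened, say so in the log, with enough detail that the admin does not have to guess at group membership. The following is an added example written for this page, not code from xrdp or the Debian package. It assumes a helper name of its own choosing (open_key_or_explain) and uses /etc/xrdp/key.pem, the path from the log lines above, only as the demonstration argument in main(). On EACCES it compares the file's owner, group and mode against the calling process's effective uid/gid and supplementary groups, so a daemon running as an unprivileged user that is missing from ssl-cert produces a message naming that gap instead of the unrelated "Listening socket is in wrong state" seen in the report.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if gid is the process's effective gid or one of its
 * supplementary groups, 0 otherwise. A fixed buffer keeps this
 * allocation-free; 256 exceeds NGROUPS_MAX on Linux (65536 is the
 * kernel limit, but real services have far fewer). */
static int process_in_group(gid_t gid)
{
    gid_t groups[256];
    int n;

    if (gid == getegid())
        return 1;
    n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);
    if (n < 0)
        return 0;               /* too many groups to inspect; be conservative */
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Try to open `path` read-only (as a TLS private key would be opened).
 * On success returns the descriptor (>= 0) and leaves buf empty.
 * On failure returns -1 and writes an actionable diagnostic into buf:
 * for EACCES it adds the file's mode/owner/group and whether the process
 * belongs to that group, which is the piece of information the admin in
 * the report had to discover by trial and error. */
int open_key_or_explain(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);

    if (fd >= 0) {
        buf[0] = '\0';
        return fd;
    }

    int err = errno;            /* save before stat()/getgrgid() clobber it */

    if (err == EACCES && stat(path, &st) == 0) {
        struct group *gr = getgrgid(st.st_gid);
        snprintf(buf, buflen,
                 "cannot open %s: %s (file mode %04o, owner uid %lu, "
                 "group %s (gid %lu); process runs as uid %lu gid %lu "
                 "and %s a member of that group)",
                 path, strerror(err),
                 (unsigned)(st.st_mode & 07777),
                 (unsigned long)st.st_uid,
                 gr ? gr->gr_name : "?",
                 (unsigned long)st.st_gid,
                 (unsigned long)geteuid(), (unsigned long)getegid(),
                 process_in_group(st.st_gid) ? "is" : "is NOT");
    } else {
        snprintf(buf, buflen, "cannot open %s: %s", path, strerror(err));
    }
    return -1;
}

/* Stand-alone demonstration: report on the default key path from the log. */
int main(void)
{
    char msg[512];
    int fd = open_key_or_explain("/etc/xrdp/key.pem", msg, sizeof msg);

    if (fd < 0) {
        fprintf(stderr, "[ERROR] %s\n", msg);
        return 1;
    }
    close(fd);
    puts("[INFO ] private key is readable by this process");
    return 0;
}
```

In a daemon the string would go to the existing logger at ERROR level right where the key is loaded, before the security layer is negotiated; the check is cheap and only runs on the failure path, so it adds nothing to the normal startup.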
