Bug#912206: freerdp2-x11: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-1

Kevin Locke kevin at kevinlocke.name
Mon Oct 29 08:34:54 GMT 2018

Package: freerdp2-x11
Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
Severity: normal

Dear Maintainer,

After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
able to connect to a computer running Remote Desktop Services on Windows
Server 2008 R2 (with default settings as far as I am aware) using TLS
security.  Connection fails with the following messages:

    [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
    [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

Downgrading libssl1.1 to 1.1.0h-4 fixes the issue.  To further diagnose
the cause, I noticed that the server sends TCP RST in response to the
SSL Client Hello message.  After some trial and error, I determined that
this occurs whenever rsa_pkcs1_sha1 in not the offered signature
algorithms, which is the case for SECLEVEL=2 which is the default in the
libssl1.1 Debian package since version 1.1.1~~pre6-1.  To confirm, this

    openssl s_client -connect

while this works:

    openssl s_client -cipher DEFAULT at SECLEVEL=1 -connect

For further confirmation that rsa_pkcs1_sha1 is responsible, this works:

    openssl s_client -cipher DEFAULT at SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect

while this fails:

    openssl s_client -cipher DEFAULT at SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect

Applying this discovery, it is possible to make xfreerdp work using:

    xfreerdp /tls-ciphers:DEFAULT at SECLEVEL=1

However, since most users are unlikely to figure this out on their own,
I'd suggest calling SSL_CTX_set_security_level to set the security level
to 1 or improving the error message to suggest this workaround.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freerdp2-x11 depends on:
ii  libc6                 2.27-6
ii  libfreerdp-client2-2  2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libfreerdp2-2         2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libwinpr2-2           2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libx11-6              2:1.6.7-1
ii  libxcursor1           1:1.1.15-1
ii  libxext6              2:1.3.3-1+b2
ii  libxfixes3            1:5.0.3-1
ii  libxi6                2:1.7.9-1
ii  libxinerama1          2:1.1.4-1
ii  libxrandr2            2:1.5.1-1
ii  libxrender1           1:0.9.10-1
ii  libxv1                2:1.0.11-1

freerdp2-x11 recommends no packages.

freerdp2-x11 suggests no packages.

-- no debconf information

More information about the pkg-remote-team mailing list