www.cendio.com
Bug 4347 - Add support for TLS and protocol negotiation
Status: CLOSED FIXED
Product: ThinLinc
Component: rdesktop
Version: 3.4.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.0.0
Reported: 2012-06-20 12:22
Modified: 2012-11-28 12:35

Description From cendio 2012-06-20 12:22:43
This is part of adding NLA (Network Level Authentication) and Kerberos
support to the rdesktop project.
------- Comment #1 From cendio 2012-06-20 12:25:49 -------
*** Bug 2554 has been marked as a duplicate of this bug. ***
------- Comment #2 From cendio 2012-06-20 12:27:05 -------
Commit r1659 in upstream project adds support for protocol negotiation 
and SSL/TLSv1.
------- Comment #3 From cendio 2012-06-20 12:38:56 -------
Tester should test rdesktop connections to old (Windows XP) and
new Windows 2008R2 to verify seamless functionality.

If protocol negotiation is not supported, a fallback using the
"old way" of connecting is selected.

Also on the Windows2008R2 side you can choose to force use of SSL:

1. Go to Server Manager->Remote Desktop Services->RD Session Host Configuration

2. Double-click the "RDP-tcp" connection item and on the General tab select
   the "SSL (TLS 1.0)" value for security layer
------- Comment #4 From cendio 2012-06-26 11:07:54 -------
Commit r1659 broke seamlessrdp functionality, even if I force
the fallback to the plain RDP protocol, which is strange..
------- Comment #5 From cendio 2012-06-29 08:39:34 -------
The breakage of seamless mode is related to a race isolated to
seamless_restack_test() which leaves xlib events that are not handled;
a fix upstream that waits for DestroyNotify solves the issue.

Fixed in upstream commit r1663
------- Comment #6 From cendio 2012-10-23 14:10:08 -------
Some initial testing with Windows Server 2003 R2. It does not have a cert by
default. As testing, I first tried the Go Daddy code signing cert. This does
not show up in the TS configuration, since it's not a server auth cert. Then, I
tried eudemo.thinlinc.com. Imported
/home/astrand/customers/cendio/eudemo/foo.p12. Then, when I'm connecting with
rdesktop, I get:


[astrand@scilla rdesktop]$ ./rdesktop dhcp-254-170 -u user1 -p user1
Autoselected keyboard map sv
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_write: 5 (Brutet rör)
ERROR: SSL_write: 1 (Lyckat)
139635676575592:error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write
retry:s3_pkt.c:826:
ERROR: SSL_write: 5 (Brutet rör)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_write: 1 (Lyckat)

So something is fishy, at least with 2003.
------- Comment #7 From cendio 2012-10-23 14:56:11 -------
(gdb) bt
#0  0x0000003344ce4940 in __write_nocancel () at
../sysdeps/unix/syscall-template.S:82
#1  0x000000334dcaff15 in sock_write (b=0xa1a8f0, in=0xa29023 "\027\003\001",
inl=74) at bss_sock.c:158
#2  0x000000334dcadcf9 in BIO_write (b=0xa1a8f0, in=0xa29023, inl=74) at
bio_lib.c:247
#3  0x0000003352424fc2 in ssl3_write_pending (s=s@entry=0xa1a4f0,
type=type@entry=23, buf=<optimized out>, len=<optimized out>) at s3_pkt.c:837
#4  0x0000003352425444 in do_ssl3_write (s=s@entry=0xa1a4f0,
type=type@entry=23, buf=buf@entry=0x9ffcc0 "\003", len=<optimized out>, 
    create_empty_fragment=create_empty_fragment@entry=0) at s3_pkt.c:809
#5  0x00000033524255b3 in ssl3_write_bytes (s=0xa1a4f0, type=23, buf_=0x9ffcc0,
len=<optimized out>) at s3_pkt.c:604
#6  0x000000000041c0bb in tcp_send (s=0x6c2a60) at tcp.c:129
#7  0x000000000041cb86 in iso_send (s=<optimized out>) at iso.c:168
#8  0x000000000041d2e3 in mcs_send_to_channel (s=<optimized out>,
channel=channel@entry=1003) at mcs.c:333
#9  0x000000000041e509 in sec_send_to_channel (s=<optimized out>,
flags=<optimized out>, channel=channel@entry=1003) at secure.c:358
#10 0x000000000041e5da in sec_send (s=<optimized out>, flags=<optimized out>)
at secure.c:370
#11 0x000000000041f6a4 in rdp_send_data (s=<optimized out>,
data_pdu_type=data_pdu_type@entry=28 '\034') at rdp.c:174
#12 0x000000000041ff60 in rdp_send_input (time=time@entry=0,
message_type=message_type@entry=0, device_flags=device_flags@entry=0,
param1=<optimized out>, param2=param2@entry=0)
    at rdp.c:540
#13 0x0000000000420bec in process_demand_active (s=0x6c2ac0) at rdp.c:1060
#14 rdp_loop (deactivated=deactivated@entry=0x7fffffffd9a0,
ext_disc_reason=ext_disc_reason@entry=0x7fffffffd9a4) at rdp.c:1608
#15 0x000000000042163f in rdp_connect (server=server@entry=0x7fffffffda70
"dhcp-254-170", flags=flags@entry=59, domain=domain@entry=0x7fffffffdbd0 "", 
    password=password@entry=0x7fffffffdaf0 "user1",
command=command@entry=0x7fffffffdcd0 "",
directory=directory@entry=0x7fffffffddd0 "", reconnect=0) at rdp.c:1647
#16 0x0000000000406f82 in main (argc=<optimized out>, argv=<optimized out>) at
rdesktop.c:1006
------- Comment #8 From cendio 2012-10-29 09:06:26 -------
(In reply to comment #6)
> Some initial testing with Windows Server 2003 R2. It does not have a cert by
> default. As testing, I first tried the Go Daddy code signing cert. This does
> not show up in the TS configuration, since it's not a server auth cert. Then, I
> tried eudemo.thinlinc.com. Imported
> /home/astrand/customers/cendio/eudemo/foo.p12. Then, when I'm connecting with
> rdesktop, I get:
> 
> 
> [astrand@scilla rdesktop]$ ./rdesktop dhcp-254-170 -u user1 -p user1
> Autoselected keyboard map sv
> WARNING: Remote desktop does not support colour depth 24; falling back to 16
> ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
> ERROR: SSL_read: 5 (Lyckat)
> ERROR: SSL_read: 5 (Lyckat)
> ERROR: SSL_write: 5 (Brutet rör)
> ERROR: SSL_write: 1 (Lyckat)
> 139635676575592:error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write
> retry:s3_pkt.c:826:
> ERROR: SSL_write: 5 (Brutet rör)
> ERROR: SSL_read: 5 (Lyckat)
> ERROR: SSL_write: 1 (Lyckat)
> 
> So something is fishy, at least with 2003.

This is fixed upstream in commit r1672 and is now vendor dropped and
committed in r26082.
------- Comment #9 From cendio 2012-10-30 11:38:19 -------
Tests on Windows Server 2003 R2 x86:

Layer=RDP, Level=Low: 
Works but with warnings:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.

Is this expected? (#1)


Layer=RDP, Level=Compatible:
As above. 


Layer=RDP, Level=High:
As above. 


Layer=RDP, Level=Fips:
Does not work:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
ERROR: recv: Förbindelse borttagen av partnern
ERROR: send: Brutet rör

Is this expected? (#2)


Layer=Nego, Level=Low:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.

Same as #1. 


Layer=Nego, Level=Compatible:
Login ok, but after logout:
ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
ERROR: SSL_write: 5 (Brutet rör)

Is this expected? (#3)


Layer=Nego, Level=High:
As above. 


Layer=Nego, Level=Fips:
As above. 


Layer=SSL, Level=Compatible:
As above. 


Layer=SSL, Level=High:
As above. 


Layer=SSL, Level=Fips:
As above. 


Should any or all of the 3 problems above be solved now, or moved to later
bugs?
------- Comment #10 From cendio 2012-10-30 13:00:02 -------
http://support.microsoft.com/kb/811833

Describes FIPS with RDP:

"
 - The RDP channel is encrypted by using the 3DES algorithm in Cipher Block
   Chaining (CBC) mode with a 168-bit key length.
 - The SHA-1 algorithm is used to create message digests.
 - Clients must use the RDP 5.2 client program or a later version to connect.
"
------- Comment #11 From cendio 2012-10-30 13:59:01 -------
(In reply to comment #9)
> WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
> (error 0x2),
> WARNING: retrying without negotiation using plain RDP protocol.
> 
> Is this expected? (#1)

Moved to bug 4451. 


> Layer=RDP, Level=Fips:
> Does not work:
> WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
> (error 0x2),
> WARNING: retrying without negotiation using plain RDP protocol.
> ERROR: recv: Förbindelse borttagen av partnern
> ERROR: send: Brutet rör
> 
> Is this expected? (#2)

As comment #10 points out, this is expected, since we do not support that
encryption. Not a regression. 


> Layer=Nego, Level=Compatible:
> Login ok, but after logout:
> ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
> ERROR: SSL_write: 5 (Brutet rör)
> 
> Is this expected? (#3)

Moved to bug 4452. 


Testing of 2008 R2 and XP remains.
------- Comment #12 From cendio 2012-10-30 14:22:46 -------
Tests on Windows Server 2008 R2 x64, default automatic cert:

Layer=RDP, Level=Low: 
Ok, warning about fallback. 


Layer=RDP, Level=Compatible:
Ok, warning about fallback. 


Layer=RDP, Level=High:
Ok, warning about fallback. 


Layer=RDP, Level=Fips:
Fails as expected. 


Layer=Nego, Level=Low:
Not allowed!


Layer=Nego, Level=Compatible:
Ok. 


Layer=Nego, Level=High:
Ok. 


Layer=Nego, Level=Fips:
Works, no warnings. 


Layer=SSL, Level=Compatible:
Works, no warnings. 


Layer=SSL, Level=High:
Works, no warnings. 


Layer=SSL, Level=Fips:
Works, no warnings. 

Also tried the eudemo cert, also works. 

Also tried enabling NLA enforcing. Then I got:

WARNING: RDP protocol negotiation failed with reason: hybrid authentication
(CredSSP) required by server (error 0x5),
WARNING: retrying without negotiation using plain RDP protocol.
ERROR: recv: Förbindelse borttagen av partnern

Fair enough. Closing.
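The negotiation outcomes seen in the tests above (error 0x2 on 2003 R2, error 0x5 with NLA enforced, a clean TLS selection on 2008 R2) and the plain-RDP fallback described in comment #3, as an added example that is not rdesktop's or ThinLinc's code: a decoder for the rdpNegData the server returns in its X.224 Connection Confirm, with constructed sample packets. Packet layout and failure codes follow MS-RDPBCGR; the reason strings mirror the rdesktop warnings quoted on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not rdesktop code: decode the rdpNegData that the server
 * returns in its X.224 Connection Confirm (MS-RDPBCGR) and map a failure
 * to the reason rdesktop prints, e.g. "SSL not allowed by server (error 0x2)".
 * Codes other than 0x2 and 0x5 come from the MS-RDPBCGR failureCode table. */
struct neg_result {
    int status;         /* 0 decoded, 1 no rdpNegData (legacy server), -1 malformed */
    uint32_t protocol;  /* selectedProtocol: 0 RDP, 1 SSL/TLS, 2 HYBRID (CredSSP) */
    uint32_t failure;   /* failureCode, 0 when negotiation succeeded */
};
const char *neg_failure_reason(uint32_t code)
{
    switch (code) {
    case 1: return "SSL required by server";
    case 2: return "SSL not allowed by server";
    case 3: return "SSL certificate not on server";
    case 4: return "inconsistent flags";
    case 5: return "hybrid authentication (CredSSP) required by server";
    case 6: return "SSL with user authentication required by server";
    default: return "unknown failure code";
    }
}

/* pkt: TPKT header (4 bytes) + X.224 CC-TPDU; rdpNegData, if present, starts
 * at offset 11: type(1) flags(1) length(2, LE, = 8) value(4, LE). */
struct neg_result parse_neg_response(const uint8_t *pkt, size_t len)
{
    struct neg_result r = { -1, 0, 0 };
    if (len < 11 || pkt[0] != 3) return r;                 /* TPKT version 3 */
    if ((((size_t)pkt[2] << 8) | pkt[3]) != len) return r; /* TPKT length field */
    if (pkt[5] != 0xd0) return r;                          /* 0xd0 = Connection Confirm */
    if (pkt[4] == 6) { r.status = 1; return r; }           /* LI 6: no rdpNegData */
    if (pkt[4] != 14 || len < 19) return r;                /* LI 14: 6 + 8 bytes rdpNegData */
    if ((pkt[13] | (pkt[14] << 8)) != 8) return r;         /* rdpNegData.length must be 8 */
    uint32_t val = (uint32_t)pkt[15] | ((uint32_t)pkt[16] << 8)
                 | ((uint32_t)pkt[17] << 16) | ((uint32_t)pkt[18] << 24);
    if (pkt[11] == 0x02) { r.status = 0; r.protocol = val; }      /* TYPE_RDP_NEG_RSP */
    else if (pkt[11] == 0x03) { r.status = 0; r.failure = val; }  /* TYPE_RDP_NEG_FAILURE */
    return r;
}

/* Constructed samples (not captures): a 2003 R2 host answering with
 * failureCode 0x2, and a 2008 R2 host selecting PROTOCOL_SSL (1). */
const uint8_t SAMPLE_SSL_NOT_ALLOWED[19] = { 0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00,
    0x12, 0x34, 0x00, 0x03, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_TLS_SELECTED[19] = { 0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00,
    0x12, 0x34, 0x00, 0x02, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00 };
```

A status of 1 or a failureCode of 0x2 is exactly the situation in which rdesktop retries over plain RDP, which is a downgrade from TLS; keeping that decision visible, as rdesktop's WARNING lines do, is what lets an operator notice a server that never offers TLS.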
------- Comment #13 From cendio 2012-11-07 17:32:29 -------
I think we got a regression while implementing this bug:

* Start client
* Log in to WTS with tl-run-windesk
* Resize client window

Expected behavior:
* Windows desktop resizes to the new client window size.
  This is the behavior of ThinLinc 3.4.0 (as on tl.cendio.se)

Actual behavior:
* rdesktop doesn't change size; the rdesktop window disappears and the
following error messages are displayed in the terminal.

$ tl-run-windesk
share name usbdisk0 truncated to usbdisk
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
(28x) /dev/dsp: Connection refused
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
NOT IMPLEMENTED: PDU 13
ERROR: recv: Connection reset by peer
 Connection error: The connection to the Remote Desktop failed with error 76:
share name usbdisk0 truncated to usbdisk
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
(28x) /dev/dsp: Connection refused
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
(error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
NOT IMPLEMENTED: PDU 13
ERROR: recv: Connection reset by peer
------- Comment #14 From cendio 2012-11-08 13:23:12 -------
(In reply to comment #13)

This is fixed upstream in commit 1673 and the vendor drop committed in 26147.
------- Comment #15 From cendio 2012-11-12 13:09:52 -------
(In reply to comment #12)
> Tests on Windows Server 2008 R2 x64, default automatic cert:

I've repeated all these tests, due to the license fix. Works as before.

Wrt resizes, it has some problems, but opening up bug 4473 for this.