Since bug 4347, rdesktop supports TLS. However, we have only implemented the encryption part of it. As MS says at http://technet.microsoft.com/en-us/library/cc782610.aspx:
"TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications."
For reference, Microsofts client complains about bad certificates by default. Tested on Windows 8 (both an independent machine, and one joined to the same domain as the WTS).
Hah. Full marks to Microsoft. The certificate check is done _after_ you send the password to the server. At which point you're already screwed.
Noticed this on the Windows 8 machine where it told me I gave the wrong password and I had to reenter it. Only after I entered the correct one would it present me with the "bad cert" dialog.
Hopefully the protocol isn't this broken and we can do better.
Another data point from mstsc: If it authenticates the server using Kerberos, then it won't present the user with a dialog that the certificate is bad.
rdesktop (and associated tools) is being removed from the ThinLinc product.