This is part of adding NLA (Network Level Authentication) and Kerberos support to the rdesktop project.
*** Bug 2554 has been marked as a duplicate of this bug. ***
Commit r1659 in upstream project adds support for protocol negotiation and SSL/TLSv1.
Tester should test rdesktop connections to an old (Windows XP) and a new (Windows 2008 R2) server to verify seamless functionality. If protocol negotiation is not supported, a fallback using the "old way" of connecting is selected. Also, on the Windows 2008 R2 side you can choose to force use of SSL:
1. Go to Server Manager -> Remote Desktop Services -> RD Session Host Configuration.
2. Double-click the "RDP-tcp" connection item and, on the General tab, select "SSL (TLS 1.0)" as the security layer.
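The negotiation reply and fallback decision described in this comment, as an added example that is not rdesktop's code: it parses the server's X.224 Connection Confirm (byte layout and failure codes taken from MS-RDPBCGR 2.2.1.2) and permits the plain-RDP retry only where a retry can actually succeed and the user did not insist on TLS. The policy function and its name are assumptions for the example; the input is assumed to be one complete TPKT.

```c
#include <stddef.h>
#include <stdint.h>

enum nego_kind { NEGO_LEGACY, NEGO_RSP, NEGO_FAILURE, NEGO_MALFORMED };

/* failureCode values carried in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2) */
enum { SSL_REQUIRED_BY_SERVER = 1, SSL_NOT_ALLOWED_BY_SERVER = 2,
       SSL_CERT_NOT_ON_SERVER = 3, INCONSISTENT_FLAGS = 4,
       HYBRID_REQUIRED_BY_SERVER = 5 };

struct nego_reply {
    enum nego_kind kind;
    uint32_t value;  /* selectedProtocol (RSP) or failureCode (FAILURE) */
};
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one TPKT holding the server's X.224 Connection Confirm. */
struct nego_reply parse_nego_reply(const uint8_t *pkt, size_t len)
{
    struct nego_reply r = { NEGO_MALFORMED, 0 };
    /* TPKT header: version 3, reserved, 16-bit big-endian total length */
    if (len < 11 || pkt[0] != 3 || ((size_t)pkt[2] << 8 | pkt[3]) != len)
        return r;
    /* X.224: length indicator, then 0xD0 = Connection Confirm */
    if (pkt[5] != 0xD0 || (size_t)pkt[4] + 5 != len)
        return r;
    if (pkt[4] == 6) {            /* nothing appended: server predates negotiation */
        r.kind = NEGO_LEGACY;
        return r;
    }
    /* RDP_NEG_RSP/FAILURE: type(1) flags(1) length(2 LE, always 8) value(4 LE) */
    if (pkt[4] != 14 || pkt[13] != 8 || pkt[14] != 0)
        return r;
    r.value = le32(pkt + 15);
    if (pkt[11] == 0x02)      r.kind = NEGO_RSP;
    else if (pkt[11] == 0x03) r.kind = NEGO_FAILURE;
    return r;
}

/* Assumed policy: 1 if a plain-RDP retry makes sense, 0 otherwise. Never downgrade
 * when the user insisted on TLS; a server demanding CredSSP will only reset a plain retry. */
int plain_rdp_fallback_ok(const struct nego_reply *r, int tls_required)
{
    if (tls_required) return 0;
    if (r->kind == NEGO_LEGACY) return 1;
    return r->kind == NEGO_FAILURE && r->value == SSL_NOT_ALLOWED_BY_SERVER;
}
```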
Commit r1659 broke seamlessrdp functionality, even if I force use of the fallback plain RDP protocol, which is strange.
The breakage of seamless mode is related to a race isolated to seamless_restack_test(), which leaves Xlib events that are not handled; a fix upstream that waits for DestroyNotify solves the issue. Fixed in upstream commit r1663.
Some initial testing with Windows Server 2003 R2. It does not have a cert by default. As a test, I first tried the Go Daddy code signing cert. This does not show up in the TS configuration, since it's not a server auth cert. Then I tried eudemo.thinlinc.com. Imported /home/astrand/customers/cendio/eudemo/foo.p12. Then, when I'm connecting with rdesktop, I get:

[astrand@scilla rdesktop]$ ./rdesktop dhcp-254-170 -u user1 -p user1
Autoselected keyboard map sv
WARNING: Remote desktop does not support colour depth 24; falling back to 16
ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_write: 5 (Brutet rör)
ERROR: SSL_write: 1 (Lyckat)
139635676575592:error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry:s3_pkt.c:826:
ERROR: SSL_write: 5 (Brutet rör)
ERROR: SSL_read: 5 (Lyckat)
ERROR: SSL_write: 1 (Lyckat)

So something is fishy, at least with 2003.
(gdb) bt
#0 0x0000003344ce4940 in __write_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1 0x000000334dcaff15 in sock_write (b=0xa1a8f0, in=0xa29023 "\027\003\001", inl=74) at bss_sock.c:158
#2 0x000000334dcadcf9 in BIO_write (b=0xa1a8f0, in=0xa29023, inl=74) at bio_lib.c:247
#3 0x0000003352424fc2 in ssl3_write_pending (s=s@entry=0xa1a4f0, type=type@entry=23, buf=<optimized out>, len=<optimized out>) at s3_pkt.c:837
#4 0x0000003352425444 in do_ssl3_write (s=s@entry=0xa1a4f0, type=type@entry=23, buf=buf@entry=0x9ffcc0 "\003", len=<optimized out>, create_empty_fragment=create_empty_fragment@entry=0) at s3_pkt.c:809
#5 0x00000033524255b3 in ssl3_write_bytes (s=0xa1a4f0, type=23, buf_=0x9ffcc0, len=<optimized out>) at s3_pkt.c:604
#6 0x000000000041c0bb in tcp_send (s=0x6c2a60) at tcp.c:129
#7 0x000000000041cb86 in iso_send (s=<optimized out>) at iso.c:168
#8 0x000000000041d2e3 in mcs_send_to_channel (s=<optimized out>, channel=channel@entry=1003) at mcs.c:333
#9 0x000000000041e509 in sec_send_to_channel (s=<optimized out>, flags=<optimized out>, channel=channel@entry=1003) at secure.c:358
#10 0x000000000041e5da in sec_send (s=<optimized out>, flags=<optimized out>) at secure.c:370
#11 0x000000000041f6a4 in rdp_send_data (s=<optimized out>, data_pdu_type=data_pdu_type@entry=28 '\034') at rdp.c:174
#12 0x000000000041ff60 in rdp_send_input (time=time@entry=0, message_type=message_type@entry=0, device_flags=device_flags@entry=0, param1=<optimized out>, param2=param2@entry=0) at rdp.c:540
#13 0x0000000000420bec in process_demand_active (s=0x6c2ac0) at rdp.c:1060
#14 rdp_loop (deactivated=deactivated@entry=0x7fffffffd9a0, ext_disc_reason=ext_disc_reason@entry=0x7fffffffd9a4) at rdp.c:1608
#15 0x000000000042163f in rdp_connect (server=server@entry=0x7fffffffda70 "dhcp-254-170", flags=flags@entry=59, domain=domain@entry=0x7fffffffdbd0 "", password=password@entry=0x7fffffffdaf0 "user1", command=command@entry=0x7fffffffdcd0 "", directory=directory@entry=0x7fffffffddd0 "", reconnect=0) at rdp.c:1647
#16 0x0000000000406f82 in main (argc=<optimized out>, argv=<optimized out>) at rdesktop.c:1006
(In reply to comment #6)
This is fixed upstream in commit r1672 and is now vendor dropped and committed in r26082.
Tests on Windows Server 2003 R2 x86:

Layer=RDP, Level=Low: Works but with warnings:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
Is this expected? (#1)

Layer=RDP, Level=Compatible: As above.
Layer=RDP, Level=High: As above.

Layer=RDP, Level=Fips: Does not work:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
ERROR: recv: Förbindelse borttagen av partnern
ERROR: send: Brutet rör
Is this expected? (#2)

Layer=Nego, Level=Low:
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
Same as #1.

Layer=Nego, Level=Compatible: Login ok, but after logout:
ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
ERROR: SSL_write: 5 (Brutet rör)
Is this expected? (#3)

Layer=Nego, Level=High: As above.
Layer=Nego, Level=Fips: As above.
Layer=SSL, Level=Compatible: As above.
Layer=SSL, Level=High: As above.
Layer=SSL, Level=Fips: As above.

Should any or all of the 3 problems above be solved now, or moved to later bugs?
http://support.microsoft.com/kb/811833 describes FIPS with RDP:
" - The RDP channel is encrypted by using the 3DES algorithm in Cipher Block Chaining (CBC) mode with a 168-bit key length.
 - The SHA-1 algorithm is used to create message digests.
 - Clients must use the RDP 5.2 client program or a later version to connect. "
(In reply to comment #9)
> WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
> (error 0x2),
> WARNING: retrying without negotiation using plain RDP protocol.
>
> Is this expected? (#1)

Moved to bug 4451.

> Layer=RDP, Level=Fips:
> Does not work:
> WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server
> (error 0x2),
> WARNING: retrying without negotiation using plain RDP protocol.
> ERROR: recv: Förbindelse borttagen av partnern
> ERROR: send: Brutet rör
>
> Is this expected? (#2)

As comment #10 points out, this is expected, since we do not support that encryption. Not a regression.

> Layer=Nego, Level=Compatible:
> Login ok, but after logout:
> ERROR: SSL_read: 5 (Förbindelse borttagen av partnern)
> ERROR: SSL_write: 5 (Brutet rör)
>
> Is this expected? (#3)

Moved to bug 4452.

Testing of 2008 R2 and XP remains.
Tests on Windows Server 2008 R2 x64, default automatic cert:

Layer=RDP, Level=Low: Ok, warning about fallback.
Layer=RDP, Level=Compatible: Ok, warning about fallback.
Layer=RDP, Level=High: Ok, warning about fallback.
Layer=RDP, Level=Fips: Fails as expected.
Layer=Nego, Level=Low: Not allowed!
Layer=Nego, Level=Compatible: Ok.
Layer=Nego, Level=High: Ok.
Layer=Nego, Level=Fips: Works, no warnings.
Layer=SSL, Level=Compatible: Works, no warnings.
Layer=SSL, Level=High: Works, no warnings.
Layer=SSL, Level=Fips: Works, no warnings.

Also tried the eudemo cert, also works.

Also tried enabling NLA enforcing. Then I got:
WARNING: RDP protocol negotiation failed with reason: hybrid authentication (CredSSP) required by server (error 0x5),
WARNING: retrying without negotiation using plain RDP protocol.
ERROR: recv: Förbindelse borttagen av partnern

Fair enough. Closing.
I think we got a regression while implementing this bug:
* Start client
* Log in to WTS with tl-run-windesk
* Resize client window

Expected behavior:
* Windows desktop resizes to the new client window size. This is the behavior of ThinLinc 3.4.0 (as on tl.cendio.se)

Actual behavior:
* rdesktop doesn't change size, the rdesktop window disappears and the following error messages are displayed in the terminal.

$ tl-run-windesk
share name usbdisk0 truncated to usbdisk
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
(28x) /dev/dsp: Connection refused
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
NOT IMPLEMENTED: PDU 13
ERROR: recv: Connection reset by peer
Connection error: The connection to the Remote Desktop failed with error 76:
share name usbdisk0 truncated to usbdisk
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
WARNING: Remote desktop does not support colour depth 24; falling back to 16
(28x) /dev/dsp: Connection refused
WARNING: RDP protocol negotiation failed with reason: SSL not allowed by server (error 0x2),
WARNING: retrying without negotiation using plain RDP protocol.
NOT IMPLEMENTED: PDU 13
ERROR: recv: Connection reset by peer
(In reply to comment #13)
This is fixed upstream in commit 1673 and the vendor drop committed in 26147.
(In reply to comment #12)
> Tests on Windows Server 2008 R2 x64, default automatic cert:

I've repeated all these tests, due to the license fix. Works as before. Wrt resizes, it has some problems, but I'm opening bug 4473 for this.