Bug 4453 - Consider adding RDP server (and/or client) authentication via TLS, ie check certs
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: rdesktop (deprecated)
Target Milestone: 4.10.0
Assignee: Pierre Ossman
Depends on:
Blocks: 2036
Reported: 2012-10-30 14:37 CET by Peter Åstrand
Modified: 2019-02-07 15:51 CET



Description Peter Åstrand cendio 2012-10-30 14:37:51 CET
Since bug 4347, rdesktop supports TLS. However, we have only implemented the encryption part of it. As MS says at http://technet.microsoft.com/en-us/library/cc782610.aspx:

"TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications."
Comment 1 Pierre Ossman cendio 2013-06-11 17:25:53 CEST
For reference, Microsoft's client complains about bad certificates by default. Tested on Windows 8 (both an independent machine, and one joined to the same domain as the WTS).
Comment 2 Pierre Ossman cendio 2013-06-11 19:36:03 CEST
Hah. Full marks to Microsoft. The certificate check is done _after_ you send the password to the server. At which point you're already screwed.

Noticed this on the Windows 8 machine where it told me I gave the wrong password and I had to reenter it. Only after I entered the correct one would it present me with the "bad cert" dialog.

Hopefully the protocol isn't this broken and we can do better.
Comment 3 Pierre Ossman cendio 2013-06-14 14:30:54 CEST
Another data point from mstsc: If it authenticates the server using Kerberos, then it won't present the user with a dialog that the certificate is bad.
Comment 4 Pierre Ossman cendio 2019-02-07 15:43:47 CET
rdesktop (and associated tools) is being removed from the ThinLinc product.
