Your message dated Thu, 08 Nov 2018 12:19:05 +0000
with message-id <e1gkjh7-000fny...@fasolo.debian.org>
and subject line Bug#912206: fixed in freerdp2 2.0.0~git20180411.1.7a7b1802+dfsg1-3
has caused the Debian Bug report #912206,
regarding freerdp2-x11: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freerdp2-x11
Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
Severity: normal

Dear Maintainer,

After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
able to connect to a computer running Remote Desktop Services on Windows
Server 2008 R2 (with default settings as far as I am aware) using TLS
security.  Connection fails with the following messages:

    [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
    [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

Downgrading libssl1.1 to 1.1.0h-4 fixes the issue.  To further diagnose
the cause, I noticed that the server sends TCP RST in response to the
SSL Client Hello message.  After some trial and error, I determined that
this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
algorithms, which is the case for SECLEVEL=2 which is the default in the
libssl1.1 Debian package since version 1.1.1~~pre6-1.  To confirm, this
fails:

    openssl s_client -connect 192.168.0.2:3389

while this works:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389

For further confirmation that rsa_pkcs1_sha1 is responsible, this works:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389

while this fails:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389

Applying this discovery, it is possible to make xfreerdp work using:

    xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1

However, since most users are unlikely to figure this out on their own,
I'd suggest calling SSL_CTX_set_security_level to set the security level
to 1 or improving the error message to suggest this workaround.

Thanks,
Kevin


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freerdp2-x11 depends on:
ii  libc6                 2.27-6
ii  libfreerdp-client2-2  2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libfreerdp2-2         2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libwinpr2-2           2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libx11-6              2:1.6.7-1
ii  libxcursor1           1:1.1.15-1
ii  libxext6              2:1.3.3-1+b2
ii  libxfixes3            1:5.0.3-1
ii  libxi6                2:1.7.9-1
ii  libxinerama1          2:1.1.4-1
ii  libxrandr2            2:1.5.1-1
ii  libxrender1           1:0.9.10-1
ii  libxv1                2:1.0.11-1

freerdp2-x11 recommends no packages.

freerdp2-x11 suggests no packages.

-- no debconf information

--- End Message ---
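
The report traces the reset to whether rsa_pkcs1_sha1 is among the signature algorithms offered in the ClientHello. The following is an added example, not part of the original report or of FreeRDP, that checks a captured ClientHello record for that condition; the function names and the two sample records are constructed for illustration.

```python
import struct

# IANA TLS SignatureScheme code points (subset relevant to this report)
SIGALGS = {
    0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
}
EXT_SIGNATURE_ALGORITHMS = 13

def build_client_hello(codes):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    sig = struct.pack("!%dH" % len(codes), *codes)
    ext = struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(sig) + 2, len(sig)) + sig
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x00\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_sigalgs(record):
    """Names of the signature algorithms offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            n = int.from_bytes(data[:2], "big") // 2
            codes = struct.unpack_from("!%dH" % n, data, 2)
            return [SIGALGS.get(c, "0x%04x" % c) for c in codes]
    return []    # no signature_algorithms extension present

def offers_rsa_sha1(record):
    return "rsa_pkcs1_sha1" in offered_sigalgs(record)

# Constructed lists: WITHOUT_SHA1_RSA mirrors the failing -sigalgs shape (no RSA+SHA1)
WITHOUT_SHA1_RSA = build_client_hello([0x0601, 0x0501, 0x0401, 0x0202, 0x0203])
WITH_SHA1_RSA = build_client_hello([0x0601, 0x0501, 0x0401, 0x0201])
```

To use it on real traffic, pass the raw bytes of the first TLS record the client sends, for example exported from a packet capture.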
--- Begin Message ---
Source: freerdp2
Source-Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
freerdp2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated freerdp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 08 Nov 2018 12:08:43 +0100
Source: freerdp2
Binary: freerdp2-x11 libfreerdp2-2 libfreerdp-client2-2 libfreerdp-server2-2 libwinpr2-2 libwinpr-tools2-2 libwinpr2-dev freerdp2-dev winpr-utils libfreerdp-shadow2-2 libfreerdp-shadow-subsystem2-2 freerdp2-shadow-x11 libuwac0-0 libuwac0-dev freerdp2-wayland
Architecture: source
Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-rem...@lists.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Description:
 freerdp2-dev - Free Remote Desktop Protocol library (development files)
 freerdp2-shadow-x11 - FreeRDP x11 shadowing server
 freerdp2-wayland - RDP client for Windows Terminal Services (wayland client)
 freerdp2-x11 - RDP client for Windows Terminal Services (X11 client)
 libfreerdp-client2-2 - Free Remote Desktop Protocol library (client library)
 libfreerdp-server2-2 - Free Remote Desktop Protocol library (server library)
 libfreerdp-shadow-subsystem2-2 - FreeRDP Remote Desktop Protocol shadow subsystem libraries
 libfreerdp-shadow2-2 - FreeRDP Remote Desktop Protocol shadow libraries
 libfreerdp2-2 - Free Remote Desktop Protocol library (core library)
 libuwac0-0 - Using wayland as a client library
 libuwac0-dev - Using wayland as a client (development files)
 libwinpr-tools2-2 - Windows Portable Runtime Tools library
 libwinpr2-2 - Windows Portable Runtime library
 libwinpr2-dev - Windows Portable Runtime library (development files)
 winpr-utils - Windows Portable Runtime library command line utilities
Closes: 912206
Changes:
 freerdp2 (2.0.0~git20180411.1.7a7b1802+dfsg1-3) unstable; urgency=medium
 .
   [ Bernhard Miklautz ]
   * debian/patches:
     + Add 0002_set-tls-seclevel.patch. Sets the default TLS security level to
       1. Back-ported from upstream (PR 4996). (Closes: #912206).
 .
   [ Mike Gabriel ]
   * debian/patches:
     + Add patch header to 0002_set-tls-seclevel.patch.
   * debian/*.symbols:
     + Add Build-Depends-Package: field.
   * debian/control:
     + Bump Standards-Version: to 4.2.1. No changes needed.

--- End Message ---
