[ https://issues.apache.org/jira/browse/GUACAMOLE-1598 ]
David S. Jones deleted comment on GUACAMOLE-1598:
-------------------------------------------

    was (Author: jonesds):
We have run into a couple of issues with other applications on el9 due to the removal of SHA1 from the defaults.

If the el9 system needs SHA1 more often than not (or for whatever reason you feel safe with SHA1 turned on system wide), you can run:

    update-crypto-policies --set DEFAULT:SHA1

If you have just 1 or 2 that need SHA1, you can do an override config for that app. Create a file like ssl_allow_sha1.conf using:

    .include /etc/ssl/openssl.cnf
    [openssl_init]
    alg_section = evp_properties
    [evp_properties]
    rh-allow-sha1-signatures = yes

and use the OPENSSL_CONF environment variable for guacd. I add this to the service file [Service]:

    Environment=OPENSSL_CONF={path to your file}ssl_allow_sha1.conf

A switch for individual Guacamole connection would be a much better answer, but at least there are some immediate workarounds.

> Windows 7 TLS/NLA compatibility issue with openssl3
> ---------------------------------------------------
>
>                 Key: GUACAMOLE-1598
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1598
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: RDP
>   Affects Versions: 1.4.0
>            Reporter: Michael Saxl
>            Priority: Major
>
> Openssl 3.0 raised the default tls security level parameters.
> This has the effect that Windows 7 / Windows 2008r2 do not work in tls/nla/ext
> security mode, only rdp security works, but this requires disabling nla on
> the remote machine.
> xfreerdp has a parameter named /tls-seclevel that if set to 0 solves this
> problem, but setting this to such a low value should only be done if the
> user really requests it.
> Remmina will get this parameter too.
>
> Internally in the settings structure the attribute is named
> setting->TlsSecLevel

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
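
Added example (not part of the Jira notification or of the Guacamole project): the per-service workaround from the comment above written as a script, with a check that reports whether SHA-1 ended up re-enabled for guacd only or system wide. Assumptions: the unit name guacd.service, the path /etc/guacamole/ssl_allow_sha1.conf and the drop-in file name are hypothetical choices; /etc/crypto-policies/config is where update-crypto-policies records the configured policy.

```shell
#!/bin/sh
# Added example. Assumed names (not from the page): unit guacd.service,
# config path /etc/guacamole/ssl_allow_sha1.conf, drop-in 10-openssl-sha1.conf.

# write_guacd_sha1_override ROOT
# Writes the override config and a systemd drop-in under ROOT
# (ROOT=/ on a real host, a scratch directory for a dry run).
write_guacd_sha1_override() {
    root=${1%/}
    conf_dir="$root/etc/guacamole"
    dropin_dir="$root/etc/systemd/system/guacd.service.d"
    mkdir -p "$conf_dir" "$dropin_dir" || return 1
    # Config from the comment: system defaults plus SHA-1 signatures allowed.
    cat > "$conf_dir/ssl_allow_sha1.conf" <<'EOF' || return 1
.include /etc/ssl/openssl.cnf
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
EOF
    # Only guacd gets OPENSSL_CONF; the value is the runtime path, without ROOT.
    cat > "$dropin_dir/10-openssl-sha1.conf" <<'EOF' || return 1
[Service]
Environment=OPENSSL_CONF=/etc/guacamole/ssl_allow_sha1.conf
EOF
    chmod 0644 "$conf_dir/ssl_allow_sha1.conf" "$dropin_dir/10-openssl-sha1.conf"
}

# sha1_override_scope ROOT
# Reports how far SHA-1 is re-enabled under ROOT: "system-wide" if the
# configured crypto policy carries the SHA1 subpolicy, "service-only" if just
# the guacd drop-in is present, "none" otherwise.
sha1_override_scope() {
    root=${1%/}
    if grep -qs ':SHA1' "$root/etc/crypto-policies/config"; then
        echo "system-wide"
    elif grep -qs '^Environment=OPENSSL_CONF=' \
        "$root/etc/systemd/system/guacd.service.d/10-openssl-sha1.conf"; then
        echo "service-only"
    else
        echo "none"
    fi
}

# Dry run in a scratch directory; prints the resulting scope.
scratch=$(mktemp -d) || exit 1
write_guacd_sha1_override "$scratch" && sha1_override_scope "$scratch"
rm -rf "$scratch"
```

On a real host, call write_guacd_sha1_override with / as ROOT, then run systemctl daemon-reload and restart the guacd unit so the new environment takes effect.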