Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2

Matsievskiy S.V.
Package: remmina-plugin-rdp
Version: 1.2.32+dfsg-2
Severity: important

Dear Maintainer,

remmina-plugin-rdp seems to be affected by the issue described in bug #912206 for freerdp2-x11.
Original report:

> Package: freerdp2-x11
> Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
> Severity: normal
>
> Dear Maintainer,
>
> After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
> able to connect to a computer running Remote Desktop Services on Windows
> Server 2008 R2 (with default settings as far as I am aware) using TLS
> security.  Connection fails with the following messages:
>
>     [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
>     [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
>
> Downgrading libssl1.1 to 1.1.0h-4 fixes the issue.  To further diagnose
> the cause, I noticed that the server sends TCP RST in response to the
> SSL Client Hello message.  After some trial and error, I determined that
> this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
> algorithms, which is the case for SECLEVEL=2 which is the default in the
> libssl1.1 Debian package since version 1.1.1~~pre6-1.  To confirm, this
> fails:
>
>     openssl s_client -connect 192.168.0.2:3389
>
> while this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389
>
> For further confirmation that rsa_pkcs1_sha1 is responsible, this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389
>
> while this fails:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389
>
> Applying this discovery, it is possible to make xfreerdp work using:
>
>     xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1
>
> However, since most users are unlikely to figure this out on their own,
> I'd suggest calling SSL_CTX_set_security_level to set the security level
> to 1 or improving the error message to suggest this workaround.
>
> Thanks,
> Kevin


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.9-custom (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages remmina-plugin-rdp depends on:
ii  libatk1.0-0           2.30.0-1
ii  libc6                 2.27-8
ii  libcairo2             1.16.0-1
ii  libfreerdp-client2-2  2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libfreerdp2-2         2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libgdk-pixbuf2.0-0    2.38.0+dfsg-6
ii  libglib2.0-0          2.58.1-2
ii  libgtk-3-0            3.24.1-2
ii  libice6               2:1.0.9-2
ii  libpango-1.0-0        1.42.4-3
ii  libsm6                2:1.2.2-1+b3
ii  libwinpr2-2           2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libx11-6              2:1.6.7-1
ii  libxext6              2:1.3.3-1+b2
ii  remmina               1.2.32+dfsg-2

remmina-plugin-rdp recommends no packages.

remmina-plugin-rdp suggests no packages.

-- no debconf information
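
Added example, not part of the original report or of FreeRDP/Remmina: a small parser that lists the signature algorithms a client offers in its TLS ClientHello, to confirm from a packet capture whether rsa_pkcs1_sha1 is present, the condition the quoted report ties to the server's TCP RST. The function names are hypothetical and the sample hellos are constructed in the code, not captured from the hosts in the report.

```python
import struct

RSA_PKCS1_SHA1 = 0x0201  # TLS code point for rsa_pkcs1_sha1 (hash=sha1, sig=rsa)

def offered_sigalgs(record):
    """Return the signature_algorithms code points offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record starting with a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                          # client_version, random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 13:                                    # signature_algorithms
            algs = data[2:2 + int.from_bytes(data[:2], "big")]
            return [int.from_bytes(algs[i:i + 2], "big") for i in range(0, len(algs) - 1, 2)]
        pos += 4 + ext_len
    return []                                                 # extension not sent

def lacks_rsa_pkcs1_sha1(record):
    """True when rsa_pkcs1_sha1 is not among the offered signature algorithms."""
    return RSA_PKCS1_SHA1 not in offered_sigalgs(record)

def sample_client_hello(sigalgs):
    """Build a constructed (not captured) ClientHello offering the given code points."""
    sig = struct.pack("!H", 2 * len(sigalgs)) + b"".join(struct.pack("!H", s) for s in sigalgs)
    exts = b"\x00\x0b\x00\x02\x01\x00" + struct.pack("!HH", 13, len(sig)) + sig
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for label, algs in (("without SHA-1", [0x0804, 0x0401, 0x0403]),
                        ("with SHA-1", [0x0401, 0x0201])):
        hello = sample_client_hello(algs)
        print(label, [hex(a) for a in offered_sigalgs(hello)], lacks_rsa_pkcs1_sha1(hello))
```

Feed `offered_sigalgs` the raw bytes of the first TLS record the client sends; the record must contain the whole ClientHello.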

Mike Gabriel-4
Hi,

On  Mi 07 Nov 2018 09:02:11 CET, Matsievskiy S.V. wrote:

> Package: remmina-plugin-rdp
> Version: 1.2.32+dfsg-2
> Severity: important
>
> Dear Maintainer,
>
> remmina-plugin-rdp seems to be affected by the issue described in bug
> #912206 for freerdp2-x11.
>
This issue is probably fixed by today's freerdp2 upload to unstable
(2.0.0~git20180411.1.7a7b1802+dfsg1-3).

Please check and report back. Thanks!

Mike (co-maintainer+uploader of freerdp2 in Debian)
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de


Matsievskiy S.V.
Yes, it does work after the update

On 09/11/2018 00:42, Mike Gabriel wrote:

> Hi,
>
> This issue is probably fixed by today's freerdp2 upload to unstable
> (2.0.0~git20180411.1.7a7b1802+dfsg1-3).
>
> Please check and report back. Thanks!
>
> Mike (co-maintainer+uploader of freerdp2 in Debian)

Mike Gabriel-4
Control: reassign -1 src:freerdp2
Control: found -1 2.0.0~git20180411.1.7a7b1802+dfsg1-2
Control: fixed -1 2.0.0~git20180411.1.7a7b1802+dfsg1-3
Control: close -1

On  Fr 09 Nov 2018 08:54:26 CET, Matsievskiy S.V. wrote:

> Yes, it does work after the update
>

Ok, closing this bug then.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de

