On Thu, 9 Jul 2026 21:34:07 +0300 Michael Tokarev <[email protected]> wrote:
> By default, xrdp installs /etc/xrdp/key.pem as a symlink to
> /etc/ssl/private/ssl-cert-snakeoil.key. But this file is
> unreadable by the user xrdp running as (xrdp:xrdp). So
> xrdp can't read its tls key, and fails.
>
> It fails not just with freerdp testsuite. It fails *all* the
> time, for any tls connection, by default.
>
> I dunno how this prob should be solved properly. But currently,
> xrdp is unusable with default settings.

I think xrdp *is* usable with default settings, because TLS isn't
enabled by default.

Also see this patch in xrdp:
https://sources.debian.org/src/xrdp/0.10.6.1-2/debian/patches/document-certs.diff

I can reproduce it here, the patch just adds a comment to the config file:

```
 ; X.509 certificate and private key
 ; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out
cert.pem -days 365
+; note this needs the user xrdp to be a member of the ssl-cert group,
do with e.g.
+;$ sudo adduser xrdp ssl-cert
 certificate=
 key_file=
```

So my understanding is that TLS connection doesn't work by default, it
needs manual configuration. But it's not new, the patch is from 2020, in
order to address https://bugs.debian.org/860890 that was opened in 2017.

Like everyone, I don't know hot to solve it properly, I don't even use
xrdp myself...

Best,

-- 
Arnaud Rebillout / OffSec / Kali Linux Developer

Reply via email to