On Thu, 9 Jul 2026 21:34:07 +0300 Michael Tokarev <[email protected]> wrote: > By default, xrdp installs /etc/xrdp/key.pem as a symlink to > /etc/ssl/private/ssl-cert-snakeoil.key. But this file is > unreadable by the user xrdp running as (xrdp:xrdp). So > xrdp can't read its tls key, and fails. > > It fails not just with freerdp testsuite. It fails *all* the > time, for any tls connection, by default. > > I dunno how this prob should be solved properly. But currently, > xrdp is unusable with default settings.
I think xrdp *is* usable with default settings, because TLS isn't enabled by default. Also see this patch in xrdp: https://sources.debian.org/src/xrdp/0.10.6.1-2/debian/patches/document-certs.diff I can reproduce it here, the patch just adds a comment to the config file: ``` ; X.509 certificate and private key ; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 +; note this needs the user xrdp to be a member of the ssl-cert group, do with e.g. +;$ sudo adduser xrdp ssl-cert certificate= key_file= ``` So my understanding is that TLS connection doesn't work by default, it needs manual configuration. But it's not new, the patch is from 2020, in order to address https://bugs.debian.org/860890 that was opened in 2017. Like everyone, I don't know hot to solve it properly, I don't even use xrdp myself... Best, -- Arnaud Rebillout / OffSec / Kali Linux Developer

