Control: severity -1 important
On 7/15/26 11:39, Arnaud Rebillout wrote:
On Thu, 9 Jul 2026 21:34:07 +0300 Michael Tokarev <[email protected]> wrote:
By default, xrdp installs /etc/xrdp/key.pem as a symlink to
/etc/ssl/private/ssl-cert-snakeoil.key. But this file is
unreadable by the user xrdp running as (xrdp:xrdp). So
xrdp can't read its tls key, and fails.
It fails not just with freerdp testsuite. It fails *all* the
time, for any tls connection, by default.
I dunno how this prob should be solved properly. But currently,
xrdp is unusable with default settings.
I think xrdp *is* usable with default settings, because TLS isn't
enabled by default.
I don't use xrdp myself (used it some 15 years ago, but not anymore).
So my wording was not accurate, - by default xrdp is not usable in TLS
mode. There are some initial provisions to make it work - like pointing
to the snakeoil certs in the default config file, - but it doesn't work.
To complicate things more, it's kinda difficult to find the actual errors,
and the failure as seen "from outside" is definitely not clear.
Meanwhile, I reverted the change on the freerdp side which explicitly
enabled TLS. So this bug report was actually due to the change in freerdp,
but the original issue is in xrdp. So I guess severity of this bug can
now be lowered at least to "important" level (doing this now).
Also see this patch in xrdp:
https://sources.debian.org/src/xrdp/0.10.6.1-2/debian/patches/document-certs.diff
I can reproduce it here, the patch just adds a comment to the config file:
```
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out
cert.pem -days 365
+; note this needs the user xrdp to be a member of the ssl-cert group,
do with e.g.
+;$ sudo adduser xrdp ssl-cert
certificate=
key_file=
```
So my understanding is that TLS connection doesn't work by default, it
needs manual configuration. But it's not new, the patch is from 2020, in
order to address https://bugs.debian.org/860890 that was opened in 2017.
Oh wow.
Like everyone, I don't know hot to solve it properly, I don't even use
xrdp myself...
Maybe we can add another system group, like ssl-snakeoil, and use it
just for this snakeoil cert? :) Indeed, making xrdp part of regular
ssl-cert group feels wrong.
Fun stuff..
Thanks,
/mjt