jclc commented on code in PR #390:
URL: https://github.com/apache/guacamole-server/pull/390#discussion_r1323240144
##########
src/protocols/rdp/settings.c:
##########
@@ -1604,6 +1612,17 @@ void guac_rdp_push_settings(guac_client* client,
rdp_settings->OrderSupport[NEG_FAST_INDEX_INDEX] =
!guac_settings->disable_glyph_caching;
rdp_settings->OrderSupport[NEG_FAST_GLYPH_INDEX] =
!guac_settings->disable_glyph_caching;
+ // FreeRDP allows for TLS Version control starting 2.8.0
+#if (defined FREERDP_VERSION_MAJOR && FREERDP_VERSION_MAJOR >=2 && defined
FREERDP_VERSION_MINOR && FREERDP_VERSION_MINOR >=8 && defined
FREERDP_VERSION_REVISION && FREERDP_VERSION_REVISION >=0)
+ // Faulty servers with partial support for TLSv1.3, like windows server
2019,
+ // trick FreeRDP into negotiating TLSv1.3 and then send back a RST
response after initial "Client Hello" during handshake.
+ // Setting the min and max versions of TLS version allows us to enforce
the TLS version the client(FreeRDP) chooses.
+ // Note that older versions of FreeRDP that relied on older versions of
Openssl that didn't have TLS1.3 don't run into
+ // this issue as the max TLS version supported by those clients is TLS1.2.
+ rdp_settings->TLSMinVersion = 0;
+ rdp_settings->TLSMaxVersion = TLS1_2_VERSION;
Review Comment:
Rather than hard-coding this for 1.2 only, wouldn't it be better to add
configuration options for defining min and max versions? For example,
[Redemption](https://github.com/wallix/redemption) uses such configuration
options.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
