necouchman commented on code in PR #390:
URL: https://github.com/apache/guacamole-server/pull/390#discussion_r1323647221


##########
src/protocols/rdp/settings.c:
##########
@@ -1604,6 +1612,17 @@ void guac_rdp_push_settings(guac_client* client,
     rdp_settings->OrderSupport[NEG_FAST_INDEX_INDEX] = 
!guac_settings->disable_glyph_caching;
     rdp_settings->OrderSupport[NEG_FAST_GLYPH_INDEX] = 
!guac_settings->disable_glyph_caching;
 
+    // FreeRDP allows for TLS Version control starting 2.8.0
+#if (defined FREERDP_VERSION_MAJOR && FREERDP_VERSION_MAJOR >=2 && defined 
FREERDP_VERSION_MINOR && FREERDP_VERSION_MINOR >=8 && defined 
FREERDP_VERSION_REVISION && FREERDP_VERSION_REVISION >=0)
+    // Faulty servers with partial support for TLSv1.3, like windows server 
2019, 
+    // trick FreeRDP into negotiating TLSv1.3 and then send back a RST 
response after initial "Client Hello" during handshake.
+    // Setting the min and max versions of TLS version allows us to enforce 
the TLS version the client(FreeRDP) chooses.
+    // Note that older versions of FreeRDP that relied on older versions of 
Openssl that didn't have TLS1.3 don't run into 
+    // this issue as the max TLS version supported by those clients is TLS1.2.
+    rdp_settings->TLSMinVersion = 0;
+    rdp_settings->TLSMaxVersion = TLS1_2_VERSION;
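Review bot: the `#if` guard in this hunk does not express "FreeRDP 2.8.0 or later": it requires `FREERDP_VERSION_MINOR >= 8` independently of the major version, so a 3.0 build (minor 0) would silently skip the block, and `FREERDP_VERSION_REVISION >= 0` is always true. A lexicographic comparison such as `FREERDP_VERSION_MAJOR > 2 || (FREERDP_VERSION_MAJOR == 2 && FREERDP_VERSION_MINOR >= 8)` matches what the comment says. Separately, `rdp_settings->TLSMinVersion = 0;` and `rdp_settings->TLSMaxVersion = TLS1_2_VERSION;` are applied unconditionally, so every RDP session is capped at TLS 1.2 even against servers that negotiate TLS 1.3 correctly, and no floor is declared for the minimum. Since the thread is about exposing this as a connection option, the values should come from `guac_settings` and the workaround should apply only when the user requests it, with the minimum left at the library default rather than hardcoded to 0.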

Review Comment:
   @jclc: Yes, I mentioned this in my original comment, above, and most of the 
conversation between @sivagudivadaz and me has been regarding the best place to 
put such an option or options.
   
   I suppose we can talk about whether it makes more sense to force a single 
specific version or provide options for minimum and maximum versions. I'm not 
opposed to a version range, per se, but I wonder how valuable it will be - if 
you have a connection to a single server, it may not be all that useful to have 
a range of options, as the server is usually going to consistently support the 
same level, and you ought to be able to just enforce that supported level.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
