necouchman commented on code in PR #390: URL: https://github.com/apache/guacamole-server/pull/390#discussion_r1325865935
########## src/protocols/rdp/settings.c: ########## @@ -1604,6 +1612,17 @@ void guac_rdp_push_settings(guac_client* client, rdp_settings->OrderSupport[NEG_FAST_INDEX_INDEX] = !guac_settings->disable_glyph_caching; rdp_settings->OrderSupport[NEG_FAST_GLYPH_INDEX] = !guac_settings->disable_glyph_caching; + // FreeRDP allows for TLS Version control starting 2.8.0 +#if (defined FREERDP_VERSION_MAJOR && FREERDP_VERSION_MAJOR >=2 && defined FREERDP_VERSION_MINOR && FREERDP_VERSION_MINOR >=8 && defined FREERDP_VERSION_REVISION && FREERDP_VERSION_REVISION >=0) + // Faulty servers with partial support for TLSv1.3, like windows server 2019, + // trick FreeRDP into negotiating TLSv1.3 and then send back a RST response after initial "Client Hello" during handshake. + // Setting the min and max versions of TLS version allows us to enforce the TLS version the client(FreeRDP) chooses. + // Note that older versions of FreeRDP that relied on older versions of Openssl that didn't have TLS1.3 don't run into + // this issue as the max TLS version supported by those clients is TLS1.2. + rdp_settings->TLSMinVersion = 0; + rdp_settings->TLSMaxVersion = TLS1_2_VERSION; Review Comment: Yes, that's exactly what we're already talking about. The conversation and screenshot above deal with making these TLS versions configurable on a per-connection basis - if they are added as connection parameters they would be passed along with the rest of the options (hostname, port, username, password, etc.) within the Guacamole Protocol as part of establishing the connection. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
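Review bot: The `#if` guard in this hunk is not a correct version comparison: `FREERDP_VERSION_MAJOR >=2 && FREERDP_VERSION_MINOR >=8` rejects any FreeRDP 3.x release whose minor number is below 8 (3.0.x, for example) even though those are newer than 2.8.0, and the `FREERDP_VERSION_REVISION >=0` clause is always true and can be dropped. Suggest `#if defined(FREERDP_VERSION_MAJOR) && (FREERDP_VERSION_MAJOR > 2 || (FREERDP_VERSION_MAJOR == 2 && FREERDP_VERSION_MINOR >= 8))`. Separately, `rdp_settings->TLSMaxVersion = TLS1_2_VERSION;` caps every RDP connection at TLS 1.2 to work around the faulty servers the comment describes, not only connections to those servers; since the thread is already discussing per-connection parameters for these two values, the hardcoded assignments should at least be documented as a temporary global default so the downgrade is visible to operators until the parameters land.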