On Thu, Jan 9, 2025 at 8:26 AM Felix Garcia Lainez <fgarcialai...@gmail.com> wrote:
> Hi,
>
> The purpose of this post is to find the root cause or explanation of an
> issue that I am experiencing with guacd 1.5.5 and OpenSSL 3.3 connecting to
> legacy Windows devices (e.g. Windows 7).
>
> https://github.com/apache/guacamole-server/commit/f906b14f9f7102dfaaf11bbd7c694b1efeacafc2
>
> As commented in the link above, I have observed that the change in this
> commit also affects guacd compatibility with legacy Windows devices
> (e.g. Windows 7).
>
> Basically, what I have found is that building guacd 1.5.5 with OpenSSL 3.3
> (default for Alpine 3.20) raises the following error on trying to connect
> to Windows 7 devices:
>
>     RDP server closed/refused connection: SSL/TLS connection failed
>     (untrusted/self-signed certificate?)
>
> On the other hand, on building guacd 1.5.5 with openssl1.1-compat-dev the
> problem goes away.
>
> Note that this issue with OpenSSL 3.3 is reproduced only on legacy
> devices, as everything seems to work properly with newer Windows versions.
>
> At first, I thought that the issue might be related to the default (only)
> support of TLSv1.0 in Windows 7 and the lack of default support for
> TLSv1.0 in OpenSSL 3.3, but after either trying to enable support for
> TLSv1.0 in OpenSSL 3.3 or trying to enable TLSv1.2 on the Windows 7
> machine, the issue is still there.
>
> Any clues about what the logical explanation / reason for this
> behaviour is?
You might try to look at the output from openssl s_client (either openssl 1 or openssl 3) and see what it's telling you about the versions of TLS that are supported:

    openssl s_client -connect server.example.com:3389

You'll see something like this:

    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 912500005B069ADC4B1A4B72794D5E7E3E3BF4B284B65F25CA03109E618AF75C
        Session-ID-ctx:
        Master-Key: 86D64A00795DD30D34A3AA853ECDDF3FA99C5D52D37A84A10E692879B35502DA37DFBB53EE307CAA1CE8C1EF1857CF01
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1737143299
        Timeout   : 7200 (sec)
        Verify return code: 18 (self-signed certificate)
        Extended master secret: yes
    ---

You can use various TLS flags (-tls1_1 -tls1_2 -tls1_3) to try levels of connection to see what the servers support.

-Nick
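The probe Nick describes, scripted as an added example (not code from the thread, from guacd or from OpenSSL): one forced s_client handshake per TLS version, with the negotiated "Protocol" and the "Verify return code" pulled out of each result, since that second line is what guacd's "untrusted/self-signed certificate?" message is hinting at. The host name and port are placeholders; the sample output embedded for the offline run is shortened from Nick's reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from guacd: script the probe
# Nick describes (one openssl s_client handshake per TLS version) and pull
# out the two lines that matter here, "Protocol" and "Verify return code".

# parse_protocol: print the negotiated protocol from s_client output on
# stdin, or "none" when no handshake completed.
parse_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *//p' | head -n 1)
    printf '%s\n' "${proto:-none}"
}

# parse_verify_code: print the numeric "Verify return code" (0 = chain
# trusted, 18 = self-signed), or "none" when s_client printed no result.
parse_verify_code() {
    code=$(sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${code:-none}"
}

# probe_tls_versions HOST PORT [CIPHERS]: force each TLS version in turn and
# report what the server negotiated. OpenSSL 3's default security level does
# not offer TLS 1.0/1.1 at all; pass 'DEFAULT:@SECLEVEL=0' as CIPHERS so those
# two handshakes are actually attempted rather than refused locally.
probe_tls_versions() {
    host=$1; port=$2; ciphers=${3:-DEFAULT}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" \
                  -cipher "$ciphers" </dev/null 2>&1) || true
        printf '%-8s negotiated=%-8s verify=%s\n' "$flag" \
            "$(printf '%s\n' "$out" | parse_protocol)" \
            "$(printf '%s\n' "$out" | parse_verify_code)"
    done
}

# Sample s_client output, shortened from Nick's reply, so the parsers can be
# exercised without a network connection.
SAMPLE_OUTPUT='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self-signed certificate)'

printf '%s\n' "$SAMPLE_OUTPUT" | parse_protocol      # TLSv1.2
printf '%s\n' "$SAMPLE_OUTPUT" | parse_verify_code   # 18
# Live run against the RDP port under test (placeholder host; needs network):
# probe_tls_versions server.example.com 3389 'DEFAULT:@SECLEVEL=0'
```

Comparing the table this prints from an OpenSSL 1.1 build with the one from an OpenSSL 3.3 build, against the same Windows 7 host, shows directly which version/verification combination the two libraries disagree on.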