Hi, currently only the hashes in .config/freerdp/known_hosts and .config/freerdp/known_hosts2 are checked. Hashes in known_hosts2 consist of a '<host> <port> <fingerprint> [subject base64] [issuer base64]' syntax. (the implementation resides in libfreerdp/crypto/certificate.c) NOTE: known_hosts is deprecated and only kept for compatibility with older versions of freerdp.
best
Armin

On 06/03/2016 02:16 PM, Ondrej Holy wrote:
> Hello,
>
> may a local certificate store be used to avoid the certificate prompt?
>
> I exported the remote desktop certificate from Microsoft Windows Server 2008:
> mmc -> file -> add snap-in -> certificates -> add -> computer account -> finish -> certificates -> remote desktop -> certificates -> SERVER -> open -> details -> copy to file -> CA.cer
>
> I converted the certificate to pem and created a hash file for it:
> openssl x509 -inform DER -in CA.cer -out CA.pem
> ln -s CA.pem $(openssl x509 -hash -noout -in CA.pem).0 ~/.config/freerdp/certs
>
> Then I tried to connect and still see the certificate prompt:
> $ xfreerdp /u:USER /p:PASS /v:SERVER
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Certificate details:
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Subject: CN = SERVER
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Issuer: CN = SERVER
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Thumbprint: c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
> [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Do you trust the above certificate? (Y/N)
>
> But the certificate is seen by OpenSSL correctly as per strace:
> [pid 5220] stat("/etc/pki/tls/certs/31605bb4.0", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
> [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.0", {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
> [pid 5220] open("/home/oholy/.config/freerdp/certs/31605bb4.0", O_RDONLY) = 14
> [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.1", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
>
> Subject == Issuer so I thought that the following should work, but it doesn't:
> $ openssl verify -CAfile CA.pem CA.pem
> CA.pem: CN = SERVER
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> So I suppose this is not a bug in FreeRDP, but I have to generate the cert another way, or import the root cert into the system somehow probably... am I right? Can you help me with it? Is there any documentation regarding the local certificate store?
>
> Thanks in advance!

_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
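As an added illustration of the known_hosts2 line format Armin describes (example code written for this thread, not FreeRDP's own certificate.c), the following parses such a file and checks a host, port and fingerprint against it. It assumes the fingerprint column is the SHA-1 thumbprint of the DER certificate as colon-separated lowercase hex, the form shown on the Thumbprint line of the xfreerdp prompt above; the sample file content is constructed.

```python
import base64
import hashlib
import re

# Assumption (not stated in the thread): the fingerprint column is the SHA-1
# digest of the DER certificate, colon-separated lowercase hex, which is the
# form the xfreerdp "Thumbprint:" line uses.

def parse_known_hosts2(text):
    """Parse '<host> <port> <fingerprint> [subject b64] [issuer b64]' lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank or comment line
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need host, port and fingerprint")
        entry = {"host": fields[0].lower(), "port": int(fields[1]),
                 "fingerprint": fields[2].lower()}
        if len(fields) > 3:               # optional base64-encoded subject DN
            entry["subject"] = base64.b64decode(fields[3]).decode()
        if len(fields) > 4:               # optional base64-encoded issuer DN
            entry["issuer"] = base64.b64decode(fields[4]).decode()
        entries.append(entry)
    return entries

def fingerprint_from_pem(pem):
    """SHA-1 thumbprint of the first certificate block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.sha1(der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_host(entries, host, port, fingerprint):
    """'match' if a pinned entry agrees, 'mismatch' if the host is pinned to a
    different certificate (the case that deserves attention), else 'unknown'."""
    host, fingerprint = host.lower(), fingerprint.lower()
    pinned = [e for e in entries if e["host"] == host and e["port"] == port]
    if any(e["fingerprint"] == fingerprint for e in pinned):
        return "match"
    return "mismatch" if pinned else "unknown"

# Constructed sample file using the thumbprint from the prompt in the thread.
THUMBPRINT = "c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee"
DN_B64 = base64.b64encode(b"CN = SERVER").decode()
SAMPLE_KNOWN_HOSTS2 = f"# host port fingerprint [subject] [issuer]\nSERVER 3389 {THUMBPRINT} {DN_B64} {DN_B64}\n"
ENTRIES = parse_known_hosts2(SAMPLE_KNOWN_HOSTS2)
```

To pin a server manually, compute `fingerprint_from_pem(open("CA.pem").read())` and write a `<host> <port> <fingerprint>` line into ~/.config/freerdp/known_hosts2; a later "mismatch" result is what a changed server certificate looks like.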