Hi Armin, thanks for your response. So what is .config/freerdp/certs good for then?
2016-06-07 10:46 GMT+02:00 Armin Novak <armin.no...@thincast.com>:
> Hi,
>
> currently only the hashes in .config/freerdp/known_hosts and
> .config/freerdp/known_hosts2 are checked.
> Hashes in known_hosts2 consist of a '<host> <port> <fingerprint>
> [subject base64] [issuer base64]' syntax.
> (the implementation resides in libfreerdp/crypto/certificate.c)
> NOTE: known_hosts is deprecated and only kept for compatibility with
> older versions of freerdp.
>
> best
> Armin
>
> On 06/03/2016 02:16 PM, Ondrej Holy wrote:
> > Hello,
> >
> > may a local certificate store be used to avoid the certificate prompt?
> >
> > I exported the remote desktop certificate from Microsoft Windows Server 2008:
> > mmc -> file -> add snap-in -> certificates -> add -> computer account ->
> > finish -> certificates -> remote desktop -> certificates -> SERVER -> open
> > -> details -> copy to file -> CA.cer
> >
> > I converted the certificate to pem and created a hash file for it:
> > openssl x509 -inform DER -in CA.cer -out CA.pem
> > ln -s CA.pem $(openssl x509 -hash -noout -in CA.pem).0
> > ~/.config/freerdp/certs
> >
> > Then I tried to connect and still see the certificate prompt:
> > $ xfreerdp /u:USER /p:PASS /v:SERVER
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Certificate details:
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Subject: CN = SERVER
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Issuer: CN = SERVER
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Thumbprint: c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Do you trust the above certificate? (Y/N)
> >
> > But the certificate is seen by OpenSSL correctly as per strace:
> > [pid 5220] stat("/etc/pki/tls/certs/31605bb4.0", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
> > [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.0", {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
> > [pid 5220] open("/home/oholy/.config/freerdp/certs/31605bb4.0", O_RDONLY) = 14
> > [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.1", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
> >
> > Subject == Issuer so I thought that the following should work, but it isn't:
> > $ openssl verify -CAfile CA.pem CA.pem
> > CA.pem: CN = SERVER
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > So I suppose this is not a bug in FreeRDP, but I have to generate the cert another way, or import the root cert into the system somehow probably... am I right? Can you help me with it? Is there any documentation regarding the local certificate store?
> >
> > Thanks in advance!
> >

-- 
Regards
Ondrej
_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
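As an added example that is not FreeRDP's own code, the following Python models the known_hosts2 lookup Armin describes: it parses the '<host> <port> <fingerprint> [subject base64] [issuer base64]' entries and classifies a presented server certificate as trusted, changed, or not yet seen. It assumes the fingerprint field is the SHA-1 digest of the DER certificate in the same lowercase colon-separated form that xfreerdp prints as the thumbprint; the store contents and the certificate bytes are constructed for the example.

```python
"""Model of a FreeRDP-style known_hosts2 check (added example, not libfreerdp code)."""
import hashlib

# Constructed store using the thumbprint from the thread; real entries may also
# carry the optional base64 subject and issuer fields after the fingerprint.
KNOWN_HOSTS2 = """\
# <host> <port> <fingerprint> [subject base64] [issuer base64]
SERVER 3389 c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee
"""


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-1 of the DER certificate as lowercase colon-separated hex (assumed format)."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts2(text: str) -> dict:
    """Map (host, port) -> fingerprint; blank, comment and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or not parts[1].isdigit():
            continue
        host, port, fingerprint = parts[0], int(parts[1]), parts[2]
        entries[(host.lower(), port)] = fingerprint.lower()
    return entries


def check_host(entries: dict, host: str, port: int, fingerprint: str) -> str:
    """Classify the presented certificate against the store.

    'unknown'  - first contact with this host:port, so the client would prompt
    'match'    - pinned fingerprint matches, connection proceeds silently
    'mismatch' - certificate changed since it was pinned; treat as a possible
                 interception and do not auto-accept
    """
    pinned = entries.get((host.lower(), port))
    if pinned is None:
        return "unknown"
    return "match" if pinned == fingerprint.lower() else "mismatch"


if __name__ == "__main__":
    store = parse_known_hosts2(KNOWN_HOSTS2)
    seen = "c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee"
    print(check_host(store, "SERVER", 3389, seen))
```

Note that this store pins the leaf certificate's fingerprint per host and port; it is a trust-on-first-use mechanism, separate from the CA-based chain validation that the certs directory and `openssl verify` are concerned with.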