good question, looks like it is missing an implementation...

On 7 June 2016 13:02:09 CEST, Ondrej Holy <oh...@redhat.com> wrote:
> Hi Armin,
>
> thanks for your response. So what is .config/freerdp/certs good for
> then?
>
> 2016-06-07 10:46 GMT+02:00 Armin Novak <armin.no...@thincast.com>:
>
>> Hi,
>>
>> currently only the hashes in .config/freerdp/known_hosts and
>> .config/freerdp/known_hosts2 are checked.
>> Hashes in known_hosts2 consist of a '<host> <port> <fingerprint>
>> [subject base64] [issuer base64]' syntax.
>> (the implementation resides in libfreerdp/crypto/certificate.c)
>> NOTE: known_hosts is deprecated and only kept for compatibility with
>> older versions of freerdp.
>>
>> best
>> Armin
>>
>> On 06/03/2016 02:16 PM, Ondrej Holy wrote:
>> > Hello,
>> >
>> > may a local certificate store be used to avoid the certificate prompt?
>> >
>> > I exported the remote desktop certificate from Microsoft Windows Server 2008:
>> > mmc -> file -> add snap-in -> certificates -> add -> computer account ->
>> > finish -> certificates -> remote desktop -> certificates -> SERVER -> open
>> > -> details -> copy to file -> CA.cer
>> >
>> > I converted the certificate to pem and created a hash file for it:
>> > openssl x509 -inform DER -in CA.cer -out CA.pem
>> > ln -s CA.pem $(openssl x509 -hash -noout -in CA.pem).0
>> > ~/.config/freerdp/certs
>> >
>> > Then I tried to connect and still see the certificate prompt:
>> > $ xfreerdp /u:USER /p:PASS /v:SERVER
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Certificate details:
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Subject: CN = SERVER
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Issuer: CN = SERVER
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Thumbprint: c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired.
>> > Please look at the documentation on how to create local certificate store for a private CA.
>> > [12:26:00:200] [5674:5675] [INFO][com.freerdp.client.x11] - Do you trust the above certificate? (Y/N)
>> >
>> > But the certificate is seen by OpenSSL correctly as per strace:
>> > [pid 5220] stat("/etc/pki/tls/certs/31605bb4.0", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
>> > [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.0", {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
>> > [pid 5220] open("/home/oholy/.config/freerdp/certs/31605bb4.0", O_RDONLY) = 14
>> > [pid 5220] stat("/home/oholy/.config/freerdp/certs/31605bb4.1", 0x7f5b546370b0) = -1 ENOENT (No such file or directory)
>> >
>> > Subject == Issuer so I thought that the following should work, but it doesn't:
>> > $ openssl verify -CAfile CA.pem CA.pem
>> > CA.pem: CN = SERVER
>> > error 20 at 0 depth lookup:unable to get local issuer certificate
>> >
>> > So I suppose this is not a bug in FreeRDP, but I have to generate the cert
>> > another way, or import the root cert into the system somehow probably... am
>> > I right? Can you help me with it? Is there any documentation regarding the
>> > local certificate store?
>> >
>> > Thanks in advance!
>>
>> _______________________________________________
>> FreeRDP-devel mailing list
>> FreeRDP-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/freerdp-devel
>
> --
> Regards
>
> Ondrej

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
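The only store the thread says is actually consulted is the known_hosts2 pin file, whose line layout Armin gives as `<host> <port> <fingerprint> [subject base64] [issuer base64]`. The following is an added example, not FreeRDP's own code from libfreerdp/crypto/certificate.c: a small reader for that layout that answers whether a thumbprint shown in the connection prompt matches the pinned one for that host and port. It assumes (not stated in the thread) that the fingerprint field is the SHA-1 thumbprint as hex, with or without colons, and that the optional subject and issuer fields are plain base64 of the DN strings; the second sample host and its fingerprint are constructed.

```python
"""Reader for a FreeRDP-style known_hosts2 pin store (added illustration,
not FreeRDP code). Line layout, per the thread:

    <host> <port> <fingerprint> [subject base64] [issuer base64]

Assumptions not stated on the page: the fingerprint is hex SHA-1, colon
separators optional and case-insensitive; the port is a decimal integer;
subject/issuer are base64 of the DN text.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample store. The first line reuses the thumbprint that
# xfreerdp printed in the thread; the second host is made up.
KNOWN_HOSTS2 = """\
SERVER 3389 c9:1b:cf:6c:af:23:67:51:15:0d:27:ab:6b:62:9f:fe:ea:0d:5a:ee Q049U0VSVkVS Q049U0VSVkVS
# blank lines and '#' comments are skipped by this reader
other.example.test 3390 00112233445566778899aabbccddeeff00112233
"""

Entry = Dict[str, Optional[str]]


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: lowercase hex with the colon separators removed."""
    return fp.replace(":", "").lower()


def parse_known_hosts2(text: str) -> Dict[Tuple[str, int], Entry]:
    """Map (host, port) -> {'fingerprint', 'subject', 'issuer'}.

    Host names are lower-cased so lookups are case-insensitive.
    """
    store: Dict[Tuple[str, int], Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts2 line: {raw!r}")
        host, port = fields[0].lower(), int(fields[1])
        fingerprint = normalize_fingerprint(fields[2])
        subject = base64.b64decode(fields[3]).decode() if len(fields) > 3 else None
        issuer = base64.b64decode(fields[4]).decode() if len(fields) > 4 else None
        store[(host, port)] = {
            "fingerprint": fingerprint,
            "subject": subject,
            "issuer": issuer,
        }
    return store


def check_host(store: Dict[Tuple[str, int], Entry], host: str, port: int,
               presented_fp: str) -> str:
    """Compare a presented thumbprint against the pin for (host, port).

    Returns 'match' (pinned value agrees), 'mismatch' (a pin exists but
    the presented thumbprint differs, i.e. the server key changed or the
    connection is not reaching the expected host), or 'unknown' (no pin
    yet; this is the trust-on-first-use prompt the thread is about).
    """
    entry = store.get((host.lower(), port))
    if entry is None:
        return "unknown"
    pinned = entry["fingerprint"] or ""
    if hmac.compare_digest(pinned, normalize_fingerprint(presented_fp)):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    pins = parse_known_hosts2(KNOWN_HOSTS2)
    shown = "C9:1B:CF:6C:AF:23:67:51:15:0D:27:AB:6B:62:9F:FE:EA:0D:5A:EE"
    print("SERVER:3389 ->", check_host(pins, "SERVER", 3389, shown))
    print("SERVER:3389 (other key) ->", check_host(pins, "SERVER", 3389, "00" * 20))
    print("SERVER:3390 ->", check_host(pins, "SERVER", 3390, shown))
```

Only a `match` result should let a client proceed silently; `unknown` is the first-contact case where the prompt is the right behaviour, and `mismatch` is the case to stop on rather than answer Y, since a changed thumbprint for a pinned host is exactly what a pin store exists to surface. Note that this reader pins per host and port, so the same server on a second port gets its own entry.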