On Fri, Nov 07, 2025 at 10:41:51PM -0000, Stuart Henderson wrote:
> On 2025-11-07, [email protected] <[email protected]> wrote:
> > Dear list,
> >
> >
> > I have a problem connecting my OpenBSD 7.8 computer to Windows 11 via
> > the remote-desktop connection, using freerdp-2.11.7. If, on Windows,
> > the option "Require devices to use Network-level Authentication to connect"
> > is selected, I fail to connect:
> >
> > ; xfreerdp /u:USER /p:PASSWORD /v:IP
> > [17:45:57:115] [52128:15346440] [WARN][com.freerdp.crypto] - Certificate 
> > verification failure 'unable to get local issuer certificate (20)' at stack 
> > position 0
> > [17:45:57:116] [52128:15346440] [WARN][com.freerdp.crypto] - CN = 
> > DESKTOP-BLABLA
> > [17:45:57:120] [52128:15346440] [ERROR][com.freerdp.core.transport] - 
> > BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert 
> > internal error
> > [17:45:57:120] [52128:15346440] [ERROR][com.freerdp.core] - 
> > transport_read_layer:freerdp_set_last_error_ex 
> > ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> > [17:45:57:258] [52128:15346440] [ERROR][com.freerdp.core.transport] - 
> > BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert 
> > internal error
> > [17:45:57:258] [52128:15346440] [ERROR][com.freerdp.core] - 
> > transport_read_layer:freerdp_set_last_error_ex 
> > ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> > [17:45:57:258] [52128:15346440] [ERROR][com.freerdp.core] - 
> > freerdp_post_connect failed
> >
> > If I deselect that option and add a switch about /sec:tls like
> >
> > ; xfreerdp /u:USER /p:PASSWORD /sec:tls /v:IP
> >
> > I succeed.
> >
> > I do not know how dangerous it is to proceed with no NLA, probably it
> > is better to have it active (??). So I want to ask if somebody knows what
> > can be wrong or what can be done to mitigate the issue.
> >
> > Thank you for your comments.
> >
> >
> > Best regards,
> > Ruda
> >
> >
> 
> 
> Apparently building freerdp against openssl may help.
> https://marc.info/?l=openbsd-misc&m=172244062927222&w=2
> 
> We probably can't do that in ports (there will be problems if the
> library is used by programs linked against libressl).

This sounds rather similar to an issue gerhard once posted a workaround
for (if the diff doesn't apply, it should be easy to do it by hand):

https://marc.info/?l=openbsd-tech&m=167999870115456&w=2

The diff isn't right and I don't think we can fix this without actually
implementing PSK.
