Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2
Control: reassign -1 src:freerdp2
Control: found -1 2.0.0~git20180411.1.7a7b1802+dfsg1-2
Control: fixed -1 2.0.0~git20180411.1.7a7b1802+dfsg1-3
Control: close -1

On Fr 09 Nov 2018 08:54:26 CET, Matsievskiy S.V. wrote:

> Yes, it does work after the update

Ok, closing this bug then.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2
Yes, it does work after the update

On 09/11/2018 00:42, Mike Gabriel wrote:
> Hi,
>
> On Mi 07 Nov 2018 09:02:11 CET, Matsievskiy S.V. wrote:
>
>> Package: remmina-plugin-rdp
>> Version: 1.2.32+dfsg-2
>> Severity: important
>>
>> Dear Maintainer,
>>
>> remmina-plugin-rdp seems to be affected by the issue described in bug
>> #912206 for freerdp2-x11.
>>
>> Original report:
>>
>>> Package: freerdp2-x11
>>> Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
>>> Severity: normal
>>>
>>> Dear Maintainer,
>>>
>>> After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
>>> able to connect to a computer running Remote Desktop Services on Windows
>>> Server 2008 R2 (with default settings as far as I am aware) using TLS
>>> security. Connection fails with the following messages:
>>>
>>>     [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
>>>     [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
>>>
>>> Downgrading libssl1.1 to 1.1.0h-4 fixes the issue. To further diagnose
>>> the cause, I noticed that the server sends TCP RST in response to the
>>> SSL Client Hello message. After some trial and error, I determined that
>>> this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
>>> algorithms, which is the case for SECLEVEL=2 which is the default in the
>>> libssl1.1 Debian package since version 1.1.1~~pre6-1. To confirm, this
>>> fails:
>>>
>>>     openssl s_client -connect 192.168.0.2:3389
>>>
>>> while this works:
>>>
>>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389
>>>
>>> For further confirmation that rsa_pkcs1_sha1 is responsible, this works:
>>>
>>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389
>>>
>>> while this fails:
>>>
>>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389
>>>
>>> Applying this discovery, it is possible to make xfreerdp work using:
>>>
>>>     xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1
>>>
>>> However, since most users are unlikely to figure this out on their own,
>>> I'd suggest calling SSL_CTX_set_security_level to set the security level
>>> to 1 or improving the error message to suggest this workaround.
>>>
>>> Thanks,
>>> Kevin
>
> This issue is probably fixed by today's freerdp2 upload to unstable
> (2.0.0~git20180411.1.7a7b1802+dfsg1-3).
>
> Please check and report back.
>
> Thanks!
> Mike (co-maintainer+uploader of freerdp2 in Debian)

Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2
Hi,

On Mi 07 Nov 2018 09:02:11 CET, Matsievskiy S.V. wrote:

> Package: remmina-plugin-rdp
> Version: 1.2.32+dfsg-2
> Severity: important
>
> Dear Maintainer,
>
> remmina-plugin-rdp seems to be affected by the issue described in bug
> #912206 for freerdp2-x11.
>
> Original report:
>
>> Package: freerdp2-x11
>> Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
>> able to connect to a computer running Remote Desktop Services on Windows
>> Server 2008 R2 (with default settings as far as I am aware) using TLS
>> security. Connection fails with the following messages:
>>
>>     [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
>>     [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
>>
>> Downgrading libssl1.1 to 1.1.0h-4 fixes the issue. To further diagnose
>> the cause, I noticed that the server sends TCP RST in response to the
>> SSL Client Hello message. After some trial and error, I determined that
>> this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
>> algorithms, which is the case for SECLEVEL=2 which is the default in the
>> libssl1.1 Debian package since version 1.1.1~~pre6-1. To confirm, this
>> fails:
>>
>>     openssl s_client -connect 192.168.0.2:3389
>>
>> while this works:
>>
>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389
>>
>> For further confirmation that rsa_pkcs1_sha1 is responsible, this works:
>>
>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389
>>
>> while this fails:
>>
>>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389
>>
>> Applying this discovery, it is possible to make xfreerdp work using:
>>
>>     xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1
>>
>> However, since most users are unlikely to figure this out on their own,
>> I'd suggest calling SSL_CTX_set_security_level to set the security level
>> to 1 or improving the error message to suggest this workaround.
>>
>> Thanks,
>> Kevin

This issue is probably fixed by today's freerdp2 upload to unstable
(2.0.0~git20180411.1.7a7b1802+dfsg1-3).

Please check and report back.

Thanks!
Mike (co-maintainer+uploader of freerdp2 in Debian)
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2
Package: remmina-plugin-rdp
Version: 1.2.32+dfsg-2
Severity: important

Dear Maintainer,

remmina-plugin-rdp seems to be affected by the issue described in bug
#912206 for freerdp2-x11.

Original report:

> Package: freerdp2-x11
> Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
> Severity: normal
>
> Dear Maintainer,
>
> After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
> able to connect to a computer running Remote Desktop Services on Windows
> Server 2008 R2 (with default settings as far as I am aware) using TLS
> security. Connection fails with the following messages:
>
>     [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
>     [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
>
> Downgrading libssl1.1 to 1.1.0h-4 fixes the issue. To further diagnose
> the cause, I noticed that the server sends TCP RST in response to the
> SSL Client Hello message. After some trial and error, I determined that
> this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
> algorithms, which is the case for SECLEVEL=2 which is the default in the
> libssl1.1 Debian package since version 1.1.1~~pre6-1. To confirm, this
> fails:
>
>     openssl s_client -connect 192.168.0.2:3389
>
> while this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389
>
> For further confirmation that rsa_pkcs1_sha1 is responsible, this works:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389
>
> while this fails:
>
>     openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389
>
> Applying this discovery, it is possible to make xfreerdp work using:
>
>     xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1
>
> However, since most users are unlikely to figure this out on their own,
> I'd suggest calling SSL_CTX_set_security_level to set the security level
> to 1 or improving the error message to suggest this workaround.
>
> Thanks,
> Kevin

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.9-custom (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages remmina-plugin-rdp depends on:
ii  libatk1.0-0           2.30.0-1
ii  libc6                 2.27-8
ii  libcairo2             1.16.0-1
ii  libfreerdp-client2-2  2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libfreerdp2-2         2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libgdk-pixbuf2.0-0    2.38.0+dfsg-6
ii  libglib2.0-0          2.58.1-2
ii  libgtk-3-0            3.24.1-2
ii  libice6               2:1.0.9-2
ii  libpango-1.0-0        1.42.4-3
ii  libsm6                2:1.2.2-1+b3
ii  libwinpr2-2           2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
ii  libx11-6              2:1.6.7-1
ii  libxext6              2:1.3.3-1+b2
ii  remmina               1.2.32+dfsg-2

remmina-plugin-rdp recommends no packages.

remmina-plugin-rdp suggests no packages.

-- no debconf information
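
The diagnosis in the original report is that the server resets the connection whenever the ClientHello's signature_algorithms extension does not offer rsa_pkcs1_sha1. As an added example (not part of this thread and not FreeRDP or OpenSSL code), the following Python parses a ClientHello record and checks for that code point; the two sample hellos are constructed here from the `-sigalgs` lists quoted in the report, not captured from a real client, and all function names are illustrative.

```python
import struct

SIGALG_EXT = 13           # signature_algorithms extension type
RSA_PKCS1_SHA1 = 0x0201   # hash byte 2 (SHA-1), signature byte 1 (RSA)

# Constructed samples modelled on the report's two -sigalgs lists (not captures).
# Code point = (hash << 8) | sig; hash 6/5/4/3 = SHA512/384/256/224, sig 1/2/3 = RSA/DSA/ECDSA.
FAILING = [(h << 8) | s for h in (6, 5, 4, 3) for s in (1, 2, 3)] + [0x0202, 0x0203]
WORKING = [RSA_PKCS1_SHA1]

def build_client_hello(sigalgs):
    """Build a minimal TLS 1.2 ClientHello record offering `sigalgs` (test input only)."""
    algs = b"".join(struct.pack("!H", a) for a in sigalgs)
    ext = struct.pack("!HHH", SIGALG_EXT, len(algs) + 2, len(algs)) + algs
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_sigalgs(record):
    """Return the signature algorithm code points offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) != int.from_bytes(record[6:9], "big"):
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                          # version, random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
        pos += 1 + body[pos]                                  # compression methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # extensions block
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SIGALG_EXT:
            n = int.from_bytes(data[:2], "big")
            return [int.from_bytes(data[i:i + 2], "big")
                    for i in range(2, min(2 + n, len(data)) - 1, 2)]
        pos += 4 + elen
    return []   # no signature_algorithms extension present

def offers_rsa_sha1(record):
    """True if the hello offers rsa_pkcs1_sha1, whose absence the report ties to the RST."""
    return RSA_PKCS1_SHA1 in offered_sigalgs(record)

if __name__ == "__main__":
    for label, algs in (("failing list", FAILING), ("working list", WORKING)):
        print(label, "offers rsa_pkcs1_sha1:", offers_rsa_sha1(build_client_hello(algs)))
```

The failing list still contains DSA+SHA1 and ECDSA+SHA1, so the check has to match the exact RSA+SHA1 code point rather than any SHA-1 entry.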