On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <[email protected]> wrote:
> Hello all,
>
> I guess most of us are ignoring certificates with RDP. If you are like me
> and looked at Microsoft's documentation how to replace a self-signed
> certificate, there is a clear trade off… and so far I am running Guacamole
> on the same physical host as my virtual machines it interfaces to, but I
> guess this is a rather atypical scenario. You may also argue, NLA/CredSSP
> is used after TLS connection is established and mitigates the risk, but
> from a privacy pov at least you disclose communication metadata (including
> the PDU for Hyper-V connections) prior to that, and if you are located in
> Europe like me, discussions like this trigger data protection impact
> assessments…
>
> The good news is that FreeRDP now supports supplying known certificate
> fingerprints starting with https://github.com/FreeRDP/FreeRDP/pull/5880.
> I am already leveraging that when my software interfaces to wfreerdp via
> command line, but with Guacamole I cannot. I definitely would appreciate
> if that could be added to Guacamole as well, probably as part of the
> connection properties.
>
> Thanks & Best Regards, Joachim
>

Guacamole kind of already supports this - by default, the FreeRDP library
tries to create a directory within the current user's home directory, and
when Mike was implementing FreeRDP 2 support we ran into the fact that
FreeRDP doesn't really take no for an answer, anymore. So, you should be
able to add certificates to this store that FreeRDP auto-creates and
un-tick that Ignore Certificates box.

-Nick
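The thread is about pinning an RDP server's TLS certificate by fingerprint instead of ignoring it. As an added example (not code from this thread, Guacamole or FreeRDP), the script below shows the two halves of that: fetching the leaf certificate an RDP server presents after X.224/RDP_NEG_REQ negotiation of PROTOCOL_SSL, and checking its fingerprint against a pin store. The pin-store format (`host port algo fingerprint`, one entry per line) is a hypothetical one invented for this example and is not FreeRDP's own known-hosts format; the host name `vm1.example.internal` and the pinned value (the SHA-256 of the constructed stand-in bytes `b"abc"`) are constructed sample data so the check runs offline.

```python
"""Fetch an RDP server's TLS certificate and verify it against a pin.

Added example for this thread; not Guacamole or FreeRDP code. Standard
library only. The pin-store format below is hypothetical, not FreeRDP's.
"""
import hashlib
import hmac
import socket
import ssl
import struct

# Constructed sample pin store (hypothetical format: host port algo fingerprint).
# The fingerprint is SHA-256 of the stand-in bytes b"abc" used in demo().
SAMPLE_STORE = """
# host                  port  algo    fingerprint
vm1.example.internal    3389  sha256  BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
"""


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pin_store(text: str) -> dict:
    """Parse 'host port algo fingerprint' lines; '#' starts a comment.
    Returns {(host, port): (algo, fingerprint)} with host lower-cased."""
    store = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, port, algo, fp = line.split()
        store[(host.lower(), int(port))] = (algo.lower(), fp.upper())
    return store


def check_pin(host: str, port: int, der: bytes, store: dict) -> str:
    """Return 'match', 'mismatch', or 'unknown' (no pin recorded for host)."""
    entry = store.get((host.lower(), port))
    if entry is None:
        return "unknown"
    algo, expected = entry
    # compare_digest avoids a timing side channel on the comparison
    return "match" if hmac.compare_digest(fingerprint(der, algo), expected) else "mismatch"


def fetch_rdp_server_cert(host: str, port: int = 3389, timeout: float = 5.0) -> bytes:
    """Negotiate TLS with an RDP server and return its leaf certificate (DER).

    Sends an X.224 Connection Request carrying RDP_NEG_REQ asking for
    PROTOCOL_SSL, then starts TLS. Certificate verification is disabled
    on purpose: the point is to obtain the cert so it can be pinned."""
    # TPKT header (total length 19) + X.224 CR: LI=14, code 0xE0, refs 0, class 0
    x224_cr = b"\x03\x00\x00\x13" + b"\x0e\xe0\x00\x00\x00\x00\x00"
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols=PROTOCOL_SSL (1)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 0x0008, 0x00000001)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(x224_cr + neg_req)
        resp = sock.recv(19)
        # byte 5 is the X.224 code; 0xD0 is Connection Confirm
        if len(resp) < 19 or resp[5] != 0xD0:
            raise RuntimeError("no X.224 Connection Confirm with RDP_NEG_RSP")
        if resp[11] == 0x03:  # RDP_NEG_FAILURE
            code = struct.unpack_from("<I", resp, 15)[0]
            raise RuntimeError(f"server refused TLS, failureCode={code}")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> dict:
    """Offline demonstration using the constructed store and stand-in bytes."""
    store = parse_pin_store(SAMPLE_STORE)
    return {
        "pinned": check_pin("VM1.example.internal", 3389, b"abc", store),
        "changed": check_pin("vm1.example.internal", 3389, b"abd", store),
        "unpinned": check_pin("vm2.example.internal", 3389, b"abc", store),
    }


if __name__ == "__main__":
    print(demo())
    # Against a real host: der = fetch_rdp_server_cert("vm1.example.internal")
    # then print(fingerprint(der)) and record that value in the pin store.
```

The constant-time comparison and the `unknown` result matter in practice: a pinning client should refuse to proceed on `unknown` rather than silently fall back to trust-on-first-use, otherwise the first connection is exactly the one an on-path attacker targets. Fetching the certificate with verification disabled is only appropriate for the one-time step of recording the pin over a path you already trust.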
