Hi,
I'm trying to connect to an RDP server that is set up with both TLS and NLA.
The TLS certificate has been signed by a public CA - StartSSL to be specific.
When connecting to the RDP server from a clean Windows 7 install, there are
(1) absolutely no certificate prompts, and (2) NLA is used. Note that the RDP
server has been configured to remove unsafe protocols and ciphers like SSL 3.0,
RC4, and so on. A scan of the end-point with Digicert Certificate Inspector
indicates that only TLS 1.0 and TLS 1.1 are available, and ciphers are limited
to:
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
I can't seem to get this working in Guacamole. I'm using the latest guacd and
guacamole Docker images. In the web interface, I set the security mode to NLA and
entered the username and password. However, it fails to connect.
docker logs guacd reports:
guacd[22]: INFO: Certificate validation failed
guacd[22]: ERROR: Error connecting to RDP server
guacd[22]: INFO: Connection did not succeed
connected to host.mypublicdomain.com:3389
SSL_write: Failure in SSL library (protocol error?)
Authentication failure, check credentials.
If credentials are valid, the NTLMSSP implementation may be to blame.
My first thought was that the guacd docker image doesn't have the StartSSL root
cert, but examining files in /etc/ssl/certs seems to indicate that is not the
case: I found the right StartCom certificate with an identical RSA public key.
If I tick "Ignore server certificate" then the connection works, but obviously
that is not a real solution as it degrades the security.
Is this a bug in guacd? Or are there some (maybe undocumented) steps needed
to get certificate validation working?
Best regards,
James Johnston
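Added example (not code from the post above, nor from the Guacamole/guacd project): a small Python probe that reaches the TLS layer of an RDP endpoint the way an RDP client does. TLS on port 3389 only starts after the X.224 Connection Request/Confirm exchange, which is why a plain `openssl s_client` against the port does not work; the probe sends that request asking for TLS/NLA, reads the server's answer, then runs the TLS handshake on the same socket and verifies the certificate against the local CA store (or a CA file you pass in). The PDU layouts follow MS-RDPBCGR; the host name is the placeholder from the post. The post does not establish what causes guacd's validation failure, so the probe only reports what the server presents; it does not claim a diagnosis.

```python
"""Probe the TLS layer of an RDP endpoint: X.224 negotiation for TLS/NLA,
then a verifying TLS handshake on the same socket.
Added example; PDU layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000       # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001       # TLS only
PROTOCOL_HYBRID = 0x00000002    # TLS + CredSSP (NLA)
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI, code 0xE0 (CR, CDT 0), DST-REF, SRC-REF, class option 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Decode the server's Connection Confirm: selected protocol or failure."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match packet length")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    body = data[11:5 + li]          # bytes after the fixed 7-byte CC part
    if len(body) < 8:
        # Pre-TLS servers answer without RDP_NEG_RSP: standard RDP security
        return {"selected_protocol": PROTOCOL_RDP}
    typ, flags, _length, value = struct.unpack("<BBHI", body[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return {"selected_protocol": value, "flags": flags}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation structure type 0x%02x" % typ)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during negotiation")
        buf += chunk
    return buf


def _negotiate(host, port, timeout):
    """Open TCP and complete the X.224 exchange; returns (sock, confirm)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_x224_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
    hdr = _recv_exact(sock, 4)
    total = struct.unpack(">H", hdr[2:4])[0]
    return sock, parse_x224_connection_confirm(hdr + _recv_exact(sock, total - 4))


def probe_rdp_tls(host, port=3389, cafile=None, timeout=10):
    """Report negotiated protocol, TLS version, cipher and certificate status.
    cafile=None uses the system trust store (what a container has under
    /etc/ssl/certs); pass a file to test a specific root or chain instead."""
    sock, confirm = _negotiate(host, port, timeout)
    result = {"negotiation": confirm}
    if "failure" in confirm or not confirm["selected_protocol"]:
        sock.close()
        return result                       # no TLS layer to inspect
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result.update(tls_version=tls.version(), cipher=tls.cipher(),
                          verified=True, subject=tls.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as err:
        result.update(verified=False, verify_error=getattr(err, "verify_message", str(err)))
        # Negotiate again without verification so the leaf cert can be dumped
        # and inspected offline (e.g. openssl x509 -noout -subject -issuer).
        sock, _ = _negotiate(host, port, timeout)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["leaf_pem"] = ssl.DER_cert_to_PEM_cert(tls.getpeercert(True))
    except ssl.SSLError as err:
        # A modern OpenSSL may refuse a TLS 1.0/1.1-only server outright.
        result.update(verified=False, handshake_error=str(err))
    return result


if __name__ == "__main__":
    import pprint
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "host.mypublicdomain.com"
    pprint.pprint(probe_rdp_tls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 probe.py host.mypublicdomain.com` to use the system CA bundle, or add a path to a PEM file to test a specific root. A `verify_error` together with a `leaf_pem` whose issuer is an intermediate rather than a root is the usual sign that the server is not sending its full chain; a `handshake_error` before any certificate is seen points at the protocol/cipher restrictions on the server, since the post's endpoint offers only TLS 1.0 and 1.1 and a current OpenSSL may not accept those at its default security level.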