
Bug#913122: remmina-plugin-rdp: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-2



Hi,

On Wed 07 Nov 2018 09:02:11 CET, Matsievskiy S.V. wrote:

Package: remmina-plugin-rdp
Version: 1.2.32+dfsg-2
Severity: important

Dear Maintainer,

remmina-plugin-rdp seems to be affected by the issue described in bug #912206 for freerdp2-x11.
Original report:

Package: freerdp2-x11
Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1
Severity: normal

Dear Maintainer,

After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer
able to connect to a computer running Remote Desktop Services on Windows
Server 2008 R2 (with default settings as far as I am aware) using TLS
security.  Connection fails with the following messages:

    [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
    [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

Downgrading libssl1.1 to 1.1.0h-4 fixes the issue.  To further diagnose
the cause, I noticed that the server sends TCP RST in response to the
SSL Client Hello message.  After some trial and error, I determined that
this occurs whenever rsa_pkcs1_sha1 is not in the offered signature
algorithms, which is the case for SECLEVEL=2 which is the default in the
libssl1.1 Debian package since version 1.1.1~~pre6-1.  To confirm, this
fails:

    openssl s_client -connect 192.168.0.2:3389

while this works:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389

For further confirmation that rsa_pkcs1_sha1 is responsible, this works:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389

while this fails:

    openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389

Applying this discovery, it is possible to make xfreerdp work using:

    xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1

However, since most users are unlikely to figure this out on their own,
I'd suggest calling SSL_CTX_set_security_level to set the security level
to 1 or improving the error message to suggest this workaround.

Thanks,
Kevin


This issue is probably fixed by today's freerdp2 upload to unstable (2.0.0~git20180411.1.7a7b1802+dfsg1-3).

Please check and report back. Thanks!

Mike (co-maintainer+uploader of freerdp2 in Debian)
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

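An added example, not part of this bug thread and not FreeRDP, Remmina or Debian code: a small Python probe that automates the s_client trial-and-error from the quoted report. It sends a hand-built TLS 1.2 ClientHello carrying a chosen signature_algorithms list, classifies the server's first reply (ServerHello, TLS alert, or the connection simply being closed, which is how a TCP RST after the ClientHello shows up at the client), and then drops candidates one at a time to find which algorithms the server will not negotiate without. It speaks raw TLS on the RDP port, as the s_client commands above do. The host, port and candidate list are illustration-only assumptions, and the byte strings in the lead-in usage are constructed rather than captured. The parser can also be pointed at a ClientHello record extracted from a packet capture to see what a client actually offered (OpenSSL at SECLEVEL=2 leaves out the SHA1 entries).

```python
#!/usr/bin/env python3
"""TLS 1.2 signature_algorithms probe (added example, not FreeRDP/Debian code).

Reproduces the bug report's s_client experiments programmatically: offer a
chosen signature_algorithms list in a ClientHello and see whether the server
answers with a ServerHello, a TLS alert, or just drops the connection.
"""
import socket
import struct
import sys

# TLS 1.2 SignatureAndHashAlgorithm code points (hash byte, signature byte),
# named as in RFC 8446 so they match what OpenSSL's -sigalgs accepts.
SIGALGS = {
    "rsa_pkcs1_sha1": 0x0201,
    "rsa_pkcs1_sha256": 0x0401,
    "rsa_pkcs1_sha384": 0x0501,
    "rsa_pkcs1_sha512": 0x0601,
    "ecdsa_sha1": 0x0203,
    "ecdsa_secp256r1_sha256": 0x0403,
    "ecdsa_secp384r1_sha384": 0x0503,
    "ecdsa_secp521r1_sha512": 0x0603,
}
NAMES = {v: k for k, v in SIGALGS.items()}

# ECDHE-RSA and plain RSA AES suites; enough for an older Windows RDP listener.
CIPHERS = (0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035)


def build_client_hello(sigalgs):
    """Build a minimal TLS 1.2 ClientHello record offering exactly `sigalgs`."""
    cipher_bytes = b"".join(struct.pack("!H", c) for c in CIPHERS)
    sa = b"".join(struct.pack("!H", SIGALGS[n]) for n in sigalgs)
    ext_sigalgs = struct.pack("!HHH", 13, len(sa) + 2, len(sa)) + sa
    groups = struct.pack("!HH", 23, 24)  # secp256r1, secp384r1 for the ECDHE suites
    ext_groups = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups
    ext_points = struct.pack("!HHBB", 11, 2, 1, 0)  # ec_point_formats: uncompressed
    extensions = ext_sigalgs + ext_groups + ext_points
    body = (
        b"\x03\x03" + bytes(32)  # client_version 1.2, fixed client_random (probe only)
        + b"\x00"                # empty session_id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type, uint24 len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_sigalgs(record):
    """Read the signature_algorithms list back out of a ClientHello record
    (e.g. one taken from a packet capture), as algorithm names."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 13:
            n = struct.unpack("!H", record[p + 4:p + 6])[0]
            codes = struct.unpack("!%dH" % (n // 2), record[p + 6:p + 6 + n])
            return [NAMES.get(c, "0x%04x" % c) for c in codes]
        p += 4 + elen
    return []  # extension absent: RFC 5246 7.4.1.4.1 says the server assumes SHA1


def classify_reply(data):
    """Map the first bytes the server sends back to a short verdict."""
    if not data:
        return "closed"  # FIN/RST before any TLS record, as in the quoted report
    if len(data) < 6 or data[1] != 3:
        return "not-tls"
    if data[0] == 0x15 and len(data) >= 7:
        return "alert(%s,%d)" % ("fatal" if data[5] == 2 else "warning", data[6])
    if data[0] == 0x16 and data[5] == 0x02:
        return "server_hello"
    return "record(0x%02x)" % data[0]


def probe(host, port, sigalgs, timeout=5.0):
    """Send one ClientHello offering `sigalgs` and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sigalgs))
        try:
            return classify_reply(s.recv(4096))
        except ConnectionResetError:
            return "reset"
        except socket.timeout:
            return "timeout"


def required_sigalgs(host, port, candidates=tuple(SIGALGS), prober=probe):
    """Algorithms the server refuses to handshake without, or None if it
    rejects even the full candidate list (nothing to conclude then)."""
    if prober(host, port, list(candidates)) != "server_hello":
        return None
    return [a for a in candidates
            if prober(host, port, [b for b in candidates if b != a]) != "server_hello"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.2"  # assumed, as in the report
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    print("required by %s:%d: %s" % (host, port, required_sigalgs(host, port)))
```

Against the server in the report one would expect the full list to succeed, the list minus rsa_pkcs1_sha1 to come back as "closed" or "reset", and every other single removal to still yield "server_hello", so the output names rsa_pkcs1_sha1 alone.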