
Bug#860890: marked as done (needs ssl-cert membership, does not report the error)



Your message dated Fri, 12 Apr 2024 08:09:52 +0200
with message-id <434cbd010727c31c734b88a38973f066@phys.ethz.ch>
and subject line needs ssl-cert membership, does not report the error
has caused the Debian Bug report #860890,
regarding needs ssl-cert membership, does not report the error
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xrdp
Version: 0.9.1-7
Severity: normal

Hi,

I have recently tried to use xrdp with TLS. With delight, I saw that the
package already comes with the normal snake oil certs configured, so I
went ahead and set security_layer=tls in xrdp.ini, only to find myself
unable to connect any more.

xrdp's log entries are inconclusive:
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42286
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Security layer: requested 3, selected 1
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42288
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Security layer: requested 1, selected 1
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42290
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Security layer: requested 0, selected 1
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener

After seeing that xrdp is not running as root, I addusered xrdp to
ssl-cert on a hunch, which solved the issue.

At the very least, it should be mentioned in README.Debian that to use
SSL one needs to add the xrdp user to the ssl-cert group. Ideally, xrdp
would also complain in the logs when it is unable to open the ssl
private key file.

Please also think about documenting whether security_layer=tls will
force TLS to be used or whether a fallback to a lesser security layer
will occur. It would also be nice if the meaning of "Security layer:
requested 0, selected 1" was documented.

Greetings
Marc

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xrdp depends on:
ii  adduser              3.115
ii  init-system-helpers  1.47
ii  libc6                2.24-10
ii  libfuse2             2.9.7-1
ii  libjpeg62-turbo      1:1.5.1-2
ii  libopus0             1.2~alpha2-1
ii  libpam0g             1.1.8-3.5
ii  libssl1.1            1.1.0e-1
ii  libx11-6             2:1.6.4-3
ii  libxfixes3           1:5.0.3-1
ii  libxrandr2           2:1.5.1-1
ii  lsb-base             9.20161125
ii  ssl-cert             1.0.38

Versions of packages xrdp recommends:
ii  fuse      2.9.7-1
ii  xorgxrdp  0.9.1-7

Versions of packages xrdp suggests:
pn  guacamole  <none>

Versions of packages xorgxrdp depends on:
ii  libc6                                  2.24-10
pn  xorg-input-abi-24                      <none>
ii  xserver-xorg-core [xorg-video-abi-23]  2:1.19.3-1

Versions of packages xorgxrdp recommends:
ii  xorg  1:7.7+18

Versions of packages xrdp is related to:
pn  vnc-server           <none>
pn  xserver-xorg-legacy  <none>

--- End Message ---
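The failure reported above (a service account that cannot read the TLS private key, with no log line naming the file) can be checked for ahead of time by walking the key's path and testing the mode bits at each component. This is an added example, not part of the original report or of the xrdp package; `first_blocker`, `demo`, the temporary directory layout and its modes are constructed for illustration, and only classic mode bits are modelled.

```python
import os
import tempfile

def first_blocker(path, uid, gids, start="/"):
    """Return the first component of `path` below `start` that uid/gids
    cannot traverse (directories) or read (final file); None if readable.
    Classic mode bits only: ACLs and capabilities are ignored."""
    if uid == 0:
        return None  # root bypasses mode-bit checks
    path, current = os.path.realpath(path), os.path.realpath(start)
    parts = os.path.relpath(path, current).split(os.sep)
    for i, name in enumerate(parts):
        current = os.path.join(current, name)
        st = os.stat(current)
        need = 0o4 if i == len(parts) - 1 else 0o1  # r on file, x on dirs
        if uid == st.st_uid:
            bits = st.st_mode >> 6      # owner class
        elif st.st_gid in gids:
            bits = st.st_mode >> 3      # group class
        else:
            bits = st.st_mode           # other class
        if not bits & need:
            return current
    return None

def demo():
    """Constructed layout: a group-restricted directory holding a key file."""
    base = tempfile.mkdtemp()
    private = os.path.join(base, "private")
    os.mkdir(private)
    key = os.path.join(private, "key.pem")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o640)      # assumed modes: owner rw, group r, others none
    os.chmod(private, 0o710)  # assumed modes: owner rwx, group x, others none
    gids = {os.stat(p).st_gid for p in (private, key)}
    service_uid = os.stat(key).st_uid + 4242  # hypothetical non-owner account
    without_group = first_blocker(key, service_uid, set(), start=base)
    with_group = first_blocker(key, service_uid, gids, start=base)
    return os.path.realpath(private), without_group, with_group

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the service account's uid and group ids (from `pwd` and `os.getgrouplist`) and the configured key path; a non-`None` result names the directory or file whose permissions need attention.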
--- Begin Message ---
please re-open if you prefer the bug open/visible

07:53 < me> what is consensus with wontfix bugs like this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860890 keep open for visibility. or just close because it's even documented in debian/README.Debian ? i'm personally for the latter, but not sure, thus asking
07:53 -zwiebelbot:#debian-devel- Debian#860890: needs ssl-cert membership, does not report the error - https://bugs.debian.org/860890
08:00 < someone> I do not think there is real consensus there. It is a judgement call. Having it open/wontfix serves as visible documentation and might avoid getting the same request again. OTOH it clutters the list.
08:02 < someoneelse> I always thought it's up to the maintainer
08:02 < someoneelse> if they want it out of the way, close it
08:02 < someoneelse> if they want it shown to avoid new bugs flowing in (or if they think it's a legit bug but just wontfix, keep it open)
08:03 < someoneelse> so, as nutmeg said
08:07 < me> thank you for your opinions, i will close it and see if nobody complains, if someone complains and prefers option 1, i'll go with that
08:09 < someoneotherelse> me: I also recall it being a maintainer call. generally though I think the bts is for helping the maintainer, so I err on marking stuff as done that is not actionable.
--- End Message ---
