--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: needs ssl-cert membership, does not report the error
- From: Marc Haber <mh+debian-packages@zugschlus.de>
- Date: Fri, 21 Apr 2017 14:38:50 +0200
- Message-id: <149277833025.21096.10461967447978279523.reportbug@swivel.zugschlus.de>
Package: xrdp
Version: 0.9.1-7
Severity: normal
Hi,
I have recently tried to use xrdp with TLS. With delight, I saw that the
package already comes with the normal snake oil certs configured, so I
went ahead and set security_layer=tls in xrdp.ini, only to find myself
unable to connect any more.
xrdp's log entries are inconclusive:
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42286
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Security layer: requested 3, selected 1
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1482]: (1482)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42288
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Security layer: requested 1, selected 1
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1483]: (1483)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[INFO ] A connection received from: ::ffff:192.168.78.233 port 42290
Apr 21 14:16:21 myhostname xrdp[1368]: (1368)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[INFO ] Using default X.509 key file: /etc/xrdp/key.pem
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Security layer: requested 0, selected 1
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.86.106 port 3389)
Apr 21 14:16:21 myhostname xrdp[1484]: (1484)(140013654559552)[ERROR] Listening socket is in wrong state, terminating listener
After seeing that xrdp is not running as root, I addusered xrdp to
ssl-cert on a hunch, which solved the issue.
At the very least, it should be mentioned in README.Debian that to use
SSL one needs to add the xrdp user to the ssl-cert group. Ideally, xrdp
would also complain in the logs when it is unable to open the ssl
private key file.
Please also think about documenting whether security_layer=tls will
force TLS to be used or whether a fallback to a lesser security layer
will occur. It would also be nice if the meaning of "Security layer:
requested 0, selected 1" was documented.
Greetings
Marc
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages xrdp depends on:
ii adduser 3.115
ii init-system-helpers 1.47
ii libc6 2.24-10
ii libfuse2 2.9.7-1
ii libjpeg62-turbo 1:1.5.1-2
ii libopus0 1.2~alpha2-1
ii libpam0g 1.1.8-3.5
ii libssl1.1 1.1.0e-1
ii libx11-6 2:1.6.4-3
ii libxfixes3 1:5.0.3-1
ii libxrandr2 2:1.5.1-1
ii lsb-base 9.20161125
ii ssl-cert 1.0.38
Versions of packages xrdp recommends:
ii fuse 2.9.7-1
ii xorgxrdp 0.9.1-7
Versions of packages xrdp suggests:
pn guacamole <none>
Versions of packages xorgxrdp depends on:
ii libc6 2.24-10
pn xorg-input-abi-24 <none>
ii xserver-xorg-core [xorg-video-abi-23] 2:1.19.3-1
Versions of packages xorgxrdp recommends:
ii xorg 1:7.7+18
Versions of packages xrdp is related to:
pn vnc-server <none>
pn xserver-xorg-legacy <none>
--- End Message ---
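An added pre-flight check for the failure described in the report above (example code, not from the bug report or the xrdp project): it answers whether a given service user could read a key file carrying the root:ssl-cert 0640 permissions of the Debian snakeoil key, and flags xrdp child processes in a log that selected TLS and then died with an ERROR line, which is all the report's log shows. It assumes that "selected 1" is the MS-RDPBCGR PROTOCOL_SSL value, i.e. TLS, which the report itself does not confirm, and the sample log lines are constructed.

```python
import os
import re
import stat
import tempfile

PROTOCOL_SSL = 1  # MS-RDPBCGR value for TLS; assumed to be what "selected 1" means

def readable_by(path, uid, gids):
    """Unix read check for uid with group set gids; follows symlinks (snakeoil key is one)."""
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:  # the bit that ssl-cert membership grants the xrdp user
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def failed_tls_children(log_lines):
    """PIDs of children that selected TLS and then logged ERROR, the only trace left."""
    selected, failed = {}, []
    for line in log_lines:
        pid = re.search(r"xrdp\[(\d+)\]", line)
        sel = re.search(r"Security layer: requested \d+, selected (\d+)", line)
        if pid and sel:
            selected[pid.group(1)] = int(sel.group(1))
        elif pid and "[ERROR]" in line and selected.get(pid.group(1)) == PROTOCOL_SSL:
            failed.append(pid.group(1))
    return failed

SAMPLE_LOG = [  # constructed, modelled on the report above; host and thread id shortened
    "Apr 21 14:16:21 h xrdp[1482]: (1482)(1)[DEBUG] Security layer: requested 3, selected 1",
    "Apr 21 14:16:21 h xrdp[1482]: (1482)(1)[ERROR] Listening socket is in wrong state, terminating listener",
    "Apr 21 14:16:25 h xrdp[1490]: (1490)(1)[DEBUG] Security layer: requested 1, selected 1",
]

def demo():
    """Mimic the root:ssl-cert 0640 key on a temp file; try owner, outsider, group member."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o640)  # same mode the Debian snakeoil private key carries
    me, grp = os.getuid(), os.stat(path).st_gid
    return {"owner": readable_by(path, me, []),
            "not_in_group": readable_by(path, me + 1, []),  # the unmodified xrdp user
            "in_group": readable_by(path, me + 1, [grp])}   # after adduser xrdp ssl-cert
```

Run `readable_by("/etc/xrdp/key.pem", uid, gids)` with the xrdp user's ids before switching security_layer=tls; a False here is the error the log never prints.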
--- Begin Message ---
- To: 860890-done@bugs.debian.org
- Subject: needs ssl-cert membership, does not report the error
- From: Gürkan Myczko <gurkan@phys.ethz.ch>
- Date: Fri, 12 Apr 2024 08:09:52 +0200
- Message-id: <434cbd010727c31c734b88a38973f066@phys.ethz.ch>
please re-open if you prefer the bug open/visible
07:53 < me> what is consensus with wontfix bugs like this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860890 keep open for
visibility. or just close because it's even documented in
debian/README.Debian ?
i'm personally for the latter, but not sure, thus
asking
07:53 -zwiebelbot:#debian-devel- Debian#860890: needs ssl-cert
membership, does not report the error - https://bugs.debian.org/860890
08:00 < someone> I do not think there is real consensus there. It is a
judgement call. Having it open/wontfix serves as visible documentation
and might avoid getting the same request again. OTOH it clutters the
list.
08:02 < someoneelse> I always thought it's up to the maintainer
08:02 < someoneelse> if they want it out of the way, close it
08:02 < someoneelse> if they want it shown to avoid new bugs flowing in
(or if they think it's a legit bug but just wontfix, keep it open)
08:03 < someoneelse> so, as nutmeg said
08:07 < me> thank you for your opinions, i will close it and see if
nobody complains, if someone complains and prefers option 1, i'll go
with that
08:09 < someoneotherelse> me: I also recall it being a maintainer call.
generally though I think the bts is for helping the maintainer, so I err
on marking stuff as done that is not actionable.
--- End Message ---