Your message dated Thu, 08 Nov 2018 12:19:05 +0000 with message-id <[email protected]> and subject line Bug#912206: fixed in freerdp2 2.0.0~git20180411.1.7a7b1802+dfsg1-3 has caused the Debian Bug report #912206, regarding freerdp2-x11: ERRCONNECT_TLS_CONNECT_FAILED with libssl1.1 1.1.1-1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 912206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912206 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: freerdp2-x11 Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1 Severity: normal Dear Maintainer, After upgrading libssl1.1 from 1.1.0h-4 to 1.1.1-1 xfreerdp is no longer able to connect to a computer running Remote Desktop Services on Windows Server 2008 R2 (with default settings as far as I am aware) using TLS security. Connection fails with the following messages: [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure Downgrading libssl1.1 to 1.1.0h-4 fixes the issue. To further diagnose the cause, I noticed that the server sends TCP RST in response to the SSL Client Hello message. After some trial and error, I determined that this occurs whenever rsa_pkcs1_sha1 in not the offered signature algorithms, which is the case for SECLEVEL=2 which is the default in the libssl1.1 Debian package since version 1.1.1~~pre6-1. To confirm, this fails: openssl s_client -connect 192.168.0.2:3389 while this works: openssl s_client -cipher DEFAULT@SECLEVEL=1 -connect 192.168.0.2:3389 For further confirmation that rsa_pkcs1_sha1 is responsible, this works: openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs rsa_pkcs1_sha1 -connect 192.168.0.2:3389 while this fails: openssl s_client -cipher DEFAULT@SECLEVEL=1 -sigalgs RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:DSA+SHA1:ECDSA+SHA1 -connect 192.168.0.2:3389 Applying this discovery, it is possible to make xfreerdp work using: xfreerdp /tls-ciphers:DEFAULT@SECLEVEL=1 However, since most users are unlikely to figure this out on their own, I'd suggest calling SSL_CTX_set_security_level to set the security level to 1 or improving the error message to suggest this workaround. Thanks, Kevin -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages freerdp2-x11 depends on: ii libc6 2.27-6 ii libfreerdp-client2-2 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1 ii libfreerdp2-2 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1 ii libwinpr2-2 2.0.0~git20180411.1.7a7b1802+dfsg1-2+b1 ii libx11-6 2:1.6.7-1 ii libxcursor1 1:1.1.15-1 ii libxext6 2:1.3.3-1+b2 ii libxfixes3 1:5.0.3-1 ii libxi6 2:1.7.9-1 ii libxinerama1 2:1.1.4-1 ii libxrandr2 2:1.5.1-1 ii libxrender1 1:0.9.10-1 ii libxv1 2:1.0.11-1 freerdp2-x11 recommends no packages. freerdp2-x11 suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: freerdp2 Source-Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-3 We believe that the bug you reported is fixed in the latest version of freerdp2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mike Gabriel <[email protected]> (supplier of updated freerdp2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 08 Nov 2018 12:08:43 +0100 Source: freerdp2 Binary: freerdp2-x11 libfreerdp2-2 libfreerdp-client2-2 libfreerdp-server2-2 libwinpr2-2 libwinpr-tools2-2 libwinpr2-dev freerdp2-dev winpr-utils libfreerdp-shadow2-2 libfreerdp-shadow-subsystem2-2 freerdp2-shadow-x11 libuwac0-0 libuwac0-dev freerdp2-wayland Architecture: source Version: 2.0.0~git20180411.1.7a7b1802+dfsg1-3 Distribution: unstable Urgency: medium Maintainer: Debian Remote Maintainers <[email protected]> Changed-By: Mike Gabriel <[email protected]> Description: freerdp2-dev - Free Remote Desktop Protocol library (development files) freerdp2-shadow-x11 - FreeRDP x11 shadowing server freerdp2-wayland - RDP client for Windows Terminal Services (wayland client) freerdp2-x11 - RDP client for Windows Terminal Services (X11 client) libfreerdp-client2-2 - Free Remote Desktop Protocol library (client library) libfreerdp-server2-2 - Free Remote Desktop Protocol library (server library) libfreerdp-shadow-subsystem2-2 - FreeRDP Remote Desktop Protocol shadow subsystem libraries libfreerdp-shadow2-2 - FreeRDP Remote Desktop Protocol shadow libraries libfreerdp2-2 - Free Remote Desktop Protocol library (core library) libuwac0-0 - Using wayland as a client library libuwac0-dev - Using wayland as a client (development files) libwinpr-tools2-2 - Windows Portable Runtime Tools library libwinpr2-2 - Windows Portable Runtime library libwinpr2-dev - Windows Portable Runtime library (development files) winpr-utils - Windows Portable Runtime library command line utilities Closes: 912206 Changes: freerdp2 (2.0.0~git20180411.1.7a7b1802+dfsg1-3) unstable; urgency=medium . [ Bernhard Miklautz ] * debian/patches: + Add 0002_set-tls-seclevel.patch. Sets the default TLS security level to 1. Back-ported from ustream (PR 4996). (Closes: #912206). . [ Mike Gabriel ] * debian/patches: + Add patch header to 0002_set-tls-seclevel.patch. * debian/*.symbols: + Add Build-Depends-Package: field. * debian/control: + Bump Standards-Version: to 4.2.1. No changes needed. Checksums-Sha1: 00553e2190e86b7c566d08576a45da3b0199d072 3695 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.dsc 1227913d2ac651108eea2ddb154bfbc248a5e7f7 42032 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.debian.tar.xz 14968fd364b9199c58a7e06f6fa6a73c6a25854f 13691 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3_source.buildinfo Checksums-Sha256: fd00a1ee73c96ca14a915d70a1398864225dad31335fb12db3aa529fb1280f00 3695 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.dsc f71410cd3cf97a9f8c17d91f3869a534380e6a05345d18e3bc899863dec5cd65 42032 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.debian.tar.xz 9990a722270f4733bfbc96cbe8ef11a30285923d4bb44d0f6717633fd92b76ac 13691 freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3_source.buildinfo Files: 3130b1c52d9e08eca8407c74540b70d8 3695 x11 optional freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.dsc 41533ee474cc33ab40cc02cf45407406 42032 x11 optional freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3.debian.tar.xz 157e7bba87509231457fc1a43a33d64a 13691 x11 optional freerdp2_2.0.0~git20180411.1.7a7b1802+dfsg1-3_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAlvkJPIVHHN1bndlYXZl ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxgAQP/1L9sOv2tb1V0meec2jEkWKG8thN 7uPBeyhBC6FQ0gX6QCC8Cdrk37udDOxeJqFsROGyOkgtewiIklvzyfNvRxxmfqJi 7TH8oobGKBsk/7Iu0OepCORDgf2zRNTP9WYsE93gZ/7NkZvWj5bdvclh+8FBe+o5 BQ9szF5BiLJQIT+zS79hMYKfG5Weq4J31eJW+H/9lJEkuMt1isYWjA1Osm/+C2hf BMEO92QqndX1NKDDRtpe1l2+dW2QGupN/ZozW8xcmCtd9ZbyqcSVtRFOCTUO/+mP SOVQsYEbsgrUlgKK4WuLjr14GXTNjEa1hZHpxiS/Pe+QyPHI1ukjBugHsiTXB0ML z+AIXEZqIxvAcaj0cim6U0sOU/XRIAvbiqFX6Wwx8uEVfUVDHjsAdHoyA8TV6q0e JU04JAvktNiCo0qKMCKL/BJBsKV5BBaixuazp8IAHosBATDa4MFuEvFvnFF4PRS/ /GG7NZF+D6WYVd3JzidMfyMqjA2Sta8V1tdW0Gr9hkCpw8Ly+9fU4nEfl4YFB/DF q8qmjo/YksZfCbKAEC+NJvcGBTpZkhJad11ziiXgnu0B95K4MPsSrmHsoiVMCJYe ED2OLCQQHq1SIL5OvvLtUtmqtcWjTcu57HoxrfN/EdxACx337yc07Nc//IHY8dZV 4wGA8NFfFqkQ8E1B =hS8O -----END PGP SIGNATURE-----
--- End Message ---

