Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2022/08/30 23:08:50 UTC

[GitHub] [guacamole-server] jmuehlner commented on a diff in pull request #392: GUACAMOLE-1674: Warn about NLA mode if FIPS mode is enabled, or disable if possible.

jmuehlner commented on code in PR #392:
URL: https://github.com/apache/guacamole-server/pull/392#discussion_r959005258


##########
src/protocols/rdp/settings.c:
##########
@@ -706,12 +707,31 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
     if (strcmp(argv[IDX_SECURITY], "nla") == 0) {
         guac_user_log(user, GUAC_LOG_INFO, "Security mode: NLA");
         settings->security_mode = GUAC_SECURITY_NLA;
+
+        /*
+         * NLA is known not to work with FIPS; allow the mode selection but
+         * warn that it will not work.
+         */
+        if (guac_fips_enabled())
+            guac_user_log(user, GUAC_LOG_WARNING,
+                    "NLA security mode is selected, "
+                    "but is known not to work, as FIPS mode is enabled.");
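Review bot: The warning added under `if (guac_fips_enabled())` says NLA "is known not to work" but leaves `settings->security_mode = GUAC_SECURITY_NLA` in place and gives the operator no next step. Consider wording the message so it states that the connection is expected to fail and that a different security mode should be selected. As a style point, the multi-line `guac_user_log(...)` call sits under an unbraced `if`; adding braces would match the braced `if (guac_fips_enabled()) {` used in the `GUAC_SECURITY_ANY` case of `guac_rdp_push_settings`.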

Review Comment:
   Sure



##########
src/protocols/rdp/settings.c:
##########
@@ -1529,7 +1549,20 @@ void guac_rdp_push_settings(guac_client* client,
         case GUAC_SECURITY_ANY:
             rdp_settings->RdpSecurity = TRUE;
             rdp_settings->TlsSecurity = TRUE;
-            rdp_settings->NlaSecurity = guac_settings->username && guac_settings->password;
+
+            /* Explicitly disable NLA if FIPS mode is enabled - it won't work */
+            if (guac_fips_enabled()) {
+
+                guac_client_log(client, GUAC_LOG_WARNING,
+                        "Disabling NLA security mode when FIPS mode is enabled.");
+                rdp_settings->NlaSecurity = FALSE;
+
+            }
+
+            /* Enable NLA security mode if both username and password are set */
+            else
+                rdp_settings->NlaSecurity = guac_settings->username && guac_settings->password;
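Review bot: In the `GUAC_SECURITY_ANY` case the "Disabling NLA security mode when FIPS mode is enabled." warning is logged whenever `guac_fips_enabled()` is true, including when username and password are not both set and the removed expression would have left `NlaSecurity` false anyway. Consider logging only when `guac_settings->username && guac_settings->password` holds, so the warning appears only when FIPS mode actually changes the outcome. As a style point, the braced `if` followed by a blank line, a comment and an unbraced `else` is easy to misread; bracing both branches would make the pairing obvious.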

Review Comment:
   Ah ok


