Posted to user@guacamole.apache.org by Joachim Lindenberg <jo...@lindenberg.one> on 2020/03/28 18:55:22 UTC

freerdp support for certificate fingerprints - also with Guacamole?

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me
and looked at Microsoft's documentation on how to replace a self-signed
certificate, there is a clear trade-off… and so far I am running Guacamole
on the same physical host as the virtual machines it interfaces to, but I
guess this is a rather atypical scenario. You may also argue that NLA/CredSSP is
used after the TLS connection is established and mitigates the risk, but from a
privacy point of view you at least disclose communication metadata (including
the PDU for Hyper-V connections) prior to that, and if you are located in Europe
like me, discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate
fingerprints, starting with https://github.com/FreeRDP/FreeRDP/pull/5880.
I am already leveraging that when my software interfaces to wfreerdp via the
command line, but with Guacamole I cannot. I definitely would appreciate it if
that could be added to Guacamole as well, probably as part of the connection
properties.

Thanks & Best Regards, Joachim

Re: freerdp support for certificate fingerprints - also with Guacamole?

Posted by Joachim Lindenberg <jo...@lindenberg.one>.
Hi Nick,

Thanks for following up. However, afaik this requires someone to run a FreeRDP client manually in the same environment that Guacamole is using, and to do so for all relevant hosts.

If you want to run Guacamole with Docker, this is pretty cumbersome to do. Also, certificates expire; one would then have to redo the manual work.

At least in my scenario, I can provide the correct fingerprint dynamically at runtime.

Perhaps others should comment on what their experience is.

Thanks,

Joachim

From: Nick Couchman <vn...@apache.org>
Sent: Saturday, 28 March 2020 20:06
To: user@guacamole.apache.org
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?

On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <joachim@lindenberg.one <ma...@lindenberg.one> > wrote:

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me and looked at Microsoft's documentation on how to replace a self-signed certificate, there is a clear trade-off… and so far I am running Guacamole on the same physical host as the virtual machines it interfaces to, but I guess this is a rather atypical scenario. You may also argue that NLA/CredSSP is used after the TLS connection is established and mitigates the risk, but from a privacy point of view you at least disclose communication metadata (including the PDU for Hyper-V connections) prior to that, and if you are located in Europe like me, discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate fingerprints, starting with https://github.com/FreeRDP/FreeRDP/pull/5880. I am already leveraging that when my software interfaces to wfreerdp via the command line, but with Guacamole I cannot. I definitely would appreciate it if that could be added to Guacamole as well, probably as part of the connection properties.

Thanks & Best Regards, Joachim

Guacamole kind of already supports this - by default, the FreeRDP library tries to create a directory within the current user's home directory, and when Mike was implementing FreeRDP 2 support we ran into the fact that FreeRDP doesn't really take no for an answer anymore. So you should be able to add certificates to this store that FreeRDP auto-creates and untick that Ignore Certificates box.

-Nick

Re: freerdp support for certificate fingerprints - also with Guacamole?

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <jo...@lindenberg.one>
wrote:

> Hello all,
>
> I guess most of us are ignoring certificates with RDP. If you are like me
> and looked at Microsoft's documentation on how to replace a self-signed
> certificate, there is a clear trade-off… and so far I am running Guacamole
> on the same physical host as the virtual machines it interfaces to, but I
> guess this is a rather atypical scenario. You may also argue that NLA/CredSSP
> is used after the TLS connection is established and mitigates the risk, but
> from a privacy point of view you at least disclose communication metadata
> (including the PDU for Hyper-V connections) prior to that, and if you are
> located in Europe like me, discussions like this trigger data protection
> impact assessments…
>
> The good news is that FreeRDP now supports supplying known certificate
> fingerprints, starting with https://github.com/FreeRDP/FreeRDP/pull/5880.
> I am already leveraging that when my software interfaces to wfreerdp via
> the command line, but with Guacamole I cannot. I definitely would appreciate
> it if that could be added to Guacamole as well, probably as part of the
> connection properties.
>
> Thanks & Best Regards, Joachim
>

Guacamole kind of already supports this - by default, the FreeRDP library
tries to create a directory within the current user's home directory, and
when Mike was implementing FreeRDP 2 support we ran into the fact that
FreeRDP doesn't really take no for an answer anymore. So you should be
able to add certificates to this store that FreeRDP auto-creates and
untick that Ignore Certificates box.

-Nick
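The check Joachim asks for, accepting an RDP server only if its certificate matches a fingerprint recorded earlier rather than ignoring certificates, as an added example in Python. This is not code from the thread, from Guacamole or from FreeRDP, and it does not touch FreeRDP's known-hosts store or command-line options; it performs the X.224 connection request that precedes TLS on an RDP port itself, upgrades the socket to TLS, and compares the SHA-256 fingerprint of the certificate the server presents with the pinned value. Host, port and the pinned fingerprint are assumptions supplied by the caller; the packets used for testing are constructed.

```python
"""Pin an RDP server's TLS certificate by SHA-256 fingerprint.

Added example; not code from Guacamole or FreeRDP.  Host, port and the pinned
fingerprint are assumptions supplied by the caller.
"""
import hashlib
import hmac
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags of RDP_NEG_REQ / RDP_NEG_RSP
PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA, also carried over TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_x224_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ asking for TLS."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR-TPDU: LI (bytes after LI), code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_connection_confirm(data):
    """Return the protocol the server selected; raise if it refused or replied garbage."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # Bare CC without RDP_NEG_RSP: server only speaks standard RDP security
        return PROTOCOL_RDP
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_FAILURE:
        raise ValueError("server refused negotiation, failureCode=%d" % value)
    if ntype != TYPE_RDP_NEG_RSP or nlen != 8:
        raise ValueError("malformed RDP_NEG_RSP")
    return value


def normalize_fingerprint(fp):
    """Accept 'sha256:AB:CD:..', 'ab cd ..' or bare hex; return lowercase hex."""
    fp = fp.strip().lower()
    if fp.startswith("sha256:"):
        fp = fp[len("sha256:"):]
    digits = "".join(c for c in fp if c in "0123456789abcdef")
    if len(digits) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def sha256_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, pinned):
    # constant-time compare; the value is not secret, but the habit is cheap
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(pinned))


def fetch_server_certificate(host, port=3389, timeout=5.0):
    """Negotiate TLS on an RDP port and return the server certificate as DER."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        selected = parse_x224_connection_confirm(sock.recv(1024))
        if selected not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            raise RuntimeError("server did not select a TLS-based protocol")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # chain validation is replaced by the pin
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_pinned_host(host, pinned_fingerprint, port=3389):
    """True if the certificate the server presents matches the pinned fingerprint."""
    return fingerprint_matches(fetch_server_certificate(host, port), pinned_fingerprint)


if __name__ == "__main__":
    import sys
    # usage: python rdp_pin.py 192.0.2.10 sha256:AB:CD:...   (assumed host and pin)
    host, pinned = sys.argv[1], sys.argv[2]
    ok = verify_pinned_host(host, pinned)
    print("fingerprint %s for %s" % ("matches" if ok else "MISMATCH", host))
    sys.exit(0 if ok else 1)
```

Because verify_mode is CERT_NONE, the pin is the only thing standing between the client and a substituted server, so a match is only as strong as how the fingerprint was first recorded (out of band, or on a trusted first connection), and, as the thread notes, the pin has to be refreshed when the certificate is renewed. The X.224 exchange is also where the metadata Joachim mentions is sent in the clear, so the requested protocols in the connection request are the only thing a client should reveal before the TLS handshake.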