Posted to issues@guacamole.apache.org by "Nick Couchman (JIRA)" <ji...@apache.org> on 2019/02/22 10:06:00 UTC
[jira] [Assigned] (GUACAMOLE-694) guacd docker container can't validate RDP certificate
[ https://issues.apache.org/jira/browse/GUACAMOLE-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Couchman reassigned GUACAMOLE-694:
---------------------------------------
Assignee: Nick Couchman
> guacd docker container can't validate RDP certificate
> -----------------------------------------------------
>
> Key: GUACAMOLE-694
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-694
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-docker
> Affects Versions: 1.0.0
> Reporter: Andrin
> Assignee: Nick Couchman
> Priority: Minor
> Fix For: 1.1.0
>
>
> The guacd docker container marks my certificate as invalid:
> {code:java}
> guacd[5]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started
> guacd[5]: INFO: Listening on host 0.0.0.0, port 4822
> guacd[5]: INFO: Creating new client for protocol "rdp"
> guacd[5]: INFO: Connection ID is "$8791f12e-0d99-4aac-8ddf-b893c60e387c"
> guacd[7]: INFO: Security mode: ANY
> guacd[7]: INFO: Resize method: display-update
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" joined connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" (1 users now present)
> guacd[7]: INFO: Loading keymap "base"
> guacd[7]: INFO: Loading keymap "en-us-qwerty"
> connected to winpc.[domainname].com:3389
> creating directory /root/.config/freerdp
> creating directory /root/.config/freerdp/certs
> creating directory /root/.config/freerdp/server
> certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing
> guacd[7]: INFO: Certificate validation failed
> tls_connect: certificate not trusted, aborting.
> Error: protocol security negotiation or connection failure
> guacd[7]: ERROR: Error connecting to RDP server
> guacd[7]: INFO: User "@4dae41b2-c439-4175-9543-39509c737706" disconnected (0 users remain)
> guacd[7]: INFO: Last user of connection "$8791f12e-0d99-4aac-8ddf-b893c60e387c" disconnected
> {code}
> However, when connected via the Windows and Mac clients, the certificate is shown as valid. The same with a CentOS 7 installation with OpenSSL:
> {code:java}
> # openssl s_client -showcerts -connect winpc.[domainname].com:3389
> CONNECTED(00000003)
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = winpc.[domainname].com
> verify return:1
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
> 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
> -----BEGIN CERTIFICATE-----
> [Cert Data]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=winpc.[domainname].com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-384, 384 bits
> ---
> SSL handshake has read 4333 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 01310000F93A78635295B0F5A5458E9AEC16BF70B72E28052D201B6B8DE6661B
> Session-ID-ctx:
> Master-Key: FFFDC45C96C282A330BF878272FD243783425508ED6CB43492C127431492B04089AC8630E509B42DD909DF042286F913
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1547126917
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> {code}
> I assume that the ca-certificates package inside the container is missing:
> {code:java}
> root@a218bfbd187e:/# dpkg -l | grep cert
> root@a218bfbd187e:/#
> root@a218bfbd187e:/# ls /etc/ssl/certs/
> ls: cannot access '/etc/ssl/certs/': No such file or directory
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
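The report above shows a chain that OpenSSL on a host with a CA bundle rates "ok" while guacd inside the container rejects it with "certificate not trusted". The script below is an added example, not code from the Guacamole project or from the reporter. It reproduces that failure mode offline: it builds a throwaway CA and a server leaf certificate signed by it, verifies the leaf once with that CA as trust anchor and once with no trust store at all, and provides the check a practitioner would run inside the image before blaming the RDP server. It assumes only the openssl CLI is installed; the CA name, the hostname winpc.example.test and the Debian-style bundle path /etc/ssl/certs/ca-certificates.crt are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Guacamole project): reproduce the failure
# mode from the report offline. A chain that is perfectly valid still fails
# verification when the verifier has no CA bundle to anchor it, which is what
# an image without the ca-certificates package looks like to FreeRDP.
# Assumes the openssl CLI is available. All key material is generated here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: a throwaway self-signed CA plus a server leaf
# certificate signed by it (the names are assumptions for the example).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=winpc.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_with_store LEAF CAFILE: exit 0 if openssl trusts LEAF using CAFILE
# as the only trust anchor. -no-CApath/-no-CAfile disable the system store,
# so the outcome depends solely on the bundle we hand in.
verify_with_store() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_with_no_store LEAF: what guacd sees in a container that has no CA
# bundle at all; a valid chain is rejected because nothing anchors it.
verify_with_no_store() {
  openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
}

# has_ca_bundle [PATH]: the check to run inside the image. Debian/Ubuntu
# ship the system bundle at this path via the ca-certificates package;
# an empty or missing file means TLS peers cannot be validated.
has_ca_bundle() {
  [ -s "${1:-/etc/ssl/certs/ca-certificates.crt}" ]
}
```

Run `make_test_pki` first, then compare `verify_with_store "$WORK/server.pem" "$WORK/ca.pem"` (succeeds) with `verify_with_no_store "$WORK/server.pem"` (fails): the certificate is the same in both calls, only the trust store differs, which is exactly the situation in the container. `has_ca_bundle` with no argument is the one-liner to drop into a container shell after `dpkg -l | grep cert` comes back empty.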