Posted to user@guacamole.apache.org by Peter Burdine <pb...@gmail.com> on 2016/08/03 02:11:49 UTC

How do I enable TLS1.2 in Guacamole?

I have Guacamole up and running and talking to our older 2008r2 servers,
but on a few of them, it would not form an RDP connection no matter what I
tried.  I eventually narrowed it down to the TLS1.1/1.2 patch being
installed (https://support.microsoft.com/en-us/kb/3080079).  Once that is
installed, it appears I cannot get Guacamole to establish an RDP session.

After a bit of searching, I found you can set the following registry value
which allows the server to drop back and use RDP encryption.  Even after
setting this value, the TLS and NLA will not work from Guacamole, it must
be set to RDP encryption.
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0

If I attempt TLS or NLA, I can see the following message in the Windows
Event log:
An TLS 1.0 connection request was received from a remote client
application, but none of the cipher suites supported by the client
application are supported by the server. The SSL connection request has
failed.

Is there any way to enable TLS1.1/1.2 instead of using TLS1.0?

Configuration:
CentOS 7.2
Tomcat 8

Thanks,
Peter

Re: How do I enable TLS1.2 in Guacamole?

Posted by Peter Burdine <pb...@gmail.com>.
A bit more info, I ran guacd -L debug -f and it shows the following:
guacd[12699]: INFO:     Protocol "rdp" selected
guacd[12699]: INFO:     Connection ID is
"$9a02e0bc-8402-4616-bc67-2bf2378d2a25"
guacd[12699]: INFO:     Security mode: NLA
guacd[12699]: DEBUG:    Client resolution is 1040x1022 at 96 DPI
guacd[12699]: DEBUG:    Using resolution of 1040x1022 at 96 DPI
guacd[12699]: INFO:     Loading keymap "base"
guacd[12699]: INFO:     Loading keymap "en-us-qwerty"
guacd[12699]: DEBUG:    Client cursor image set to generic built-in pointer.
guacd[12699]: DEBUG:    Using raw encoder (audio/L16;rate=44100,channels=2)
with a 44100 byte buffer.
connected to my-server-name-here:3389
creating directory /root/.freerdp/certs
SSL_connect: I/O error
guacd[12699]: ERROR:    Error connecting to RDP server
guacd[12699]: INFO:     Connection did not succeed


I had the following libraries installed when I built guacd (I just rebuilt
it to verify):
Name        : freerdp-devel
Arch        : x86_64
Version     : 1.0.2

Name        : openssl-devel
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e

I confirmed that the RDP server is rejecting TLS1 and accepting TLS1.2 by
using:
openssl s_client -connect my-server-name-here:3389 -tls1_2
openssl s_client -connect my-server-name-here:3389 -tls1

Is there anything else I can look into?

Thanks,
Peter

On Tue, Aug 2, 2016 at 7:11 PM, Peter Burdine <pb...@gmail.com> wrote:

> I have Guacamole up and running and talking to our older 2008r2 servers,
> but on a few of them, it would not form an RDP connection no matter what I
> tried.  I eventually narrowed it down to the TLS1.1/1.2 patch being
> installed (https://support.microsoft.com/en-us/kb/3080079).  Once that is
> installed, it appears I cannot get Guacamole to establish an RDP session.
>
> After a bit of searching, I found you can set the following registry value
> which allows the server to drop back and use RDP encryption.  Even after
> setting this value, the TLS and NLA will not work from Guacamole, it must
> be set to RDP encryption.
> HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0
>
> If I attempt TLS or NLA, I can see the following message in the Windows
> Event log:
> An TLS 1.0 connection request was received from a remote client
> application, but none of the cipher suites supported by the client
> application are supported by the server. The SSL connection request has
> failed.
>
> Is there any way to enable TLS1.1/1.2 instead of using TLS1.0?
>
> Configuration:
> CentOS 7.2
> Tomcat 8
>
> Thanks,
> Peter
>
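Added example (not part of the thread, and not Guacamole or FreeRDP code): the guacd log above reports "Security mode: NLA" and only afterwards "SSL_connect: I/O error", so the RDP security negotiation itself succeeded and the failure happened inside the TLS handshake, which is consistent with the Windows event about a TLS 1.0 request. The script below separates those two stages so an administrator can check, after applying KB3080079 and before turning off TLS 1.0 server-side, exactly which TLS versions the RDP listener still accepts. It sends the X.224 Connection Request carrying an RDP Negotiation Request (MS-RDPBCGR 2.2.1.1), decodes the Connection Confirm (2.2.1.2), and then attempts a TLS handshake pinned to one protocol version. The host and port, and the packet bytes used in comments, are assumptions; certificate verification is switched off because the check concerns the protocol version, not the server's identity.

```python
"""Probe which TLS versions an RDP listener will negotiate (added example).

RDP does not begin with a TLS ClientHello: the client first sends an X.224
Connection Request with an RDP Negotiation Request, the server answers with a
Connection Confirm naming the selected protocol (or a failure code), and only
then does the TLS handshake run on the same socket.
"""
import socket
import ssl
import struct

# requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # Standard RDP Security (what SecurityLayer = 0 forces)
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA, which also runs over TLS

PROTOCOL_NAMES = {0: "RDP", 1: "SSL", 2: "HYBRID", 3: "SSL|HYBRID"}

# failureCode values in an RDP Negotiation Failure (MS-RDPBCGR 2.2.1.2.2)
FAILURE_NAMES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + rdpNegReq (no cookie)."""
    # rdpNegReq: type 0x01, flags, length 8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: length indicator, code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack("<BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into a small report."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len == 11:
        # No negotiation data at all: a pre-negotiation server, RDP security only
        return {"type": "legacy", "selected_protocol": PROTOCOL_RDP, "name": "RDP"}
    neg_type, _flags, _neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:  # RDP Negotiation Response
        return {"type": "response", "selected_protocol": value,
                "name": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == 0x03:  # RDP Negotiation Failure
        return {"type": "failure", "failure_code": value,
                "name": FAILURE_NAMES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def probe_tls_version(host: str, port: int, version: "ssl.TLSVersion",
                      timeout: float = 5.0) -> str:
    """Negotiate RDP security, then try a TLS handshake pinned to one version.

    Returns the negotiated protocol name (e.g. 'TLSv1.2') on success, or a
    short reason string describing where the attempt stopped.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # version check only, not authentication
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        return f"client library cannot offer this version: {exc}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
        report = parse_connection_confirm(sock.recv(1024))
        if report["type"] != "response" or report["selected_protocol"] == PROTOCOL_RDP:
            return f"server did not select TLS: {report['name']}"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
        except (ssl.SSLError, OSError) as exc:
            return f"handshake failed: {exc}"


if __name__ == "__main__":
    # Assumed target; replace with the server being checked.
    HOST, PORT = "my-server-name-here", 3389
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(f"{ver.name:8s} -> {probe_tls_version(HOST, PORT, ver)}")
```

A server that only rejects at the handshake stage (as in the event log above) will show "server did not select TLS" for none of the rows and "handshake failed" for the versions it has disabled; a server forced to SecurityLayer = 0 shows the negotiation-stage result instead, which is the downgrade the registry change introduces.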