FreeRDP: Connection over gateway doesn't work with OpenSSL 3.0

Describe the bug Connection over gateway doesn’t work currently with up-to-date master/stable-2.0 branches when built with OpenSSL 3.0. Individual connections to both machines work properly. It also works with older OpenSSL versions. Any idea what might be wrong?

To Reproduce Steps to reproduce the behavior:

  1. Build freerdp with OpenSSL 3.0, or use e.g. xfreerdp from Fedora rawhide:
  2. xfreerdp /v:IP /g:GATEWAYIP /u:USER /p:PASS /redirect-prefer:ip
  3. It fails with:
[11:41:14:369] [335533:335534] [ERROR][com.freerdp.core.gateway.http] - http_response_recv: Retries exceeded
[11:41:14:369] [335533:335534] [ERROR][com.freerdp.core.gateway.http] - 404629DD7E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (MD4 : 84), Properties ()
[11:41:14:369] [335533:335534] [ERROR][com.freerdp.core.gateway.http] - 404629DD7E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:234:
[11:41:14:369] [335533:335534] [ERROR][com.freerdp.core.gateway.http] - 404629DD7E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (MD4 : 84), Properties ()
[11:41:14:369] [335533:335534] [ERROR][com.freerdp.core.gateway.http] - 404629DD7E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:234:
[11:41:14:370] [335533:335534] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[11:41:14:370] [335533:335534] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[11:41:14:370] [335533:335534] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
  4. With #7448 applied on the top, the error changed, but it doesn’t work anyway:
[11:44:12:465] [336396:336397] [ERROR][com.freerdp.core] - rdg_process_close_packet:freerdp_set_last_error_ex E_PROXY_INTERNALERROR [0x800759D8]

Expected behavior FreeRDP connects successfully to IP over GATEWAYIP

Application details

  • FreeRDP version (xfreerdp /version)
  • Command line used
  • Output of xfreerdp /buildconfig
  • OS version connecting to (server side) Windows Server 2019
  • If available the log output from a run with /log-level:trace 2>&1 | tee log.txt There is a log on top of #7448: log.txt.
  • If you built it yourself add some notes which tag/commit/branch you have used, also your cmake parameters and compiler can help

Environment:

  • OS: Linux
  • Version/Distribution: Fedora 35
  • Architecture: amd64

Additional context It works fine when hostname is used instead of IP for /v: with https://github.com/FreeRDP/FreeRDP/pull/7448. This might determine the potentially problematic code…

There is a backtrace for freerdp_set_last_error_ex on top of #7448: backtrace.txt.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 17 (12 by maintainers)

Most upvoted comments

Since Ubuntu 22.04 uses OpenSSL 3 I am bugged by this issue too. If allowed, /sec:rdp does indeed work over RDG, but TLS-based ones do not. What I observed was that somehow OpenSSL 3 does omit the outermost header. A TLS handshake usually starts with 0x16 0x03 0x01 b1 b2 (Handshake, SSL 3.1, length), but these 5 bytes are missing in the inner SSL connection. Does someone know the inners of OpenSSL and understand how this can happen?
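A checker for the symptom described in the comment above, added here as an example (it is not FreeRDP or OpenSSL code): it classifies the first bytes of a captured inner stream as a framed TLS record, a bare ClientHello with the 5-byte record header missing, or something else. The function name, enum and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; not part of FreeRDP or OpenSSL. */
typedef enum { TLS_FRAMED_RECORD, TLS_BARE_HANDSHAKE, TLS_TRUNCATED, TLS_UNKNOWN } tls_start_t;

#define TLS_CT_HANDSHAKE    0x16  /* record-layer content type */
#define TLS_HS_CLIENT_HELLO 0x01  /* handshake message type */
#define TLS_MAX_PLAINTEXT   16384 /* 2^14, record payload limit */

/* Classify the first bytes of a stream that should open a TLS handshake. */
tls_start_t classify_tls_start(const uint8_t *buf, size_t len)
{
    if (len < 5)
        return TLS_TRUNCATED;

    /* Framed: type(1) | version major(1) minor(1) | length(2, big endian). */
    if (buf[0] == TLS_CT_HANDSHAKE && buf[1] == 0x03 && buf[2] <= 0x04)
    {
        size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
        if (rec_len > 0 && rec_len <= TLS_MAX_PLAINTEXT)
            return TLS_FRAMED_RECORD;
        return TLS_UNKNOWN;
    }

    /* Unframed: handshake type(1) | length(3) | client version(2), i.e. a
     * ClientHello body with no record header in front of it. */
    if (buf[0] == TLS_HS_CLIENT_HELLO && len >= 6 && buf[4] == 0x03 && buf[5] <= 0x04)
    {
        size_t hs_len = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
        if (hs_len >= 34) /* version(2) + random(32) at minimum */
            return TLS_BARE_HANDSHAKE;
    }
    return TLS_UNKNOWN;
}

int main(void)
{
    /* Constructed sample: record header followed by the start of a
     * ClientHello; the "bare" case is the same bytes minus the first five. */
    const uint8_t framed[] = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01,
                               0x00, 0x00, 0xc4, 0x03, 0x03 };
    printf("framed=%d bare=%d\n", classify_tls_start(framed, sizeof framed),
           classify_tls_start(framed + 5, sizeof framed - 5));
    return 0;
}
```

Feeding it the first bytes written to the inner connection, taken from a trace, shows at a glance whether the record layer framing is present.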

It works in our test setup as well, thanks!

@ondrejholy Gateway does not connect to the RDP server but some web server (IIS on windows, for the log you posted it also uses websockets) maybe that is the key difference?