guacamole-user mailing list archives

From "James Johnston" <johnstonj.pub...@codenest.com>
Subject guacd won't connect to secure RDP server with TLS / NLA: "Certificate validation failed"
Date Tue, 31 May 2016 05:33:37 GMT
Hi,

I'm trying to connect to an RDP server that is set up with both TLS and NLA.
The TLS certificate has been signed by a public CA - StartSSL to be specific.
When connecting to the RDP server from a clean Windows 7 install, (1) there are
absolutely no certificate prompts, and (2) NLA is used.  Note that the RDP
server has been configured to remove unsafe protocols and ciphers like SSL 3.0,
RC4, and so on.  A scan of the end-point with Digicert Certificate Inspector
indicates that only TLS 1.0 and TLS 1.1 are available, and ciphers are limited
to:
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 * TLS_RSA_WITH_AES_256_CBC_SHA
 * TLS_RSA_WITH_AES_128_CBC_SHA
 * TLS_RSA_WITH_3DES_EDE_CBC_SHA

I can't seem to get this working in guacamole.  I'm using the latest guacd and
guacamole docker images.  In the web interface, I set security mode to NLA, and
entered the username and password.  However it fails to connect.
docker logs guacd reports:

    guacd[22]: INFO:        Certificate validation failed
    guacd[22]: ERROR:       Error connecting to RDP server
    guacd[22]: INFO:        Connection did not succeed
    connected to host.mypublicdomain.com:3389
    SSL_write: Failure in SSL library (protocol error?)
    Authentication failure, check credentials.
    If credentials are valid, the NTLMSSP implementation may be to blame.

My first thought was that the guacd docker image doesn't have the StartSSL root
cert, but examining files in /etc/ssl/certs seems to indicate that is not the
case: I found the right StartCom certificate with identical RSA public key.

If I tick "Ignore server certificate" then the connection works, but obviously
that is not a real solution as it degrades the security.

Is this a bug in guacd?  Or are there some (maybe undocumented) steps needed
to get certificate validation working?

Best regards,

James Johnston
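To narrow down a "Certificate validation failed" like the one above, it helps to reproduce outside guacd exactly what the client does: send the X.224 Connection Request asking for TLS/NLA, read which protocol the server selects, and then run a TLS handshake on the same socket with the local CA store and hostname checking enabled. The script below is an added example for this thread, not code from guacd or FreeRDP. The packet layouts follow MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP inside X.224); the host name, the `probe()` helper and the `allow_legacy_tls` switch are this example's own. Because the server in the post only offers TLS 1.0/1.1, current Python/OpenSSL builds refuse to negotiate with it unless the minimum version and OpenSSL security level are lowered, which is what the switch does.

```python
"""
RDP security negotiation + TLS chain check, constructed for this thread.
Not guacd/FreeRDP code. Layouts per MS-RDPBCGR: TPKT -> X.224 CR/CC -> RDP_NEG_*.
"""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000       # Standard RDP Security (no TLS)
PROTOCOL_SSL = 0x00000001       # TLS
PROTOCOL_HYBRID = 0x00000002    # TLS + CredSSP (NLA)
PROTOCOL_HYBRID_EX = 0x00000008

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ asking for TLS / NLA."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, protocols)       # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR, dst, src, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224          # TPKT v3 header


def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm: selected protocol or negotiation failure."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data) or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]
    if not body:  # no RDP_NEG_RSP at all: server only speaks Standard RDP Security
        return {"protocol": PROTOCOL_RDP, "failure": None}
    typ, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if typ == NEG_RSP:
        return {"protocol": value, "failure": None}
    if typ == NEG_FAILURE:
        return {"protocol": None, "failure": FAILURE_CODES.get(value, value)}
    raise ValueError("unexpected negotiation type 0x%02x" % typ)


def _recv_tpkt(sock):
    head = sock.recv(4, socket.MSG_WAITALL)
    length = struct.unpack(">H", head[2:4])[0]
    return head + sock.recv(length - 4, socket.MSG_WAITALL)


def probe(host, port=3389, allow_legacy_tls=False):
    """Negotiate with the server, then verify its TLS chain against the system CA store."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_connection_request())
        result = parse_connection_confirm(_recv_tpkt(sock))
        if result["failure"] is not None or not result["protocol"]:
            return {"negotiation": result}           # nothing TLS-related to check
        ctx = ssl.create_default_context()           # system CA bundle + hostname verification
        if allow_legacy_tls:
            # Assumption for this thread's server (TLS 1.0/1.1 only): modern OpenSSL
            # builds need a lower floor and security level to even start the handshake.
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)   # handshake happens here
        except ssl.SSLCertVerificationError as e:
            return {"negotiation": result, "verified": False, "error": e.verify_message}
        with tls:
            cert = tls.getpeercert()
            version = tls.version()
        return {"negotiation": result, "verified": True, "tls_version": version,
                "subject": dict(kv[0] for kv in cert["subject"]),
                "issuer": dict(kv[0] for kv in cert["issuer"]),
                "not_after": cert["notAfter"]}


if __name__ == "__main__":
    import json
    import sys
    # Usage: python rdp_probe.py host.mypublicdomain.com
    print(json.dumps(probe(sys.argv[1], allow_legacy_tls=True), indent=2, default=str))
```

If `probe()` reports `verified: False`, the `error` field is OpenSSL's own reason (unknown issuer, hostname mismatch, expired, and so on), which is far more specific than guacd's one-line INFO. If it reports `verified: True` with the same CA bundle the guacd container has under /etc/ssl/certs, the chain itself is fine and the difference lies in how guacd's RDP client verifies certificates rather than in the certificate.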