guacamole-user mailing list archives

From Peter Burdine <pburd...@gmail.com>
Subject Re: How do I enable TLS1.2 in Guacamole?
Date Wed, 03 Aug 2016 02:49:56 GMT
A bit more info: I ran guacd -L debug -f and it shows the following:
guacd[12699]: INFO:     Protocol "rdp" selected
guacd[12699]: INFO:     Connection ID is "$9a02e0bc-8402-4616-bc67-2bf2378d2a25"
guacd[12699]: INFO:     Security mode: NLA
guacd[12699]: DEBUG:    Client resolution is 1040x1022 at 96 DPI
guacd[12699]: DEBUG:    Using resolution of 1040x1022 at 96 DPI
guacd[12699]: INFO:     Loading keymap "base"
guacd[12699]: INFO:     Loading keymap "en-us-qwerty"
guacd[12699]: DEBUG:    Client cursor image set to generic built-in pointer.
guacd[12699]: DEBUG:    Using raw encoder (audio/L16;rate=44100,channels=2) with a 44100 byte buffer.
connected to my-server-name-here:3389
creating directory /root/.freerdp/certs
SSL_connect: I/O error
guacd[12699]: ERROR:    Error connecting to RDP server
guacd[12699]: INFO:     Connection did not succeed


I had the following libraries installed when I built guacd (I just rebuilt
it to verify):
Name        : freerdp-devel
Arch        : x86_64
Version     : 1.0.2

Name        : openssl-devel
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e

I confirmed that the RDP server is rejecting TLS1 and accepting TLS1.2 by
using:
openssl s_client -connect my-server-name-here:3389 -tls1_2
openssl s_client -connect my-server-name-here:3389 -tls1

Is there anything else I can look into?

Thanks,
Peter

On Tue, Aug 2, 2016 at 7:11 PM, Peter Burdine <pburdine@gmail.com> wrote:

> I have Guacamole up and running and talking to our older 2008r2 servers,
> but on a few of them, it would not form an RDP connection no matter what I
> tried.  I eventually narrowed it down to the TLS1.1/1.2 patch being
> installed (https://support.microsoft.com/en-us/kb/3080079).  Once that is
> installed, it appears I cannot get Guacamole to establish an RDP session.
>
> After a bit of searching, I found you can set the following registry value
> which allows the server to drop back and use RDP encryption.  Even after
> setting this value, the TLS and NLA will not work from Guacamole, it must
> be set to RDP encryption.
> HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0
>
> If I attempt TLS or NLA, I can see the following message in the Windows
> Event log:
> An TLS 1.0 connection request was received from a remote client
> application, but none of the cipher suites supported by the client
> application are supported by the server. The SSL connection request has
> failed.
>
> Is there any way to enable TLS1.1/1.2 instead of using TLS1.0?
>
> Configuration:
> CentOS 7.2
> Tomcat 8
>
> Thanks,
> Peter
>
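
Added example (not part of the original message or of the Guacamole project): the two openssl s_client checks from the message, generalized to loop over TLS 1.0, 1.1 and 1.2 and report which versions the server negotiates. The OPENSSL variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Probe which TLS protocol versions a server will negotiate, using the
# same `openssl s_client` flags quoted in the message above.
# OPENSSL lets you point at a specific binary (assumption of this example).
OPENSSL="${OPENSSL:-openssl}"

# try_version HOST PORT FLAG -> exit status 0 if the handshake completed.
# stdin from /dev/null makes s_client exit as soon as the handshake ends;
# it returns non-zero when the handshake fails.
try_version() {
    "$OPENSSL" s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# probe_tls HOST PORT -> prints one "<flag> accepted|rejected" line per version.
# A "rejected" result can also come from the local OpenSSL build refusing
# that version, so check the client build before blaming the server.
probe_tls() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        if try_version "$1" "$2" "$flag"; then
            echo "$flag accepted"
        else
            echo "$flag rejected"
        fi
    done
}

# needs_newer_tls HOST PORT -> exit status 0 when TLS 1.0 is refused but a
# newer version works, i.e. a client limited to TLS 1.0 cannot connect.
needs_newer_tls() {
    result=$(probe_tls "$1" "$2")
    case "$result" in *"-tls1 accepted"*) return 1 ;; esac
    case "$result" in *"accepted"*) return 0 ;; esac
    return 1   # nothing accepted: host unreachable or no TLS on this port
}

# Run as: sh probe_tls.sh my-server-name-here 3389
if [ "$#" -eq 2 ]; then
    probe_tls "$1" "$2"
    if needs_newer_tls "$1" "$2"; then
        echo "TLS 1.0 refused, newer version accepted"
    fi
fi
```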
