A bit more info: I ran guacd -L debug -f and it shows the following:
guacd[12699]: INFO:     Protocol "rdp" selected
guacd[12699]: INFO:     Connection ID is "$9a02e0bc-8402-4616-bc67-2bf2378d2a25"
guacd[12699]: INFO:     Security mode: NLA
guacd[12699]: DEBUG:    Client resolution is 1040x1022 at 96 DPI
guacd[12699]: DEBUG:    Using resolution of 1040x1022 at 96 DPI
guacd[12699]: INFO:     Loading keymap "base"
guacd[12699]: INFO:     Loading keymap "en-us-qwerty"
guacd[12699]: DEBUG:    Client cursor image set to generic built-in pointer.
guacd[12699]: DEBUG:    Using raw encoder (audio/L16;rate=44100,channels=2) with a 44100 byte buffer.
connected to my-server-name-here:3389
creating directory /root/.freerdp/certs
SSL_connect: I/O error
guacd[12699]: ERROR:    Error connecting to RDP server
guacd[12699]: INFO:     Connection did not succeed

I had the following libraries installed when I built guacd (I just rebuilt it to verify):
Name        : freerdp-devel
Arch        : x86_64
Version     : 1.0.2

Name        : openssl-devel
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e

I confirmed that the RDP server is rejecting TLS1 and accepting TLS1.2 by using:
openssl s_client -connect my-server-name-here:3389 -tls1_2
openssl s_client -connect my-server-name-here:3389 -tls1

Is there anything else I can look into?


On Tue, Aug 2, 2016 at 7:11 PM, Peter Burdine <pburdine@gmail.com> wrote:
I have Guacamole up and running and talking to our older 2008r2 servers, but on a few of them, it would not form an RDP connection no matter what I tried.  I eventually narrowed it down to the TLS1.1/1.2 patch being installed (https://support.microsoft.com/en-us/kb/3080079).  Once that is installed, it appears I cannot get Guacamole to establish an RDP session.

After a bit of searching, I found you can set the following registry value which allows the server to drop back and use RDP encryption.  Even after setting this value, TLS and NLA will not work from Guacamole; it must be set to RDP encryption.
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 0

If I attempt TLS or NLA, I can see the following message in the Windows Event log:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Is there any way to enable TLS1.1/1.2 instead of using TLS1.0?

CentOS 7.2
Tomcat 8
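The openssl s_client check from the reply above (-tls1 rejected, -tls1_2 accepted), as an added example that is not code from this thread, from Guacamole or from FreeRDP: a POSIX shell script that repeats the probe for each TLS version the local OpenSSL can name and classifies the result. It also separates a server rejection from the case where the client-side OpenSSL refuses to offer an old version at all (newer OpenSSL prints "no protocols available" when TLS 1.0 is below its security level), so a "rejected" verdict is not misread. Host and port are command-line arguments; the sample s_client output in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Guacamole/FreeRDP.
# Usage: sh probe_tls.sh my-server-name-here 3389
# The hostname is the poster's placeholder; supply your own.

# Classify captured "openssl s_client" output read from stdin.
# Prints one of:
#   ok                 - a cipher was negotiated ("Cipher is <NAME>")
#   rejected           - handshake failed ("Cipher is (NONE)", I/O error, or nothing)
#   client-unsupported - the local OpenSSL would not offer that version at all
classify_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo client-unsupported
    elif printf '%s\n' "$out" | grep 'Cipher is ' | grep -qv '(NONE)'; then
        echo ok
    else
        echo rejected
    fi
}

# Probe one protocol version. $1 = host, $2 = port, $3 = s_client flag
# name without the dash (tls1, tls1_1, tls1_2; tls1_3 on OpenSSL >= 1.1.1).
# Prints "<version> <verdict>" and returns 0 only for "ok".
probe_version() {
    host=$1; port=$2; ver=$3
    # </dev/null closes stdin so s_client exits after the handshake;
    # 2>&1 keeps the "SSL_connect: I/O error"-style messages in the capture;
    # "|| true" keeps a non-zero openssl exit from aborting under "sh -e".
    out=$(openssl s_client -connect "$host:$port" "-$ver" </dev/null 2>&1 || true)
    verdict=$(printf '%s\n' "$out" | classify_output)
    printf '%-7s %s\n' "$ver" "$verdict"
    [ "$verdict" = ok ]
}

# Probe the versions that matter for the 2008 R2 / KB3080079 case.
probe_all() {
    for ver in tls1 tls1_1 tls1_2; do
        probe_version "$1" "$2" "$ver" || true
    done
}

# Only touch the network when a host was given on the command line.
if [ $# -ge 1 ]; then
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not found' >&2; exit 2; }
    probe_all "$1" "${2:-3389}"
fi
```

Read the result against the Windows event text quoted in the original message: a server that answers "tls1 rejected" but "tls1_2 ok" is exactly the "TLS 1.0 connection request ... none of the cipher suites ... are supported" situation, and guacd's "SSL_connect: I/O error" line in the debug log is the client-side view of that same rejection.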