Bug 391759

Summary: krdc accept invalid certificates (e.g. self signed) without asking confirmation
Product: [Applications] krdc
Reporter: Enrico Tagliavini <enrico.tagliavini>
Component: RDP
Assignee: Urs Wolfer <uwolfer>
Status: RESOLVED FIXED
Severity: normal
CC: ctrlaltca, rdieter
Priority: NOR
Version First Reported In: 17.12
Target Milestone: ---
Platform: Other
OS: Linux
Attachments: Remmina prompting the user for action

Description Enrico Tagliavini 2018-03-12 15:16:30 UTC
Created attachment 111339 [details]
Remmina prompting the user for action

When connecting to an RDP server with a self-signed or invalid certificate, krdc will not prompt the user for a decision; it will simply go ahead and continue, potentially opening the door to MITM attacks.

The xfreerdp client will instead report the invalid certificate, prompting the user for action, for example:

$ xfreerdp /v:test-rdp
[15:57:01:496] [28780:28781] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[15:57:01:497] [28780:28781] [INFO][com.freerdp.client.x11] - No user name set. - Using login name: testuser
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - The hostname used for this connection (test-rdp:3389) 
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - Common Name (CN):
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] -      XRDP
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details:
        Subject: CN = XRDP
        Issuer: CN = XRDP
        Thumbprint: b3:b1:a6:32:89:48:a0:8c:0a:ae:c4:44:43:5c:9b:d8:39:d2:b3:bb
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N)


Steps to reproduce:
1. install xrdp; it will use a self-signed certificate by default (at least it does on Fedora)
2. if necessary, generate a self-signed certificate for xrdp; a helper makefile can be found in the keygen folder of the xrdp source code
3. start xrdp
4. connect with krdc to this freshly created xrdp server

Actual result:
krdc happily connects without complaining about the self-signed certificate

Expected result:
krdc should prompt the user, showing basic info for the certificate and its thumbprint, and ask the user for a decision (see also the screenshot taken from the Remmina client)

This seems to be done on purpose, as the xfreerdp command started by krdc contains the /cert-ignore option. A better alternative might be to use /cert-tofu instead of /cert-ignore if not willing to prompt for action?
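As an added example (not krdc's or FreeRDP's code), the following Python shows the trust-on-first-use behaviour the report suggests with /cert-tofu in place of /cert-ignore: the first certificate seen for a host:port is pinned by thumbprint, and any later change is flagged instead of silently accepted. The certificate bytes and the host name test-rdp are constructed placeholders.

```python
"""Trust-on-first-use (TOFU) pinning for an RDP server's TLS certificate.

Added example, not krdc or FreeRDP code. The first certificate seen for
host:port is pinned; later connections are accepted only while the
thumbprint is unchanged, and any change must be surfaced to the user.
The DER bytes would normally come from the TLS handshake inside the RDP
connection; here they are constructed stand-ins.
"""
import hashlib
from pathlib import Path


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER certificate, colon-separated as xfreerdp prints it."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def tofu_verdict(store: dict, host: str, port: int, der: bytes) -> str:
    """Return 'pinned' on first use (and record it), 'match', or 'MISMATCH'.

    On 'MISMATCH' the client must abort or ask the user, showing the old
    and new thumbprints; that is exactly the prompt /cert-ignore suppresses.
    """
    key = f"{host}:{port}"
    seen = thumbprint(der)
    known = store.get(key)
    if known is None:
        store[key] = seen
        return "pinned"
    return "match" if known == seen else "MISMATCH"


def load_store(path: Path) -> dict:
    """Read 'host:port thumbprint' lines; a missing file is an empty store."""
    store = {}
    if path.exists():
        for line in path.read_text().splitlines():
            if line.strip():
                key, fp = line.split()
                store[key] = fp
    return store


def save_store(path: Path, store: dict) -> None:
    """Persist the pins so a changed certificate is noticed across sessions."""
    path.write_text("".join(f"{k} {v}\n" for k, v in sorted(store.items())))


if __name__ == "__main__":
    # Constructed stand-ins for two different server certificates.
    cert_a, cert_b = b"constructed DER of cert A", b"constructed DER of cert B"
    store = {}
    for der in (cert_a, cert_a, cert_b):
        print(tofu_verdict(store, "test-rdp", 3389, der), thumbprint(der))
```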
Comment 1 Enrico Tagliavini 2021-01-22 15:06:15 UTC
Almost two years and nobody has even had a look at this? Guys, this is a serious security issue: KRDC accepts any kind of borked / invalid / expired certificate without issue or warning.