Created attachment 111339 [details]
Remmina prompting the user for action

When connecting to an RDP server with a self signed or invalid certificate, krdc will not prompt the user for decision making, it will simply go ahead and continue, potentially opening to MITM attacks.

The xfreerdp client will instead report the invalid certificate, prompting the user for action, for example:

$ xfreerdp /v:test-rdp
[15:57:01:496] [28780:28781] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[15:57:01:497] [28780:28781] [INFO][com.freerdp.client.x11] - No user name set. - Using login name: testuser
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[15:57:01:530] [28780:28781] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - The hostname used for this connection (test-rdp:3389)
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - Common Name (CN):
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - 	XRDP
[15:57:01:531] [28780:28781] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details:
	Subject: CN = XRDP
	Issuer: CN = XRDP
	Thumbprint: b3:b1:a6:32:89:48:a0:8c:0a:ae:c4:44:43:5c:9b:d8:39:d2:b3:bb
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N)

Steps to reproduce:
1. install xrdp, it will use a self signed certificate by default (at least it does on fedora)
2. if necessary generate a self signed certificate for xrdp, helper makefile can be found in keygen folder of xrdp source code
3. start xrdp
4. connect with krdc to this freshly created xrdp server

Actual result:
krdc happily connects without complaining about the self signed certificate

Expected result:
krdc should prompt the user showing basic info for the certificate and thumbprint, asking the user for a decision (see also screenshot taken from remmina client)

This seems to be done on purpose as the xfreerdp command started by krdc contains the /cert-ignore option. A better alternative might be the use of /cert-tofu instead of /cert-ignore if not willing to prompt for action?
Almost two years and nobody even had a look at this? Guys, this is a serious security issue, KRDC accepts any kind of borked / invalid / expired certificates without issue or warning.