-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot connect to XRDP #314
Comments
Thank you for the report. I’m not sure how much of the issue is due to IronRDP as opposed to rustls (the TLS backend we are using). I think it could help if you could provide an execution trace with the environment variable |
Sure, you'll find the log file attached. After that log recording, I have tried to change in Cargo.toml file (client) the TLS feature: [features]
# default = ["rustls"]
default = ["native-tls"]
rustls = ["ironrdp-tls/rustls"]
native-tls = ["ironrdp-tls/native-tls"] and I have the exact same error message (it does not seem to activate native-tls). Then, I also changed to
I've also changed the |
Thank you for the detailed report! Much appreciated.
Good catch. This is addressed by #325
The underlying cause is certainly the same.
This is because
Unfortunately, nothing is looking wrong as far as I can see. However, the response to the ClientHello is not included. This is likely because rustls is not able to make any sense of it. Any chance you could record the traffic and send us a pcap? (I recommend wireshark.) One last question: are you able to confirm that TLS is enabled on XRDP at all? Do you have any special configuration? I believe it is supposed to be enabled by default, but I’m not super familiar with it. The immediate failure after sending the ClientHello is suspicious (especially because of the "InvalidContentType" error). IronRDP only supports TLS for securing the RDP transport, and notably there is no desire to support the so-called "Standard RDP Security" (which relies on RC4) because it’s completely broken. A good way to troubleshoot would be to record a pcap of a successful handshake made using mstsc or freerdp as client, and compare with the pcap of the failed handshake made using IronRDP. Maybe the problem is not directly related to TLS, but to how we negotiate the security layer. |
I captured the traces of both connections (IronRDP and MS Remote Desktop) and attached them in the zip file. I can spot differences very early in the communication. Again, the complete trace is inside the zip file mentioned at the beginning of this message. J'espère que ça aidera à la résolution du problème. FYI: the clients are running on macOS 14.1.2 (IronRDP: commit b87627b, MS RDP: 10.9.4 (2161)). |
Merci ! 😛 The pcap provided me with everything I needed to know. In mstsc, the This indicates three security protocols as supported client side, and the server may choose any of them. Standard RDP security is also always considered available by the server, so you could count four. In comparison, IronRDP is sending this: The "TLS security" flag is not set. However, XRDP does not support NLA, and thus attempts to "downgrade" to the standard RDP security protocol: But as mentioned previously, IronRDP purposefully does not support this security protocol, and fails. Good to know: usage of the TLS transport itself is implied by all security protocols except standard RDP security, and it’s not a bug to not specify it again. By not specifying it, we are able to effectively enforce usage of NLA (CredSSP). Roughly, the TLS "security protocol" defined in the RDP protocol is both for wrapping the RDP transport into a TLS transport AND showing the Windows MS logon screen to the user in order to perform a graphical login (modulo the "autologon" option). That is: the authentication is not happening at the network level (using NLA), and the user enters the credentials directly on the remote machine, as if a physical machine was used. This is what differs from the other security protocols. For context, see this "xweet" from @awakecoding (behind the scene, the options shown are enabling or disabling these flags as appropriate). NLA being disabled is problematic for a few reasons. For one, it’s easy to perform man-in-the-middle attacks by exposing a fake RDP server and to collect credentials. Even with the certificate warning, many users are disregarding the warning popup and end up entering their credentials anyway. GoSecure conducted a study by exposing honeypot RDP servers, relying on this NLA → TLS security downgrade. Today, it’s already possible to alter this behavior in the IronRDP client by providing the The user interface for that, however, is less than ideal for many reasons, and I still consider this as a bug. |
The user interface has been fixed in #328
FYI, there is a bug related to scancodes on macOS: #180 |
Thank you very much Benoît for this detailed investigation.
Great news about the scancodes for macOS, I was planning to implement this feature myself. EDIT : I tried the |
Indeed, it’s not expected. Looks like this check fails: IronRDP/crates/ironrdp-connector/src/channel_connection.rs Lines 176 to 181 in bd8df6d
Which could mean that XRDP is advertising a specific ID for a given channel, and then joins it using yet a different channel ID. It’s not clear to me whether this is a bug on XRDP side or IronRDP. I opened a PR for improving the error reporting of this: #329 Do you think you could give it a try and report back? |
The new message is : See attached log for xrdp 0.9.17. I took an other log with both ssl and hybrid after reinstall: When I connect with IronRDP (with ssl), I have this log on server side:
If I use hybrid mode:
I've also tested on a Raspberry Pi5 with xrdp-0.9.21 (stock install). |
I don’t have time for looking into the rest of the logs now. I’ll probably dig a bit more next week. :) Keep me updated if you find anything else! |
I can see in the logs that the standard RDP security was negotiated again.
"selected_protocol=SecurityProtocol(0x0)" means that the server selected the standard RDP security protocol.
Same problem for these:
and
Can you try again using a build from master? I think the latest patches will help with that. Of course, if the standard RDP security is the only available security protocol, there is nothing IronRDP can do. If you forced the "SSL" / "TLS" security protocol using the CLI, and XRDP still selected the standard RDP security protocol, it may be that something is not right on XRDP side… if you are unable to make progress using a new build from master, maybe we could use a pcap again and see if something fishy is happening on either side? |
Hello, I got back to this issue. I've checked out the commit 33c66ed which is HEAD of master at the time of writing.
For some reason, this version does not create the log file, I had to redirect the console output. I'm still unsure about: how to force XRDP to use CredSSP. I have also tested with the Raspberry Pi 5. The message is different, but still no connection. |
@mdenty Thank you for following up!
Oh, this was changed recently in #330.
XRDP doesn’t support CredSSP (NLA). But this should not prevent IronRDP from connecting, because we also support not using NLA ("TLS alone" mode).
Looks good. The warning is because XRDP is likely using a self-signed certificate that is (rightfully) not trusted by your Windows machine. One way to fix this is to install the certificate on your (client) Windows machine. (An organization should typically use a certificate issued by their own CA, or a well-known CA.) So we are back with
You confirmed that everything is working when using FreeRDP and the official Microsoft client, so IronRDP may be a bit too strict. The check is here: IronRDP/crates/ironrdp-connector/src/channel_connection.rs Lines 183 to 190 in 33c66ed
Do you think you could try to remove it ocally and see what happens? It’s safe to send the packets from the "Channel Connection" steps, described below: Ideally I need to see what we have in the "attach user" and "join" packets. Thank you! |
It fails on the next test (line 192) with this message:
I've also removed this test and it now fails with this error message: The log with both tests disabled: I'll try to decode the stream, but I think I already tried and the macOS version of WireShark crashes in this case. I'll have to install it on the Linux side. EDIT: Here is the pcap: |
Thank you! However, it appears that the keys file included in the archive is protected by password so I can’t use it. |
It's not. The zip was created under Ubuntu. I can open it with no issue on my Mac.
|
Oh, thank you! Yes, I think I went to the wrong tab in Wireshark. Apologies. We can see in the trace that XRDP is sending the confirmation message without waiting for the request: However, IronRDP expects the confirmation for a given ID only after sending a join request for it. Incidentally, we had an open issue for sending the join requests in batch and then handling the confirmation in any order: #112 PS: The user channel must also be joined in addition to the "attach user" messages. IronRDP was already doing that as expected. My bad, I misremembered that part. |
I tried to connect after checkout of branch This leads to:
Here is the client side log: And the server side log:
Off topic:
How can I do that with IronRDP? |
Sounds like XRDP doesn’t like something about the Client Info PDU we are sending.
IronRDP is sending these flags:
Do you think you could investigate this further by playing a bit with the flags?
Support for RD Gateway has not yet been evaluated, so it’s probably not possible. However, it would be possible to use a Devolutions Gateway, though I’m not sure this is something you are interested about. |
I tried to disable, one by one, all the flags in
My use case implies that I use a customer's (out of my hands) RDP server AND gateway. |
Maybe another flag is missing? The error shown in XRDP logs is not helping me much.
I can’t tell for sure as I don’t know your use case and other constraints, but many of our customers, including MSPs, are using Devolutions Gateway as a replacement for RD Gateway, and some, in turns, install Gateways in their customers’ infrastructure. |
I have some Ubuntu Linux servers running XRDP (0.9.12 and 0.9.17)
The connection always fails with this error message:
It works fine with a Windows 11 ARM VM.
The text was updated successfully, but these errors were encountered: