Bug 1347920

Summary: FreeRDP crashes on system in FIPS mode
Product: Red Hat Enterprise Linux 6
Reporter: amit yadav <ayadav>
Component: freerdp
Assignee: Ondrej Holy <oholy>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Docs Contact: Jaroslav Klech <jklech>
Priority: high
Version: 6.8
CC: bgollahe, britt.orrison, cww, jkurik, kfiresmith, mboisver, oholy, thudziec, tpelka
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: freerdp-1.0.2-6.el6
Doc Type: Bug Fix
Doc Text:
*xfreerdp* client now works correctly on systems with enabled FIPS mode

Previously, when the *xfreerdp* client was used on systems with enabled FIPS mode, it exited unexpectedly due to usage of FIPS non-compliant encryption algorithms. This update ensures that *xfreerdp* does not exit unexpectedly when it is used with FIPS mode enabled and that FIPS security encryption method is negotiated. As a result, *xfreerdp* now works correctly with the RDP and TLS security protocols on systems with enabled FIPS mode. However, an error now occurs if the Network Level Authentication (NLA) protocol is required, because its implementation requires FIPS non-compliant algorithms.
Last Closed: 2018-06-19 05:19:34 UTC
Type: Bug
Bug Blocks: 1269194, 1461138, 1492868

Description amit yadav 2016-06-18 12:57:38 UTC
Description of problem:

Customer has enabled FIPS mode on Red Hat Enterprise Linux and configured Microsoft Windows Server to require FIPS-compliant encryption. When he is trying to connect to Windows 2008 Server from RHEL6, Xfreerdp is crashing on the system.


]$ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME
 
connected to SERVER_IP:3389
Password: 
Certificate details:
	Subject: C = XX, ST = XXXXX, L = XXXXX, O = XXXXX, OU = XXXXXX, CN = XXXXXXX
	Issuer: DC = xxx, DC = xxx, DC = xxxx, DC = xxxx, CN = xxxx
	Thumbprint: 16:da:c5:46:90:49:99:8a:dd:5f:3d:91:14:cc:c7:8d:6d:1d:47
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate 
in your certificate store, or the certificate has expired. Please look at the documentation on how to 
create local certificate store for a private CA. Do you trust the above certificate? (Y/N) Y
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)


If he disables FIPS encryption, he is able to connect to the server. But the RHEL systems must have FIPS encryption enabled, as per his company's security policies.

Customer is using his own CA server and he has tried different security protocols with xfreerdp (e.g. --sec tls, --sec rdp), but nothing helped.

Version-Release number of selected component (if applicable):
freerdp-1.0.2-5.el6

How reproducible:

Always   

Steps to Reproduce:

1. Enable FIPS mode on Red Hat Enterprise Linux
2. Configure Microsoft Windows Server to require FIPS-compliant encryption.
3. Try to connect to the Windows system from RHEL6:

   $ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME

Actual results:

Xfreerdp crashes with following error:

md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!

Expected results:

Xfreerdp should work correctly with FIPS mode enabled.

Additional info:

Upstream bug for this issue filed by Ondrej Holy: https://github.com/FreeRDP/FreeRDP/issues/3412
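
Added example (not part of the original report and not FreeRDP or Red Hat code): a small Python triage helper that recognises the OpenSSL FIPS assertion shown above in captured client output and lists which security protocols the Doc Text says remain usable under FIPS mode. `/proc/sys/crypto/fips_enabled` is the standard Linux kernel flag; the function names and the sample text are constructed for illustration.

```python
import re
from pathlib import Path

# OpenSSL (FIPS build) aborts with: "<file>(<line>): OpenSSL internal error,
# assertion failed: Digest <NAME> forbidden in FIPS mode!"
FIPS_ABORT = re.compile(
    r"^(?P<src>[\w.]+)\((?P<line>\d+)\): OpenSSL internal error, "
    r"assertion failed: Digest (?P<digest>\S+) forbidden in FIPS mode!",
    re.MULTILINE,
)

def fips_enabled(flag_file="/proc/sys/crypto/fips_enabled"):
    """Return True when the kernel reports FIPS mode (flag file contains 1)."""
    try:
        return Path(flag_file).read_text().strip() == "1"
    except OSError:
        return False  # flag file absent or unreadable: treat as not in FIPS mode

def find_fips_aborts(client_output):
    """Extract every forbidden-digest assertion from captured client output."""
    return [
        {"source": m["src"], "line": int(m["line"]), "digest": m["digest"]}
        for m in FIPS_ABORT.finditer(client_output)
    ]

def usable_security(fips, requested=("rdp", "tls", "nla")):
    """Per the Doc Text: with the fix, RDP and TLS work under FIPS; NLA does not."""
    return [p for p in requested if not (fips and p == "nla")]

# Constructed sample: tail of the session shown in the description.
SAMPLE = """connected to SERVER_IP:3389
Password:
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)
"""

if __name__ == "__main__":
    fips = fips_enabled()
    for hit in find_fips_aborts(SAMPLE):
        print(f"{hit['digest']} rejected at {hit['source']}:{hit['line']}")
    print("FIPS mode:", fips, "- usable security protocols:", usable_security(fips))
```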

Comment 3 Kodiak Firesmith 2016-08-03 13:18:33 UTC
This also affects latest RHEL 7.  

I've filed the following support request for this critical loss of functionality on our RHEL workstation fleet:
https://access.redhat.com/support/cases/#/case/01678942

Comment 6 Ondrej Holy 2017-11-10 11:41:04 UTC
FIPS support will hopefully be merged upstream soon; for more details, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1363811#c7

Comment 16 Jaroslav Klech 2018-04-06 12:24:21 UTC
Hello Ondra,

I have modified the doc text above. Could you please have a look at it and tell me whether it's correct content-wise?

Thank you

Jaroslav

Comment 21 errata-xmlrpc 2018-06-19 05:19:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1897

Comment 22 britt 2019-01-22 19:58:29 UTC
Hello Ondra,

I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to FreeRDP 1.1 stable release?
If not, how can I merge your fix into FreeRDP 1.1?
I am using FreeRDP with Smartcard plugin under RHEL 5.x platform.

Thank you for your help!

Comment 23 britt 2019-01-22 20:00:34 UTC
(In reply to britt from comment #22)
> Hello Ondra,
> 
> I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to
> FreeRDP 1.1 stable release?
> If not, how can I merge your fix into FreeRDP 1.1?
> I am using FreeRDP with Smartcard plugin under RHEL 5.x platform.
> 
> Thank you for your help!

This is in regard to FreeRDP issue #3412/#3904.

Comment 24 Ondrej Holy 2019-01-23 08:11:09 UTC
Please do not abuse old bug reports. FreeRDP has never been officially part of RHEL 5. FreeRDP 1.1 is not part of any RHEL version. The best place for this kind of question is probably the upstream mailing list: https://sourceforge.net/projects/freerdp/lists/freerdp-devel.