Bug 1363811

Summary: freerdp doesnt work in FIPS mode
Product: Red Hat Enterprise Linux 7 Reporter: Joe Wright <jwright>
Component: freerdpAssignee: Ondrej Holy <oholy>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.2CC: kfiresmith, thudziec, tpelka, vpakolu
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freerdp-1.0.2-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 11:38:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joe Wright 2016-08-03 15:55:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):
- freerdp-1.0.2-6.el7_2.1.x86_64
- freerdp-libs-1.0.2-6.el7_2.1.x86_64
- freerdp-plugins-1.0.2-6.el7_2.1.x86_64

How reproducible:


Steps to Reproduce:
1. enable FIPS mode
2. attempt to connect to a RDP host
3.

Actual results:

[2016-08-03 09:13] user@rhel ~: 
 $sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[2016-08-03 09:13] user@rhel ~: 
 $xfreerdp -d NETSERVICES -g 1680x1020 -u ksf --plugin cliprdr --plugin rdpsnd --plugin drdynvc --data tsmf:audio:pulse -- ws-kodiakbear.sei.cmu.edu
loading plugin cliprdr
loading plugin rdpsnd
loading plugin drdynvc
connected to host:3389
Password: 
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)


Expected results:
- successful connection

Additional info:

Comment 3 Joe Wright 2016-08-03 20:22:09 UTC
This issue appears to be identical to the one identified in https://bugzilla.redhat.com/show_bug.cgi?id=1347920 for RHEL 6

Comment 4 Joe Wright 2016-08-03 20:23:27 UTC
https://github.com/FreeRDP/FreeRDP/issues/3412

Comment 6 Ondrej Holy 2017-02-27 13:42:21 UTC
It seems it is fixable. I added some notes to the upstream bug report, however, I didn't have time to propose fix yet, sorry:
https://github.com/FreeRDP/FreeRDP/issues/3412#issuecomment-263958217

Comment 7 Ondrej Holy 2017-11-10 11:33:25 UTC
I proposed the following pull request:
https://github.com/FreeRDP/FreeRDP/pull/3877
which have been superseded by:
https://github.com/FreeRDP/FreeRDP/pull/3904
which will be hopefully merged upstream soon...

Comment 10 Ondrej Holy 2017-11-23 15:59:11 UTC
Just a note that FIPS encryption method is automatically used and NLA authentication is automatically disabled with this build if OpenSSL operates in FIPS mode. NLA can't be used, because FreeRDP implements only NTLM, which requires MD5, which isn't FIPS compliant.

Comment 12 Tomas Hudziec 2018-01-19 14:05:21 UTC
Have tested on x86_64 system running in FIPS mode with freerdp-1.0.2-13.el7.x86_64 and got mentioned error:
md4_dgst.c(75): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)

After update to freerdp-1.0.2-14.el7.x86_64 it works fine.

Comment 15 errata-xmlrpc 2018-04-10 11:38:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0724