Description of problem:
Customer has enabled FIPS mode on Red Hat Enterprise Linux and configured Microsoft Windows Server to require FIPS-compliant encryption. When he is trying to connect to Windows 2008 Server from RHEL6, Xfreerdp is crashing on the system.

]$ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME
connected to SERVER_IP:3389
Password:
Certificate details:
Subject: C = XX, ST = XXXXX, L = XXXXX, O = XXXXX, OU = XXXXXX, CN = XXXXXXX
Issuer: DC = xxx, DC = xxx, DC = xxxx, DC = xxxx, CN = xxxx
Thumbprint: 16:da:c5:46:90:49:99:8a:dd:5f:3d:91:14:cc:c7:8d:6d:1d:47
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N) Y
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)

If he disables FIPS encryption, he is able to connect to the server. But the RHEL systems must have FIPS encryption enabled, as per his company's security policies.

Customer is using his own CA server and he has tried different security protocols with xfreerdp (e.g. --sec tls, --sec rdp), but nothing helped.

Version-Release number of selected component (if applicable):
freerdp-1.0.2-5.el6

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS mode on Red Hat Enterprise Linux
2. Configure Microsoft Windows Server to require FIPS-compliant encryption.
3. Try to connect to the Windows system from RHEL6:
$ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME

Actual results:
Xfreerdp crashes with following error:
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!

Expected results:
Xfreerdp should work correctly with FIPS mode enabled.

Additional info:
Upstream bug for this issue filed by Ondrej Holy:
https://github.com/FreeRDP/FreeRDP/issues/3412
This also affects the latest RHEL 7. I've filed the following support request for this critical loss of functionality on our RHEL workstation fleet: https://access.redhat.com/support/cases/#/case/01678942
FIPS support will hopefully be merged upstream soon; for more details, see: https://bugzilla.redhat.com/show_bug.cgi?id=1363811#c7
Hello Ondra,

I have modified the doc text above. Could you, please, have a look at it and tell me whether it's correct content-wise?

Thank you,
Jaroslav
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1897
Hello Ondra, I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to FreeRDP 1.1 stable release? If not, how can I merge your fix into FreeRDP 1.1? I am using FreeRDP with Smartcard plugin under RHEL 5.x platform. Thank you for your help!
(In reply to britt from comment #22)
> Hello Ondra,
>
> I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to
> FreeRDP 1.1 stable release?
> If not, how can I merge your fix into FreeRDP 1.1?
> I am using FreeRDP with Smartcard plugin under RHEL 5.x platform.
>
> Thank you for your help!

This is in regard to FreeRDP issue #3412/#3904.
Please do not abuse old bug reports. FreeRDP has never been officially part of RHEL 5. FreeRDP 1.1 is not part of any RHEL version. The best place for this kind of question is probably the upstream mailing list: https://sourceforge.net/projects/freerdp/lists/freerdp-devel.