Bug 1347920 - FreeRDP crashes on system in FIPS mode
Summary: FreeRDP crashes on system in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: freerdp
Version: 6.8
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Ondrej Holy
QA Contact: Desktop QE
Jaroslav Klech
URL:
Whiteboard:
Depends On:
Blocks: 1269194 1461138 1492868
Reported: 2016-06-18 12:57 UTC by amit yadav
Modified: 2019-06-05 06:40 UTC

Fixed In Version: freerdp-1.0.2-6.el6
Doc Type: Bug Fix
Doc Text:
*xfreerdp* client now works correctly on systems with enabled FIPS mode

Previously, when the *xfreerdp* client was used on systems with enabled FIPS mode, it exited unexpectedly due to usage of FIPS non-compliant encryption algorithms. This update ensures that *xfreerdp* does not exit unexpectedly when it is used with FIPS mode enabled and that FIPS security encryption method is negotiated. As a result, *xfreerdp* now works correctly with the RDP and TLS security protocols on systems with enabled FIPS mode. However, an error now occurs if the Network Level Authentication (NLA) protocol is required, because its implementation requires FIPS non-compliant algorithms.
Clone Of:
Environment:
Last Closed: 2018-06-19 05:19:34 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2411021 None None None 2016-06-28 10:04:00 UTC
Red Hat Product Errata RHBA-2018:1897 None None None 2018-06-19 05:19:43 UTC

Internal Links: 1363811

Description amit yadav 2016-06-18 12:57:38 UTC
Description of problem:

Customer has enabled FIPS mode on Red Hat Enterprise Linux and configured Microsoft Windows Server to require FIPS-compliant encryption. When he is trying to connect to Windows 2008 Server from RHEL6, Xfreerdp is crashing on the system.


]$ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME
 
connected to SERVER_IP:3389
Password: 
Certificate details:
	Subject: C = XX, ST = XXXXX, L = XXXXX, O = XXXXX, OU = XXXXXX, CN = XXXXXXX
	Issuer: DC = xxx, DC = xxx, DC = xxxx, DC = xxxx, CN = xxxx
	Thumbprint: 16:da:c5:46:90:49:99:8a:dd:5f:3d:91:14:cc:c7:8d:6d:1d:47
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate 
in your certificate store, or the certificate has expired. Please look at the documentation on how to 
create local certificate store for a private CA. Do you trust the above certificate? (Y/N) Y
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)


If he disables FIPS encryption, he is able to connect to the server. But the RHEL systems must have FIPS encryption enabled, as per his company's security policies.

Customer is using his own CA server and he has tried different security protocols with xfreerdp (e.g. --sec tls, --sec rdp), but nothing helped.

Version-Release number of selected component (if applicable):
freerdp-1.0.2-5.el6

How reproducible:

Always   

Steps to Reproduce:

1. Enable FIPS mode on Red Hat Enterprise Linux
2. Configure Microsoft Windows Server to require FIPS-compliant encryption.
3. Try to connect to the Windows system from RHEL6:

   $ /usr/bin/xfreerdp -u USERNAME -d SERVER_IP-OR_NAME

Actual results:

Xfreerdp crashes with the following error:

md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!

Expected results:

Xfreerdp should work correctly with FIPS mode enabled.

Additional info:

Upstream bug for this issue filed by Ondrej Holy: https://github.com/FreeRDP/FreeRDP/issues/3412
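
Added example, not part of the original report and not FreeRDP or Red Hat code: a shell triage helper for the abort shown in the description. It reads the kernel FIPS indicator (/proc/sys/crypto/fips_enabled), pulls the rejected digest out of a captured xfreerdp output file, and reports what the Doc Text for the fixed package says to expect for each --sec value. The function names and the FIPS_FLAG override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeRDP): triage helper for the
# OpenSSL FIPS abort. FIPS_FLAG is a hypothetical override so the logic can be
# exercised on a non-FIPS host; the default is the kernel's indicator file.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# True when the kernel reports FIPS mode (the file contains 1).
fips_enabled() {
    [ -r "$FIPS_FLAG" ] && [ "$(cat "$FIPS_FLAG")" = "1" ]
}

# Print "digest=<NAME> source=<file.c>" for the first OpenSSL FIPS digest
# assertion found in a captured xfreerdp output file; print nothing if absent.
fips_abort_in_log() {
    sed -n 's/^\([A-Za-z0-9_]*\.c\)([0-9]*): OpenSSL internal error, assertion failed: Digest \([A-Za-z0-9-]*\) forbidden in FIPS mode!.*$/digest=\2 source=\1/p' "$1" | head -n 1
}

# Expected result of an xfreerdp --sec value on this host, following the
# Doc Text for the fixed package: rdp and tls work, nla errors under FIPS.
sec_expectation() {
    case "$1" in
        rdp|tls) echo "ok" ;;
        nla) if fips_enabled; then echo "error-expected"; else echo "ok"; fi ;;
        *) echo "unknown" ;;
    esac
}

# One-line diagnosis for a captured session log.
triage() {
    hit=$(fips_abort_in_log "$1")
    if [ -n "$hit" ] && fips_enabled; then
        echo "fips-digest-abort $hit"
    elif [ -n "$hit" ]; then
        echo "fips-digest-abort-logged-but-host-not-fips $hit"
    else
        echo "no-fips-abort"
    fi
}
```

Capture the client output with `xfreerdp ... 2> session.log` and run `triage session.log`; a `fips-digest-abort` result on a host still running freerdp-1.0.2-5.el6 matches this bug.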

Comment 3 Kodiak Firesmith 2016-08-03 13:18:33 UTC
This also affects the latest RHEL 7.

I've filed the following support request for this critical loss of functionality on our RHEL workstation fleet:
https://access.redhat.com/support/cases/#/case/01678942

Comment 6 Ondrej Holy 2017-11-10 11:41:04 UTC
FIPS support will hopefully be merged upstream soon; for more details, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1363811#c7

Comment 16 Jaroslav Klech 2018-04-06 12:24:21 UTC
Hello Ondra,

I have modified the doc text above. Could you, please, have a look at it and tell me whether it is correct content-wise?

Thank you

Jaroslav

Comment 21 errata-xmlrpc 2018-06-19 05:19:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1897

Comment 22 britt 2019-01-22 19:58:29 UTC
Hello Ondra,

I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to FreeRDP 1.1 stable release?
If not, how can I merge your fix into FreeRDP 1.1?
I am using FreeRDP with Smartcard plugin under RHEL 5.x platform.

Thank you for your help!

Comment 23 britt 2019-01-22 20:00:34 UTC
(In reply to britt from comment #22)
> Hello Ondra,
> 
> I know this is fixed in FreeRDP 1.0.2. Do you know if the fix is merged to
> FreeRDP 1.1 stable release?
> If not, how can I merge your fix into FreeRDP 1.1?
> I am using FreeRDP with Smartcard plugin under RHEL 5.x platform.
> 
> Thank you for your help!

This is in regard to FreeRDP issue #3412/#3904.

Comment 24 Ondrej Holy 2019-01-23 08:11:09 UTC
Please do not abuse old bug reports. FreeRDP has never been officially part of RHEL 5. FreeRDP 1.1 is not part of any RHEL version. The best place for such kind of questions is probably the upstream mailing list: https://sourceforge.net/projects/freerdp/lists/freerdp-devel.

