Bug 1363811 - freerdp doesnt work in FIPS mode
Summary: freerdp doesnt work in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: freerdp
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Ondrej Holy
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-03 15:55 UTC by Joe Wright
Modified: 2020-09-29 08:23 UTC (History)
4 users (show)

Fixed In Version: freerdp-1.0.2-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 11:38:34 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1347920 0 high CLOSED FreeRDP crashes on system in FIPS mode 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 2411021 0 None None None 2016-08-03 20:27:52 UTC
Red Hat Product Errata RHBA-2018:0724 0 None None None 2018-04-10 11:39:49 UTC

Description Joe Wright 2016-08-03 15:55:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):
- freerdp-1.0.2-6.el7_2.1.x86_64
- freerdp-libs-1.0.2-6.el7_2.1.x86_64
- freerdp-plugins-1.0.2-6.el7_2.1.x86_64

How reproducible:


Steps to Reproduce:
1. enable FIPS mode
2. attempt to connect to a RDP host
3.

Actual results:

[2016-08-03 09:13] user@rhel ~: 
 $sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[2016-08-03 09:13] user@rhel ~: 
 $xfreerdp -d NETSERVICES -g 1680x1020 -u ksf --plugin cliprdr --plugin rdpsnd --plugin drdynvc --data tsmf:audio:pulse -- ws-kodiakbear.sei.cmu.edu
loading plugin cliprdr
loading plugin rdpsnd
loading plugin drdynvc
connected to host:3389
Password: 
md4_dgst.c(74): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)


Expected results:
- successful connection

Additional info:

Comment 3 Joe Wright 2016-08-03 20:22:09 UTC
This issue appears to be identical to the one identified in https://bugzilla.redhat.com/show_bug.cgi?id=1347920 for RHEL 6

Comment 4 Joe Wright 2016-08-03 20:23:27 UTC
https://github.com/FreeRDP/FreeRDP/issues/3412

Comment 6 Ondrej Holy 2017-02-27 13:42:21 UTC
It seems it is fixable. I added some notes to the upstream bug report, however, I didn't have time to propose fix yet, sorry:
https://github.com/FreeRDP/FreeRDP/issues/3412#issuecomment-263958217

Comment 7 Ondrej Holy 2017-11-10 11:33:25 UTC
I proposed the following pull request:
https://github.com/FreeRDP/FreeRDP/pull/3877
which have been superseded by:
https://github.com/FreeRDP/FreeRDP/pull/3904
which will be hopefully merged upstream soon...

Comment 10 Ondrej Holy 2017-11-23 15:59:11 UTC
Just a note that FIPS encryption method is automatically used and NLA authentication is automatically disabled with this build if OpenSSL operates in FIPS mode. NLA can't be used, because FreeRDP implements only NTLM, which requires MD5, which isn't FIPS compliant.

Comment 12 Tomas Hudziec 2018-01-19 14:05:21 UTC
Have tested on x86_64 system running in FIPS mode with freerdp-1.0.2-13.el7.x86_64 and got mentioned error:
md4_dgst.c(75): OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Aborted (core dumped)

After update to freerdp-1.0.2-14.el7.x86_64 it works fine.

Comment 15 errata-xmlrpc 2018-04-10 11:38:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0724


Note You need to log in before you can comment on or make changes to this bug.