After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 724135 - Add options to ignore certificate and to disable NLA
Add options to ignore certificate and to disable NLA
Status: RESOLVED DUPLICATE of bug 724133
Product: vinagre
Classification: Applications
Component: RDP
git master
Other Linux
: Normal major
: ---
Assigned To: vinagre-maint
vinagre-maint
Depends on:
Blocks:
 
 
Reported: 2014-02-11 17:14 UTC by Thomas Wendt
Modified: 2014-08-05 10:39 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Patch to add no-nla and ignore-certificate options (12.57 KB, patch)
2014-02-11 17:16 UTC, Thomas Wendt
rejected Details | Review

Description Thomas Wendt 2014-02-11 17:14:48 UTC
As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I can prevent xfreerdp from asking for a password by disabling NLA and prevent it from asking to trust the certificate by disabling verification of the logon certificate.

Attached is a patch to add the two options to the RDP plugin.

In my opinion it would be better if Vinagre would ask the user about trusting the certificate with the possibility to remember the choice. But this would probably need changes to xfreerdp. Alternatively Vinagre could parse the standard output but that seems to be prone for breakage.
Comment 1 Thomas Wendt 2014-02-11 17:16:00 UTC
Created attachment 268818 [details] [review]
Patch to add no-nla and ignore-certificate options
Comment 2 David King 2014-02-17 10:58:52 UTC
Comment on attachment 268818 [details] [review]
Patch to add no-nla and ignore-certificate options

(In reply to comment #0)
> As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I
> can prevent xfreerdp from asking for a password by disabling NLA and prevent it
> from asking to trust the certificate by disabling verification of the logon
> certificate.
> 
> Attached is a patch to add the two options to the RDP plugin.

I do not want to add these options to the RDP plugin. If you need them, it is better to use xfreerdp directly.

> In my opinion it would be better if Vinagre would ask the user about trusting
> the certificate with the possibility to remember the choice. But this would
> probably need changes to xfreerdp. Alternatively Vinagre could parse the
> standard output but that seems to be prone for breakage.

Vinagre should call xfreerdp with the --from-stdin argument, parse the output and then provide the necessary information (by popping up a dialogue and requesting it). Alternatively, the RDP plugin should be rewritten to use the FreeRDP API rather than calling out to the xfreerdp binary.
Comment 3 nathanael 2014-03-25 17:20:47 UTC
So no idea about this particular patch however Vinagre is essentially useless when connecting to RDP hosts. I have the exact same issue (there are multiple bugs in various distro bugzillas about this too btw).

I configure a RDP connection. Since the connection dialogue doesn't allow for password input the connection never actually happens.

If I run Vinagre from the command line there is a password prompt on the terminal. 

Once the password is provided the SSL certificate is rejected and I'm never given the option of accepting it.

These two issues make vinagre absolutely useless for these rdp connections...
Comment 4 Mattias Eriksson 2014-04-15 21:41:04 UTC
(In reply to comment #2)
> (From update of attachment 268818 [details] [review])
> (In reply to comment #0)
> > As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I
> > can prevent xfreerdp from asking for a password by disabling NLA and prevent it
> > from asking to trust the certificate by disabling verification of the logon
> > certificate.
> > 
> > Attached is a patch to add the two options to the RDP plugin.
> 
> I do not want to add these options to the RDP plugin. If you need them, it is
> better to use xfreerdp directly.

That is just a shitty attitude! Why bother using a gui at all then?

> > In my opinion it would be better if Vinagre would ask the user about trusting
> > the certificate with the possibility to remember the choice. But this would
> > probably need changes to xfreerdp. Alternatively Vinagre could parse the
> > standard output but that seems to be prone for breakage.
> 
> Vinagre should call xfreerdp with the --from-stdin argument, parse the output
> and then provide the necessary information (by popping up a dialogue and
> requesting it). Alternatively, the RDP plugin should be rewritten to use the
> FreeRDP API rather than calling out to the xfreerdp binary.

Well, that is all fine! And I bet it will be great when it is done. But it also sounds like it will not happen before the next release.... so I suggest you add this to your TODO-list and then apply this patch in the meantime.
Comment 5 Mattias Eriksson 2014-05-20 12:17:02 UTC
Another month and nobody has implemented the "call xfreerdp with the --from-stdin argument" solution, and (of course) haven't merged the patch. Basically the development on the RDP plugins seems to be non existing, whith the last commit in 2013-08, and developers still will not merge the patch since they hope to build the perfect solution.... well, if it is going to make 3.12 it is time to start working! Or (a totally crazy suggestion) merge the patch (and when you are doing this perfect solution thing, you can remove it).
Comment 6 Stephen 2014-06-18 16:54:07 UTC
This bug has hit me as well. David, is there a plan to change the way xfreerdp is called to resolve this, or is this in need of a developer to take it on?

Mattias, I understand your frustration, but try to be civil, I suspect that this isn't a case of someone refusing to do the work, but more likely not having the time for it.

If you aren't happy with Vinagre, you can always ask for a refund ;)
Comment 7 Mattias Eriksson 2014-06-19 07:47:21 UTC
Stephen, what do you mean "not having the time for it"... someone have made and submitted a patch! Someone sat down and fixed the problem, but they refused it since they wanted to create "the perfect" solution... however, they doesn't seem to have any intention to actually do it. 
And I think I'm perfectly civil, or is it rude to point out that someone is preventing a bug from being fixed?
Comment 8 Stephen 2014-06-19 14:02:32 UTC
The above patch introduces a silent security hole by disabling certificate verification so it's appropriate that it hasn't been added to Vinagre; I'd assume that's why it hasn't been merged.

I would guess Thomas Wendt attached the patch here for end users who want to create their own patched build and are aware of the ramifications, though that's speculative on my part.
Comment 9 Tobias Mueller 2014-07-31 08:48:24 UTC
I am bitten by this "bug" right now.

Only by accident I figured out that it wrote on stdout smth like:

The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N) 
Error: Could not read answer from stdin.
SSL_write: Failure in SSL library (protocol error?)
Authentication failure, check credentials.
If credentials are valid, the NTLMSSP implementation may be to blame.



It'd be nice to have visual feedback and to be able to somehow import the x509 certificate.

But now I *really* want to connect to that host. So for now, Vinagre would allow me to get things done if I had the option to disable the certificate crap and all.

FTR: xfreerdp --ignore-certificate --sec nla -u 'username' --from-stdin 10.1.2.3
works for me.
Comment 10 David King 2014-07-31 09:12:06 UTC
This was fixed by handling the prompts and certificate requests, in bug 724133.

*** This bug has been marked as a duplicate of bug 724133 ***