GNOME Bugzilla – Bug 724135
Add options to ignore certificate and to disable NLA
Last modified: 2014-08-05 10:39:15 UTC
As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I can prevent xfreerdp from asking for a password by disabling NLA and prevent it from asking to trust the certificate by disabling verification of the logon certificate.

Attached is a patch to add the two options to the RDP plugin.

In my opinion it would be better if Vinagre would ask the user about trusting the certificate with the possibility to remember the choice. But this would probably need changes to xfreerdp. Alternatively Vinagre could parse the standard output but that seems to be prone to breakage.
Created attachment 268818: Patch to add no-nla and ignore-certificate options
Comment on attachment 268818: Patch to add no-nla and ignore-certificate options

(In reply to comment #0)
> As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I
> can prevent xfreerdp from asking for a password by disabling NLA and prevent it
> from asking to trust the certificate by disabling verification of the logon
> certificate.
>
> Attached is a patch to add the two options to the RDP plugin.

I do not want to add these options to the RDP plugin. If you need them, it is better to use xfreerdp directly.

> In my opinion it would be better if Vinagre would ask the user about trusting
> the certificate with the possibility to remember the choice. But this would
> probably need changes to xfreerdp. Alternatively Vinagre could parse the
> standard output but that seems to be prone to breakage.

Vinagre should call xfreerdp with the --from-stdin argument, parse the output and then provide the necessary information (by popping up a dialogue and requesting it). Alternatively, the RDP plugin should be rewritten to use the FreeRDP API rather than calling out to the xfreerdp binary.
So no idea about this particular patch; however, Vinagre is essentially useless when connecting to RDP hosts. I have the exact same issue (there are multiple bugs in various distro bugzillas about this too btw). I configure an RDP connection. Since the connection dialogue doesn't allow for password input the connection never actually happens. If I run Vinagre from the command line there is a password prompt on the terminal. Once the password is provided the SSL certificate is rejected and I'm never given the option of accepting it. These two issues make Vinagre absolutely useless for these RDP connections...
(In reply to comment #2)
> (From update of attachment 268818)
> (In reply to comment #0)
> > As mentioned in #724133 xfreerdp likes to prompt for user input. In my case I
> > can prevent xfreerdp from asking for a password by disabling NLA and prevent it
> > from asking to trust the certificate by disabling verification of the logon
> > certificate.
> >
> > Attached is a patch to add the two options to the RDP plugin.
>
> I do not want to add these options to the RDP plugin. If you need them, it is
> better to use xfreerdp directly.

That is just a shitty attitude! Why bother using a GUI at all then?

> > In my opinion it would be better if Vinagre would ask the user about trusting
> > the certificate with the possibility to remember the choice. But this would
> > probably need changes to xfreerdp. Alternatively Vinagre could parse the
> > standard output but that seems to be prone to breakage.
>
> Vinagre should call xfreerdp with the --from-stdin argument, parse the output
> and then provide the necessary information (by popping up a dialogue and
> requesting it). Alternatively, the RDP plugin should be rewritten to use the
> FreeRDP API rather than calling out to the xfreerdp binary.

Well, that is all fine! And I bet it will be great when it is done. But it also sounds like it will not happen before the next release.... so I suggest you add this to your TODO-list and then apply this patch in the meantime.
Another month and nobody has implemented the "call xfreerdp with the --from-stdin argument" solution, and (of course) hasn't merged the patch. Basically the development on the RDP plugins seems to be nonexistent, with the last commit in 2013-08, and developers still will not merge the patch since they hope to build the perfect solution.... well, if it is going to make 3.12 it is time to start working! Or (a totally crazy suggestion) merge the patch (and when you are doing this perfect solution thing, you can remove it).
This bug has hit me as well.

David, is there a plan to change the way xfreerdp is called to resolve this, or is this in need of a developer to take it on?

Mattias, I understand your frustration, but try to be civil. I suspect that this isn't a case of someone refusing to do the work, but more likely not having the time for it. If you aren't happy with Vinagre, you can always ask for a refund ;)
Stephen, what do you mean "not having the time for it"... someone has made and submitted a patch! Someone sat down and fixed the problem, but they refused it since they wanted to create "the perfect" solution... however, they don't seem to have any intention to actually do it. And I think I'm perfectly civil, or is it rude to point out that someone is preventing a bug from being fixed?
The above patch introduces a silent security hole by disabling certificate verification so it's appropriate that it hasn't been added to Vinagre; I'd assume that's why it hasn't been merged. I would guess Thomas Wendt attached the patch here for end users who want to create their own patched build and are aware of the ramifications, though that's speculative on my part.
I am bitten by this "bug" right now. Only by accident I figured out that it wrote on stdout something like:

The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N) Error: Could not read answer from stdin.
SSL_write: Failure in SSL library (protocol error?)
Authentication failure, check credentials.
If credentials are valid, the NTLMSSP implementation may be to blame.

It'd be nice to have visual feedback and to be able to somehow import the x509 certificate. But now I *really* want to connect to that host. So for now, Vinagre would allow me to get things done if I had the option to disable the certificate crap and all.

FTR: xfreerdp --ignore-certificate --sec nla -u 'username' --from-stdin 10.1.2.3 works for me.
This was fixed by handling the prompts and certificate requests, in bug 724133.

*** This bug has been marked as a duplicate of bug 724133 ***
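
The replies above propose running xfreerdp with --from-stdin, parsing its output and asking the user, rather than disabling certificate verification. The C code below is an added example, not part of this thread and not Vinagre's or FreeRDP's code: it scans the child's output for the three messages quoted in the comment above, including a prompt split across two pipe reads. The names `struct scanner`, `scanner_feed` and `KEEP` are hypothetical, and the sample chunks in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Events a front end has to show the user instead of swallowing. */
enum rdp_event { EV_NONE, EV_CERT_PROMPT, EV_STDIN_UNREADABLE, EV_AUTH_FAILURE };

/* Marker strings copied from the xfreerdp output quoted in this thread. */
static const struct { const char *text; enum rdp_event ev; } markers[] = {
    { "Do you trust the above certificate? (Y/N)",  EV_CERT_PROMPT },
    { "Error: Could not read answer from stdin.",   EV_STDIN_UNREADABLE },
    { "Authentication failure, check credentials.", EV_AUTH_FAILURE },
};
#define KEEP 41   /* longest marker minus one: tail that may start a split marker */

struct scanner { char buf[512]; size_t len; };   /* hypothetical helper type */

/* Append one chunk read from the child's pipe and return the earliest event
 * in the buffered text. Call again with n == 0 until EV_NONE to drain. */
enum rdp_event scanner_feed(struct scanner *s, const char *chunk, size_t n)
{
    size_t room = sizeof s->buf - 1 - s->len;
    if (n > room) n = room;        /* never overflow; read in <= 256-byte chunks */
    memcpy(s->buf + s->len, chunk, n);
    s->len += n;
    s->buf[s->len] = '\0';

    const char *best = NULL, *end = NULL;
    enum rdp_event ev = EV_NONE;
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++) {
        const char *hit = strstr(s->buf, markers[i].text);
        if (hit && (!best || hit < best)) {
            best = hit; end = hit + strlen(markers[i].text); ev = markers[i].ev;
        }
    }
    /* Drop everything up to the end of the match, or all but a KEEP-byte tail. */
    size_t cut = end ? (size_t)(end - s->buf) : (s->len > KEEP ? s->len - KEEP : 0);
    memmove(s->buf, s->buf + cut, s->len - cut);
    s->len -= cut;
    return ev;
}

int main(void)
{
    struct scanner s = { {0}, 0 };   /* constructed input: prompt split in two reads */
    printf("%d\n", scanner_feed(&s, "Do you trust the above certi", 28));
    printf("%d\n", scanner_feed(&s, "ficate? (Y/N) ", 14));
    return 0;
}
```

A front end would raise a dialog on `EV_CERT_PROMPT` and write the user's answer to xfreerdp's stdin, so trusting the certificate stays an explicit user decision. On `EV_STDIN_UNREADABLE` or `EV_AUTH_FAILURE` it would report the failure instead of failing silently.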