[Remmina Users] Remmina reports: Error connecting to RDP server ... TLS connection failed. Check that client and server support a common TLS version.

rpr // rpr.nospam at gmail.com
Thu Aug 8 17:42:41 CEST 2019


Hi!

While trying to connect to a Windows machine with Remmina it warned
about RDP certificate change on the host. I accepted the changed
certificate but then Remmina displayed the following error:
Error connecting to RDP server ... TLS connection failed. Check that
client and server support a common TLS version.

$ remmina --full-version
Remmina plugin glibsecret (type=Secret) has registered but not yet initialized/activated. Initialization order is 2000.
Secret plugin glibsecret has been successfully initialized and will be your default secret plugin
StatusNotifier/Appindicator support: your desktop does support it and libappindicator is compiled in remmina. Good!

Remmina - 1.3.5 (git n/a)

NAME        TYPE        DESCRIPTION                                                     PLUGIN AND LIBRARY VERSION
RDP         Protocol    RDP - Remote Desktop Protocol                                   RDP Plugin: 1.3.5 (git n/a), Compiled with FreeRDP lib: 2.0.0-dev5 (n/a), Running with FreeRDP lib: 2.0.0-dev5 (rev n/a), H.264: Yes
RDPF        File        RDP - RDP File Handler                                          RDP Plugin: 1.3.5 (git n/a), Compiled with FreeRDP lib: 2.0.0-dev5 (n/a), Running with FreeRDP lib: 2.0.0-dev5 (rev n/a), H.264: Yes
RDPS        Preference  RDP - Preferences                                               RDP Plugin: 1.3.5 (git n/a), Compiled with FreeRDP lib: 2.0.0-dev5 (n/a), Running with FreeRDP lib: 2.0.0-dev5 (rev n/a), H.264: Yes
SFTP        Protocol    SFTP - Secure File Transfer                                     1.3.5
SPICE       Protocol    SPICE - Simple Protocol for Independent Computing Environments  1.3.5
SSH         Protocol    SSH - Secure Shell                                              1.3.5
VNC         Protocol    VNC - VNC viewer                                                1.3.5
VNCI        Protocol    VNCI - VNC viewer listen mode                                   1.3.5
glibsecret  Secret      Secure passwords storing in the GNOME keyring                   1.3.5

Build configuration: HAVE_ARPA_INET_H=1 HAVE_ERRNO_H=1 HAVE_FCNTL_H=1 HAVE_NETDB_H=1 HAVE_NETINET_IN_H=1 HAVE_NETINET_TCP_H=1 HAVE_SYS_SOCKET_H=1 HAVE_SYS_UN_H=1 HAVE_TERMIOS_H=1 HAVE_UNISTD_H=1 WITH_APPINDICATOR=ON WITH_AVAHI=ON WITH_FREERDP=ON WITH_GCRYPT=ON WITH_GETTEXT=ON WITH_IPP=OFF WITH_KF5WALLET=ON WITH_LIBRARY_VERSIONING=ON WITH_LIBSECRET=ON WITH_LIBSSH=ON WITH_LIBVNCSERVER=ON WITH_MANPAGES=ON WITH_SPICE=ON WITH_SSE2=ON WITH_TRANSLATIONS=ON WITH_VTE=ON
Build type:          None
CFLAGS:              -g -O2 -fdebug-prefix-map=/build/remmina-mSYRua/remmina-1.3.5+ppa201907301631.r7858862.d6078cd2~ubuntu18.04.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -g
Compiler:            GNU, 7.4.0
Target architecture: x64

Starting Remmina from command line revealed the following:

[13:15:12:629] [17448:17607] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[13:15:12:629] [17448:17607] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[13:15:12:629] [17448:17607] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[13:15:12:629] [17448:17607] [INFO][com.freerdp.client.common.cmdline] - loading channelEx drdynvc
[13:15:12:751] [17448:17607] [WARN][com.freerdp.crypto] - Certificate verification failure 'unable to get local issuer certificate (20)' at stack position 0
[13:15:12:751] [17448:17607] [WARN][com.freerdp.crypto] - CN = host.foo.bar
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - The host key for 192.168.33.108:3389 has changed
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - Someone could be eavesdropping on you right now (man-in-the-middle attack)!
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - It is also possible that a host key has just been changed.
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - The fingerprint for the host key sent by the remote host is 8a:35:82:f9:e8:09:76:82:eb:64:76:b1:e6:d6:70:3c:16:16:b1:6a
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - Please contact your system administrator.
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - Add correct host key in /home/username/.config/freerdp/known_hosts2 to get rid of this message.
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - Host key for 192.168.33.108 has changed and you have requested strict checking.
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - Host key verification failed.
[13:15:12:752] [17448:17607] [WARN][com.freerdp.crypto] - The VerifyChangedCertificate callback is deprecated, migrate your application to VerifyChangedCertificateEx
[13:15:14:969] [17448:17607] [ERROR][com.freerdp.crypto] - certificate not trusted, aborting.
[13:15:14:969] [17448:17607] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

The issue was resolved by editing ~/.config/freerdp/known_hosts2 and
removing the line for host 192.168.33.108.

I conclude that the message saying "Check that client and server
support a common TLS version" is actually misleading in this case.

For some reason Remmina was not able to update the
~/.config/freerdp/known_hosts2 file after I accepted the changed
certificate.

Any comments?

-- rpr.
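
The fix described in the message above (removing the stale line from known_hosts2), as an added example that is not part of the original post and not Remmina or FreeRDP code: it reads the changed-key event from a FreeRDP log and removes the pinned entry only when the fingerprint the server presented matches one confirmed out of band. It assumes each known_hosts2 line begins with host, port and fingerprint, that the log has one event per line, and IPv4 or hostname targets; the stored pins and the second host in the sample are constructed.

```shell
#!/bin/sh
# Added example, not Remmina/FreeRDP code. Assumes each known_hosts2 line
# starts with "host port fingerprint" and that the log has one event per line.

# Print "host port fingerprint" for the changed-host-key event in a log file.
changed_key_from_log() {
    awk '
        /The host key for .* has changed/ {
            for (i = 1; i < NF; i++)
                if ($i == "for") { split($(i + 1), hp, ":"); host = hp[1]; port = hp[2] }
        }
        /fingerprint for the host key sent by the remote host is/ { fp = $NF }
        END { if (host == "" || fp == "") exit 1; print host, port, fp }
    ' "$1"
}

# Drop the stale pin only when the fingerprint in the log equals the one
# confirmed out of band. Returns 0 = removed (backup kept in .bak),
# 1 = mismatch (file untouched), 2 = no changed-key event in the log.
remove_pin_if_verified() {
    log=$1; known=$2; expected=$3
    event=$(changed_key_from_log "$log") || return 2
    set -- $event
    seen=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    [ "$seen" = "$want" ] || return 1
    cp -p "$known" "$known.bak"
    awk -v h="$1" -v p="$2" '!($1 == h && $2 == p)' "$known" > "$known.tmp" &&
        mv "$known.tmp" "$known"
}

# Constructed sample data: log lines as in the post, made-up stored pins.
demo() {
    d=$(mktemp -d)
    cat > "$d/freerdp.log" <<'EOF'
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - The host key for 192.168.33.108:3389 has changed
[13:15:12:751] [17448:17607] [ERROR][com.freerdp.crypto] - The fingerprint for the host key sent by the remote host is 8a:35:82:f9:e8:09:76:82:eb:64:76:b1:e6:d6:70:3c:16:16:b1:6a
[13:15:14:969] [17448:17607] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
EOF
    printf '%s\n' '192.168.33.108 3389 00:11:22:33' '192.0.2.10 3389 aa:bb:cc:dd' > "$d/known_hosts2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(demo)
    remove_pin_if_verified "$d/freerdp.log" "$d/known_hosts2" \
        "8a:35:82:f9:e8:09:76:82:eb:64:76:b1:e6:d6:70:3c:16:16:b1:6a" && cat "$d/known_hosts2"
fi
```

A return code of 1 means the certificate the server presented is not the one the administrator confirmed, so the pin stays in place and the connection should not be retried until that is explained.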

