From nobody Fri Jun 30 14:45:52 2023 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qsymr5K1Wz4kVh3 for ; Fri, 30 Jun 2023 14:46:04 +0000 (UTC) (envelope-from freebsd-current@m.gmane-mx.org) Received: from ciao.gmane.io (ciao.gmane.io [116.202.254.214]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Qsymq6LWWz44BM for ; Fri, 30 Jun 2023 14:46:03 +0000 (UTC) (envelope-from freebsd-current@m.gmane-mx.org) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of freebsd-current@m.gmane-mx.org designates 116.202.254.214 as permitted sender) smtp.mailfrom=freebsd-current@m.gmane-mx.org; dmarc=none Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1qFFNq-0009Yr-3Y for freebsd-current@freebsd.org; Fri, 30 Jun 2023 16:46:02 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-current@freebsd.org From: Pierre Pronchery Subject: Re: CURRENT: bhyve: xfreerdp doesn't support OpenSSL 3 yet. Alternatives? Date: Fri, 30 Jun 2023 16:45:52 +0200 Organization: FreeBSD Foundation Message-ID: <105d4fa7-8472-6316-fc15-7ba8dd987974@freebsdfoundation.org> References: <20230629163533.4d430fed@thor.intern.walstatt.dynvpn.de> <20230629183519.7eff8540@thor.intern.walstatt.dynvpn.de> List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0 Content-Language: en-US In-Reply-To: Cc: freebsd-virtualization@freebsd.org X-Spamd-Result: default: False [-1.50 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; MV_CASE(0.50)[]; FORGED_SENDER(0.30)[pierre@freebsdfoundation.org,freebsd-current@m.gmane-mx.org]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; ASN(0.00)[asn:24940, ipnet:116.202.0.0/16, country:DE]; R_DKIM_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[pierre@freebsdfoundation.org,freebsd-current@m.gmane-mx.org]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[freebsdfoundation.org]; TO_DN_NONE(0.00)[]; HAS_ORG_HEADER(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4Qsymq6LWWz44BM X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N Hi everyone, I believe I understand where the issue loading OpenSSL's legacy provider comes from (for MD4 support) and I am currently working on a fix here: https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0-providers Basically the OpenSSL provider module for legacy algorithms is not built correctly, since the switch to OpenSSL 3.0.9 in base. The same goes with the FIPS module, where finding an elegant solution is more difficult than for the legacy one, but I'm getting there. Anyway, I will keep updating this branch until it's ready for a pull-up request, very likely with force-pushes in order to polish the commits before submission. Let me know how it goes! Cheers, -- Pierre On 6/29/23 23:56, Dustin Marquess wrote: > On Jun 29, 2023 at 11:36 AM -0500, FreeBSD User > , wrote: > > Am Thu, 29 Jun 2023 16:41:51 +0200 > Guido Falsi schrieb: > > On 29/06/23 16:35, FreeBSD User wrote: > > Hello, > > running a recent CURRENT, 14.0-CURRENT #10 > main-n263871-fd774e065c5d: Thu Jun 29 05:26:55 > CEST 2023 amd64, xfreerdp (net/freerdp) doesn't working > anymore on Windows 10 guest in > bhyve. It seems OpenSSL 3 is the culprit (see the error > message from xfreerdp below). I > opened already a PR (see: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272281). In a > very quick response I was informed that recent FreeRDP > doesn't support OpenSSL 3 yes > (https://github.com/FreeRDP/FreeRDP/pull/8920). > > Checking for HowTo's setting up bhyve guests, I dodn't > realise any setting for > alternatives to RDP. As I do not fully understand how bhyve > passes through its guest's > framebuffer device/ or native GUI, I'm a bit helpless in > searching for another solution to > contact the Windows10 guest from the X11 desktop of the hosts. > > Trying remmina turns out to be a fail, because in our > installation libsoup2 and libsoup3 > are installed both and remmina complains about having both > symbols, also I realised > remmina seems to utilize net/freerdb as the RDP backend. > > Since I have no clue how to install "blindly" a VNCserver > within the Windows10 guest, I > presume VNC is not an option in any way. > > Is there any way to access the bhyve guest's native > graphical interface? As in the PR shown > above already documented (setup taken from the FreeBSD > Wiki/bhyve), a framebuffer is > already configured. > > It would be nice if someone could give a hint. > > > I had the same issue, with Windows 10 pro hosts, but the fault is in > windows, which, by default, tries to negotiate an ancient > protocol (NTLM > using RC4 if I understand correctly). > > With modern windows RDP servers there are better protocols > available, > you can get them in remmina by forcing "TLS protocolo security" > in the > advanced tab, security protocol negotiation (second row). > > Doing this (after some experimentation with various options) > solved the > issue for me. > > > Thank you very much for the quick response. > > net/remmina is not an option on most of my workstations, since some > required ports install > libsoup3, and remmina complains about having found libsoup2 symbols > as well as libsoup3 > symbols when starting up - and quits. > > Since remmina utilises net/freerdp, I was wondering if I could > enforce TLS security by any > kind of a switch, and trying the following > > xfreerdp /v:192.168.0.128:5900 /u:ohartmann /sec:tls > > resulting in > > [...] > [17:58:18:972] [1702:bb812700] [WARN][com.winpr.utils.ssl] - OpenSSL > LEGACY provider failed to > load, no md4 support available! > [17:58:18:973] [1702:bb812700] [ERROR][com.freerdp.core.transport] - > BIO_read returned an > error: error:12800067:DSO support routines::could not load the > shared library > [17:58:18:973] [1702:bb812700] [ERROR][com.freerdp.core.transport] - > BIO_read returned an > error: error:12800067:DSO support routines::could not load the > shared library > [17:58:18:973] [1702:bb812700] [ERROR][com.freerdp.core.transport] - > BIO_read returned an > error: error:07880025:common libcrypto routines::reason(524325) > [17:58:18:973] > [1702:bb812700] [ERROR][com.freerdp.core] - > transport_read_layer:freerdp_set_last_error_ex > ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] > [17:58:18:981] [1702:bb812700] [ERROR][com.freerdp.core.transport] - > BIO_read returned a > system error 35: Resource temporarily unavailable > [17:58:18:981] [1702:bb812700] [ERROR][com.freerdp.core] - > transport_read_layer:freerdp_set_last_error_ex > ERRCONNECT_CONNECT_TRANSPORT_FAILED > [0x0002000D] [17:58:18:981] [1702:bb812700] > [ERROR][com.freerdp.core] - freerdp_post_connect > failed > > > My setup is > > bhyve -c 4 -m 4G -w -H \ > -s 0,hostbridge \ > -s 3,ahci-hd,/pool/home/ohartmann/bhyve/win10/disk_win10.img \ > -s 5,virtio-net,tap0 \ > -s 29,fbuf,tcp=0.0.0.0:5900,w=1920,h=1200,vga=io \ > -s 30,xhci,tablet \ > -s 31,lpc \ > -l com1,stdio \ > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ > win10 > > and this is a working image setup a couple of weeks ago when VBox > has been defective on > CURRENT - should say: it worked once. > > I can not interpret the error above. > > bhyve is novel to me and I have to admit that I make some capital > mistakes here - but can't > find satisfying doucumentation ... > > Kind reagrds, > > Oliver > > > RDP would be on the guest's IP using port 3389.  Port 5900 on the host's > IP is bhyve's VNC port, which speaks VNC, not RDP. > > If you want to use VNC, try TigerVNC. > > -Dustin -- Pierre Pronchery