[Bug 264528] net/freerdp: NLA fails to connect through gateway after 13.1 upgrade: rdg_process_close_packet:freerdp_set_last_error_ex E_PROXY_INTERNALERROR [0x800759D8]
Date: Wed, 04 Jan 2023 03:01:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264528

--- Comment #19 from alt2600@icloud.com ---
(In reply to VVD from comment #17)

Specifically on my 13.0 box that works, with version 2.7.0 when I posted the bug report, I will not upgrade the only thing that allows my connections for remote work, versus 13.1 both report the same. Not even sure it would even build the new ones without fighting ports not necessarily supporting 13.0 anymore, and again, not messing with my money maker.

> RequestedProtocols: 3
> …
> selected_protocol: 2

Also, on the 2.9.0 upgrade on my 13.1 box I noticed upstream noted in their repos notes on this patch to 2.9.0 some new options to have freerdp use an internal version of the hmac hashes for md4 and md5 which are needed by rdp but maybe no longer enabled in our openssl because they are cracked algorithms. WITH_INTERNAL_MD5 and WITH_INTERNAL_MD4 cmake variables in the winpr sub-project cmake files in WRKSRC. I would post the patch that enabled them as options, but despite confirming they were seen in the CMakeCache.txt for the BUILD dir, they made no seeming difference. I got the same failed connection message about internal error when I tried to use that version. I had hoped for the Christmas Miracle the day ahead of some remote work being allowed for the holidays, but it wouldn't connect.
I did notice that we seem to be enabling WITH_MBEDTLS but that gets disabled when using openssl which is also enabled in the CMAKEARGS, similarly WITH_OPENSLES per configure:

-- Finding required feature OpenSSL for cryptography (encryption, certificate validation, hashing functions)
-- Found OpenSSL: /usr/lib/libssl.so;/usr/lib/libcrypto.so (found version "1.1.1o")
-- Skipping optional feature MbedTLS for cryptography (encryption, certificate validation, hashing functions)
-- Enable feature MbedTLS using "-DWITH_MBEDTLS=ON"
-- Skipping optional feature OpenSLES for multimedia (OpenSLES audio / video)
-- Enable feature OpenSLES using "-DWITH_OPENSLES=ON"

Not sure on the MBEDTLS or why it wouldn't be used, but I do have it installed, but I do not have opensles seemingly installed so maybe cmake isn't finding those libraries when built in the wild? Not sure what they do exactly, but they are in the default CMAKEARGS for the port to be turned on. I just assume this needs basic openssl, but after going back to the office basically full time excepting the holidays, I haven't put a lot into testing this much more except when I see the new releases in ports.

### attempted use patch

I don't know if it would be good to attach because it didn't work so I put it inline here. Ignore the bits on OS version checking, and the bits where it took way too much effort for me to make CMake add the option to the cache and process its use in the project, reasons to clean the patch up before I attach too. I had sought to make it auto enable the option if it was a 13.1 system or newer, but that code never worked so I left them as knobs, which seemed to not help the situation out in my case. Not sure they matter as the 2.7.0 version in the old ports tree on my RDP connection VM has the same message in configure of not actually using them, or maybe no specific pieces of those. I only mention since this is loosely connected to ssl, so maybe no issue at all.
Did not try turning off OpenSSL leaving those set, and trying the internal md4 & md5 methods that do the hmac algorithm for them as needed by rdp protocol. diff --git a/net/freerdp/Makefile b/net/freerdp/Makefile index 8481edcbc6f1..c606e485c0f7 100644 --- a/net/freerdp/Makefile +++ b/net/freerdp/Makefile @@ -37,7 +37,7 @@ PLIST_SUB+= PATCHVERSION="${PATCHVERSION}" PLIST_SUB+= MAJORVERSION="${MAJORVERSION}" OPTIONS_DEFINE= ALSA BROKENFOCUS CUPS FAAC FAAD FFMPEG GSM GSTREAMER \ - ICU JPEG KERBEROS LAME MANPAGES OPENH264 PCSC \ + ICU INTERNALMD4 INTERNALMD5 JPEG KERBEROS LAME MANPAGES OPENH264 PCSC \ PULSEAUDIO SOXR WAYLAND X11 OPTIONS_DEFAULT= CUPS GSTREAMER ICU KERBEROS MANPAGES SWSCALE WAYLAND X11 OPTIONS_RADIO= SCALE @@ -84,6 +84,19 @@ GSTREAMER_LIB_DEPENDS= libgstbase-1.0.so:multimedia/gstreamer1 ICU_LIB_DEPENDS= libicuuc.so:devel/icu ICU_CMAKE_BOOL= WITH_ICU +INTERNALMD4_DESC= Use Internal MD4 hashes instead of OpenSSL +#INTERNALMD4_CMAKE_ON= WITH_INTERNAL_MD4 +INTERNALMD4_CMAKE_BOOL= WITH_INTERNAL_MD4 +#INTERNALMD4_CONFIGURE_ENV+= WITH_INTERNAL_MD4 +#INTERNALMD4_CMAKE_ARGS+= -D WITH_INTERNAL_MD4:BOOL=ON + +INTERNALMD5_DESC= Use Internal MD5 hashes instead of OpenSSL +#INTERNALMD5_CMAKE_ON= -DWITH_INTERNAL_MD5:BOOL=ON +INTERNALMD5_CMAKE_BOOL= WITH_INTERNAL_MD5 +#INTERNALMD5_CONFIGURE_ENV+= WITH_INTERNAL_MD5 +#INTERNALMD5_CMAKE_ARGS+= -D WITH_INTERNAL_MD5:BOOL=ON +#INTERNALMD5_CMAKE_ARGS+= -UWITH_INTERNAL_MD5 -DWITH_INTERNAL_MD5:BOOL=ON + JPEG_USES= jpeg JPEG_CMAKE_BOOL= WITH_JPEG 
@@ -141,6 +154,19 @@ X11_CMAKE_OFF= -DWITH_X11:BOOL=OFF -DWITH_XKBFILE:BOOL=OFF X11_USES= xorg X11_USE= xorg=x11,xcursor,xext,xorgproto,xfixes,xi,xinerama,xkbfile,xrandr,xrender,xv +# Detect freebsd 1301000 and autoenable INTERNALMD4 and INTERNALMD5 for gateway support +# Work around rdp using bad legacy hash algorithms and OpenSSL not enabling them on >13.1 +#.include <bsd.port.options.mk> +#.if ${OPSYS} == FreeBSD && ${OSVERSION} >= 1301000 +#.if empty(PORT_OPTIONS:MINTERNALMD4) && empty(PORT_OPTIONS:MINTERNALMD5) +#BROKEN= NLS support requires QT4 frontend. Run 'make config' again! +#.endif +#OPTIONS_SET+= INTERNALMD4 INTERNALMD5 +#INTERNALMD4= ON +#INTERNALMD5= ON +#.endif + + post-patch: @${REINPLACE_CMD} -e 's|gsm/gsm.h|gsm.h|' \ ${WRKSRC}/cmake/FindGSM.cmake \ @@ -150,4 +176,5 @@ pre-configure: ${CP} ${FILESDIR}/mntent.h ${WRKSRC}/rdtk/include ${CP} ${FILESDIR}/mntent_compat.c ${WRKSRC}/channels/rdpdr/client + .include <bsd.port.mk> -- You are receiving this mail because: You are the assignee for the bug.
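
Review bot: In the first hunk (@@ -37,7 +37,7 @@), INTERNALMD4 and INTERNALMD5 are added to OPTIONS_DEFINE but not to OPTIONS_DEFAULT, so both stay off unless someone selects them in the options dialog. If the goal described in the later comment ("autoenable INTERNALMD4 and INTERNALMD5 for gateway support") is still wanted, say in the option descriptions that they must be switched on by hand, or add them to OPTIONS_DEFAULT once they are shown to help.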
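
Review bot: In the second hunk (@@ -84,6 +84,19 @@), the one live line per option (INTERNALMD4_CMAKE_BOOL= WITH_INTERNAL_MD4 and INTERNALMD5_CMAKE_BOOL= WITH_INTERNAL_MD5) is buried among commented-out attempts using _CMAKE_ON, _CONFIGURE_ENV and _CMAKE_ARGS. Remove the commented lines before attaching: they are not equivalent to one another (#INTERNALMD4_CMAKE_ON= WITH_INTERNAL_MD4 lacks the -D and :BOOL=ON that the MD5 variant carries), and a later reader cannot tell which form was actually built and tested.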
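
Review bot: The auto-enable block in the third hunk (@@ -141,6 +154,19 @@) is entirely commented out and is inconsistent as written, so it should be dropped from the patch or rewritten rather than shipped as comments. Its BROKEN text ("NLS support requires QT4 frontend. Run 'make config' again!") is unrelated to INTERNALMD4/INTERNALMD5, the inner .if marks the port BROKEN when both options are unset and the following OPTIONS_SET+= line then sets them anyway, and the comment says ">13.1" while the test is OSVERSION >= 1301000. The hunk also ends by adding two empty lines before post-patch:, which should go as well.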
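
Review bot: The last hunk (@@ -150,4 +176,5 @@) is a whitespace-only change that adds an empty line before .include <bsd.port.mk>. Drop it so the patch touches only the option definitions.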