[Bug 264528] net/freerdp: NLA fails to connect through gateway after 13.1 upgrade: rdg_process_close_packet:freerdp_set_last_error_ex E_PROXY_INTERNALERROR [0x800759D8]

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 04 Jan 2023 03:01:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264528

--- Comment #19 from alt2600@icloud.com ---
(In reply to VVD from comment #17)


Specifically on my 13.0 box that works, with version 2.7.0 when I posted the
bug report, I will not upgrade the only thing that allows my connections for
remote work, versus 13.1 both report the same. Not even sure it would even
build the new ones without fighting ports not necessarily supporting 13.0
anymore, and again, not messing with my money maker.

> RequestedProtocols: 3
> …
> selected_protocol: 2

also, on the 2.9.0 upgrade on my 13.1 box I noticed upstream noted in their
repo's notes on this patch to 2.9.0 some new options to have freerdp use an
internal version of the hmac hashes for md4 and md5 which are needed by rdp but
maybe no longer enabled in our openssl because they are cracked algorithms.
WITH_INTERNAL_MD5 and WITH_INTERNAL_MD4 cmake variables in the winpr
sub-project cmake files in WRKSRC. I would post the patch that enabled them as
options, but despite confirming they were seen in the CMakeCache.txt for the
BUILD dir, they made no seeming difference. I got the same failed connection
message about internal error when I tried to use that version. I had hoped for
the Christmas Miracle the day ahead of some remote work being allowed for the
holidays, but it wouldn't connect. I did notice that we seem to be enabling
WITH_MBEDTLS but that gets disabled when using openssl which is also enabled in
the CMAKEARGS, similarly WITH_OPENSLES.

per configure:
-- Finding required feature OpenSSL for cryptography (encryption, certificate
validation, hashing functions)
-- Found OpenSSL: /usr/lib/libssl.so;/usr/lib/libcrypto.so (found version
"1.1.1o") 
-- Skipping optional feature MbedTLS for cryptography (encryption, certificate
validation, hashing functions)
--     Enable feature MbedTLS using "-DWITH_MBEDTLS=ON"
-- Skipping optional feature OpenSLES for multimedia (OpenSLES audio / video)
--     Enable feature OpenSLES using "-DWITH_OPENSLES=ON"

Not sure on the MBEDTLS or why it wouldn't be used, but I do have it
installed, but I do not have opensles seemingly installed so maybe cmake isn't
finding those libraries when built in the wild? Not sure what they do exactly,
but they are in the default CMAKEARGS for the port to be turned on. I just
assume this needs basic openssl, but after going back to the office basic full
time excepting the holidays, I haven't put a lot into testing this much more
except when I see the new releases in ports.

### attempted use patch. I don't know if it would be good to attach because it
didn't work so I put it inline here. Ignore the bits on OS version checking,
and the bits where it took way too much effort for me to make CMake add the
option to the cache and process its use in the project, reasons to clean the
patch up before I attach too. I had sought to make it auto enable the option if
it was a 13.1 system or newer, but that code never worked so I left them as
knobs, which seemed to not help the situation out in my case. Not sure they
matter as the 2.7.0 version in the old ports tree on my RDP connection VM has
the same message in configure of not actually using them, or maybe no specific
pieces of those. I only mention since this is loosely connected to ssl, so maybe
no issue at all. Did not try turning off OpenSSL leaving those set, and trying
the internal md4 & md5 methods that do the hmac algorithm for them as needed by
the rdp protocol.

diff --git a/net/freerdp/Makefile b/net/freerdp/Makefile
index 8481edcbc6f1..c606e485c0f7 100644
--- a/net/freerdp/Makefile
+++ b/net/freerdp/Makefile
@@ -37,7 +37,7 @@ PLIST_SUB+=   PATCHVERSION="${PATCHVERSION}"
 PLIST_SUB+=    MAJORVERSION="${MAJORVERSION}"

 OPTIONS_DEFINE=                ALSA BROKENFOCUS CUPS FAAC FAAD FFMPEG GSM
GSTREAMER \
-                       ICU JPEG KERBEROS LAME MANPAGES OPENH264 PCSC \
+                       ICU INTERNALMD4 INTERNALMD5 JPEG KERBEROS LAME MANPAGES
OPENH264 PCSC \
                        PULSEAUDIO SOXR WAYLAND X11
 OPTIONS_DEFAULT=       CUPS GSTREAMER ICU KERBEROS MANPAGES SWSCALE WAYLAND
X11
 OPTIONS_RADIO=         SCALE
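Review bot: INTERNALMD4 and INTERNALMD5 are added to OPTIONS_DEFINE only, not to OPTIONS_DEFAULT, so a plain build leaves both knobs off unless the user switches them on in `make config`; if the goal is to have them on for affected systems, add them to OPTIONS_DEFAULT here (or conditionally, in a block that is actually active) rather than relying on the commented-out autoenable code later in the patch. Also, the mail client has wrapped the long lines (`GSTREAMER \` and `X11` spilled onto lines of their own), so this inline copy will not apply with `patch`; attach the file instead of pasting it.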
@@ -84,6 +84,19 @@ GSTREAMER_LIB_DEPENDS=      
libgstbase-1.0.so:multimedia/gstreamer1
 ICU_LIB_DEPENDS=       libicuuc.so:devel/icu
 ICU_CMAKE_BOOL=                WITH_ICU

+INTERNALMD4_DESC=              Use Internal MD4 hashes instead of OpenSSL
+#INTERNALMD4_CMAKE_ON= WITH_INTERNAL_MD4
+INTERNALMD4_CMAKE_BOOL=        WITH_INTERNAL_MD4
+#INTERNALMD4_CONFIGURE_ENV+=   WITH_INTERNAL_MD4
+#INTERNALMD4_CMAKE_ARGS+=      -D WITH_INTERNAL_MD4:BOOL=ON
+
+INTERNALMD5_DESC=              Use Internal MD5 hashes instead of OpenSSL
+#INTERNALMD5_CMAKE_ON= -DWITH_INTERNAL_MD5:BOOL=ON
+INTERNALMD5_CMAKE_BOOL=        WITH_INTERNAL_MD5
+#INTERNALMD5_CONFIGURE_ENV+=   WITH_INTERNAL_MD5
+#INTERNALMD5_CMAKE_ARGS+=      -D WITH_INTERNAL_MD5:BOOL=ON
+#INTERNALMD5_CMAKE_ARGS+=      -UWITH_INTERNAL_MD5 -DWITH_INTERNAL_MD5:BOOL=ON
+
 JPEG_USES=             jpeg
 JPEG_CMAKE_BOOL=       WITH_JPEG

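Review bot: the commented-out alternatives (`#INTERNALMD4_CMAKE_ON`, `#..._CONFIGURE_ENV+=`, `#..._CMAKE_ARGS+=`) should be removed before this is attached; `INTERNALMD4_CMAKE_BOOL= WITH_INTERNAL_MD4` and its MD5 twin already expand to `-DWITH_INTERNAL_MD4:BOOL=ON` or `OFF` depending on the option, which is the idiomatic single knob. Two of the commented lines would also be wrong if ever revived: `#INTERNALMD4_CMAKE_ON= WITH_INTERNAL_MD4` lacks the full `-D...:BOOL=ON` argument that `_CMAKE_ON` expects (the MD5 variant below it has the right form), and `_CONFIGURE_ENV+= WITH_INTERNAL_MD4` assigns no value at all. Given the report that the variables did appear in CMakeCache.txt yet changed nothing, the fault is unlikely to be in this hunk; the configure summary is the place to confirm that winpr actually selected the internal MD4/MD5 implementations rather than assuming the cache entry was honoured.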
@@ -141,6 +154,19 @@ X11_CMAKE_OFF=             -DWITH_X11:BOOL=OFF
-DWITH_XKBFILE:BOOL=OFF
 X11_USES=              xorg
 X11_USE=              
xorg=x11,xcursor,xext,xorgproto,xfixes,xi,xinerama,xkbfile,xrandr,xrender,xv

+# Detect freebsd 1301000 and autoenable INTERNALMD4 and INTERNALMD5 for
gateway support
+# Work around rdp using bad legacy hash algorithms and OpenSSL not enabling
them on >13.1
+#.include <bsd.port.options.mk>
+#.if ${OPSYS} == FreeBSD && ${OSVERSION} >= 1301000
+#.if empty(PORT_OPTIONS:MINTERNALMD4) && empty(PORT_OPTIONS:MINTERNALMD5)
+#BROKEN=         NLS support requires QT4 frontend. Run 'make config' again!
+#.endif
+#OPTIONS_SET+= INTERNALMD4 INTERNALMD5
+#INTERNALMD4= ON
+#INTERNALMD5= ON
+#.endif
+
+
 post-patch:
        @${REINPLACE_CMD} -e 's|gsm/gsm.h|gsm.h|' \
                ${WRKSRC}/cmake/FindGSM.cmake \
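Review bot: the entire OSVERSION autoenable block is commented out, so it does nothing and, as the accompanying text already says, should be dropped before attaching. If it is ever revived, three things need fixing: the `BROKEN=` message ("NLS support requires QT4 frontend") is copied from some unrelated port and would mislead users of this one; `OPTIONS_SET+=` and `INTERNALMD4= ON` / `INTERNALMD5= ON` are not how a port enables its own options (`OPTIONS_SET` is a user setting for make.conf; a port uses OPTIONS_DEFAULT), so even uncommented the block would not turn the knobs on; and the leading comment's ">13.1" should read ">=13.1" to match the `${OSVERSION} >= 1301000` test beneath it. The two extra blank lines inserted before `post-patch:` are a whitespace-only change and should go as well.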
@@ -150,4 +176,5 @@ pre-configure:
        ${CP} ${FILESDIR}/mntent.h ${WRKSRC}/rdtk/include
        ${CP} ${FILESDIR}/mntent_compat.c ${WRKSRC}/channels/rdpdr/client

+
 .include <bsd.port.mk>
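Review bot: this hunk only inserts a blank line ahead of `.include <bsd.port.mk>`, a whitespace-only change with no effect on the build; drop it from the patch so the diff shows just the intended option changes.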
