Bug: Remmina fails to connect RDP over TLS #203976

Open
cyntheticfox opened this issue Dec 1, 2022 · 8 comments

@cyntheticfox
Contributor

Describe the bug

Switching to NixOS 22.11, I cannot open a connection to a remote computer via gateway over RDP using Remmina over TLS. This must be package-specific, as I am able to do so fine (even now) with the version on NixOS 22.05.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Download applicable rdp file/connection
  2. Attempt to connect with Remmina

Expected behavior

A successful opening of the RDP connection.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Only applicable log line generated, even with G_MESSAGES_PREFIXED=all and G_MESSAGES_DEBUG=all set:

[12:54:36:337] [22337:23447] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

I'm limited in what I can provide as this is work-related.

Notify maintainers

@melsigl @ryantm

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.0.10, NixOS, 22.11 (Raccoon), 22.11.20221130.596a8e8`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.0`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@cyntheticfox
Contributor Author

Seems related to the OpenSSL bump, since forcing openssl = openssl_1_1; in the freerdp callPackage gets it to work.

@pietdevries94
Contributor

@houstdav000 Thanks for the tip. For the people like me, who need this to work for their job or anything, here is the workaround:

environment.systemPackages = with pkgs; [
  (remmina.override { freerdp = (freerdp.override { openssl = pkgs.openssl_1_1; }); })
];

@mikkel1156

My logs pointed to the issue being that OpenSSL is looking for the certificates in OpenSSL inside the nix-store (which doesn't exist of course) instead of the OS one. Turning off certificate verification for my connection was a simpler solution for me.

@Majiir
Contributor

Majiir commented Jan 30, 2023

Do you still have this issue if you use Remmina 1.4.29 from nixos-unstable?

@cyntheticfox
Contributor Author

cyntheticfox commented Jan 30, 2023

Well, I don't have this specific issue anymore. Instead of getting ERRCONNECT_TLS_CONNECT_FAILED (0x00020008), I now get ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] with a BIO_read returned a system error 11: Resource temporarily unavailable shortly before, which I suppose I'll need to look up separately now.

EDIT: Oh cool, now I seem to get either of these errors when running the same thing multiple times

@graham33
Contributor

I have the same issue. It definitely seems to be trying to use a non-existent etc/ssl/certs dir in the openssl directory in the nix store:

[22:18:02:047] [42704:42718] [ERROR][com.freerdp.core.gateway.http] - 401690765E7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/nix/store/4mxnw95jcm5a27qk60z7yc0gvxp42b9a-openssl-3.0.7/etc/ssl/certs)

ls /nix/store/4mxnw95jcm5a27qk60z7yc0gvxp42b9a-openssl-3.0.7/etc/ssl/certs
ls: cannot access '/nix/store/4mxnw95jcm5a27qk60z7yc0gvxp42b9a-openssl-3.0.7/etc/ssl/certs': No such file or directory

I worked around it temporarily with the following overlay:

self: super: {
  freerdp = super.freerdp.override {
    openssl = self.openssl_1_1;
  };
}

In terms of root cause, I haven't investigated in detail, but I wonder if it also makes sense to patch X509_CERT_DIR as well as X509_CERT_FILE (https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/openssl/use-etc-ssl-certs.patch#L8), since it looks like we're rming the dir in the openssl postInstall: https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/openssl/default.nix#L198

@cyntheticfox
Contributor Author

This is starting to hurt a little more with the pending deprecation of OpenSSL v1.1.1 and subsequent marking of the package as insecure.

I might try and see if patching the cert files works

@levigross
Contributor

This issue has been resolved by setting SSL_CERT_DIR in the remmina wrapper https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/applications/networking/remote/remmina/default.nix#L70
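
Added example, not part of the thread or of nixpkgs: a shell sketch for confirming that a TLS failure like the one above comes from a missing CA directory on the client, by extracting the path from the `calling stat(...)` log line and checking the directories OpenSSL will search (`SSL_CERT_DIR` if set, otherwise the compiled-in `OPENSSLDIR/certs`). The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch: function names are illustrative, not part of
# FreeRDP, Remmina or nixpkgs.

# Pull the path out of an OpenSSL "calling stat(<path>)" error line.
stat_path_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*calling stat(\([^)]*\)).*/\1/p'
}

# Directories OpenSSL searches for CA certificates, one per line:
# SSL_CERT_DIR (colon-separated) if set, else the compiled-in OPENSSLDIR/certs.
effective_cert_dirs() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR" | tr ':' '\n'
    else
        openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1\/certs/p'
    fi
}

# "present" if the path exists as a directory, otherwise "missing".
cert_dir_state() {
    if [ -d "$1" ]; then echo present; else echo missing; fi
}

# Print the state of every effective directory; return 1 if any is missing.
check_cert_dirs() {
    rc=0
    dirs=$(effective_cert_dirs)
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        state=$(cert_dir_state "$d")
        printf '%s: %s\n' "$d" "$state"
        [ "$state" = present ] || rc=1
    done <<EOF
$dirs
EOF
    return "$rc"
}

# Optional: pass a FreeRDP/OpenSSL error line as the first argument.
if [ $# -gt 0 ]; then
    p=$(stat_path_from_log "$1")
    [ -n "$p" ] && printf 'log path %s: %s\n' "$p" "$(cert_dir_state "$p")"
    check_cert_dirs
fi
```

A "missing" result for the path in the log, followed by "present" once `SSL_CERT_DIR` points at the system certificate directory, indicates the failure was in locating the trust store rather than in the server's certificate.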
