[server terminates connection] Upgrading from 2.x to 3.x SSL read errors after connect #10059

Closed
dolfinus opened this issue Apr 9, 2024 · 25 comments · Fixed by #10130

@dolfinus
Contributor

dolfinus commented Apr 9, 2024

Describe the bug

I'm connecting from a Manjaro Linux laptop to Windows Server 2016 Standard using Remmina with the RDP protocol. The Windows server is part of the domain, but my laptop is not part of the domain (that's important). The NLA security protocol is used.

When using FreeRDP 2.11.4 everything is fine: freerdp2_nla.txt

A few days ago the Manjaro package freerdp was upgraded:

[2024-04-04T21:42:27+0300] [ALPM] upgraded freerdp (2:2.11.4-1 -> 2:3.4.0-5)

After the upgrade, RDP connections started to fail: freerdp3_nla.txt

FreeRDP 3.x started using Kerberos for the NLA security scheme, but my laptop is not part of the domain and does not have a properly configured /etc/krb5.conf. The kinit command fails with the same error, Cannot find KDC for realm "MYREALM", as RDP does.

To Reproduce
Internal network, cannot provide full connection description.

Expected behavior

Users should be able to connect to a Windows Server in a domain without adding the device where the RDP client is running to the same domain, as it was on FreeRDP 2.x.

Screenshots

Application details

  • FreeRDP version (xfreerdp /version): libfreerdp 3.4.0
  • Command line used: -
  • Output of xfreerdp /buildconfig: -
  • OS version connecting to (server side): Windows Server 2016 Standard
  • If available the log output from a run with /log-level:trace 2>&1 | tee log.txt: see above
  • If you built it yourself add some notes which tag/commit/branch you have used, also your cmake parameters and
    compiler can help

Environment (please complete the following information):

  • OS: [e.g. Linux/Windows/Android/..]: Manjaro with Linux kernel 6.8.4-1
  • Version/Distribution: [e.g. Debian 10, Windows 2008, Android 10]
  • Architecture: [amd64, arm]: x86_64

Additional context

Thank you for reporting a bug!

@akallabeth
Member

@dolfinus

  1. can you retest with xfreerdp or sdl-freerdp?
  2. can you post your buildconfig?
  3. did you update remmina as well? (I don't think the old version can handle FreeRDP3)

I suspect a remmina bug with new freerdp3 as there have been many changes and some might have been missed. (did just successfully connect to our test domain with xfreerdp)

@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

can you retest with xfreerdp

Yes, just the same issue.

freerdp2_nla.txt - working as expected.
freerdp3_nla.txt - black screen.

can you post your buildconfig?

This is FreeRDP version 2.11.4 (2.11.4)
Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_AIO_H=1 HAVE_EXECINFO_BACKTRACE=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 HAVE_EXECINFO_H=ON HAVE_EXECINFO_HEADER=1 HAVE_FCNTL_H=1 HAVE_GETLOGIN_R=1 HAVE_GETPWUID_R=1 HAVE_INTTYPES_H=1 HAVE_JOURNALD_H=TRUE HAVE_MATH_C99_LONG_DOUBLE=1 HAVE_PIXMAN_REGION=OFF HAVE_POLL_H=1 HAVE_PTHREAD_MUTEX_TIMEDLOCK=ON HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 HAVE_SYSLOG_H=1 HAVE_SYS_EVENTFD_H=1 HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H=1 HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_SYS_TIMERFD_H=1 HAVE_TM_GMTOFF=1 HAVE_UNISTD_H=1 HAVE_XI_TOUCH_CLASS=1 WITH_ALSA=ON WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=TRUE WITH_FFMPEG=TRUE WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_IPP=OFF 
WITH_JPEG=ON WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBSYSTEMD=ON WITH_MACAUDIO=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSLES=OFF WITH_OPENSSL=ON WITH_OSS=ON WITH_PAM=ON WITH_PCSC=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_MODULES=OFF WITH_PULSE=ON WITH_SAMPLE=OFF WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_INSPECT=OFF WITH_SOXR=OFF WITH_SSE2=ON WITH_SWSCALE=ON WITH_THIRD_PARTY=OFF WITH_VAAPI=OFF WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_WAYLAND=ON WITH_WINPR_TOOLS=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XDAMAGE=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XKBFILE=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XSHM=ON WITH_XTEST=ON WITH_XV=ON WITH_ZLIB=ON
Build type:          None
CFLAGS:              -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -fPIC -Wall -Wno-unused-result -Wno-unused-but-set-variable -Wno-deprecated-declarations -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer -DWINPR_DLL
Compiler:            GNU, 13.2.1
Target architecture: x64

This is FreeRDP version 3.4.0 (n/a)
Build configuration: BUILD_TESTING=OFF WINPR_HAVE_AIO_H=1 WINPR_HAVE_EXECINFO_BACKTRACE=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 WINPR_HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 WINPR_HAVE_EXECINFO_HEADER=1 WINPR_HAVE_FCNTL_H=1 WINPR_HAVE_GETLOGIN_R=1 WINPR_HAVE_GETPWUID_R=1 WINPR_HAVE_INTTYPES_H=1 WINPR_HAVE_POLL_H=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIB=1 WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= WINPR_HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 WINPR_HAVE_STDBOOL_H=1 WINPR_HAVE_STDINT_H=1 WINPR_HAVE_STRNDUP=1 WINPR_HAVE_SYSLOG_H=1 WINPR_HAVE_SYS_EVENTFD_H=1 WINPR_HAVE_SYS_FILIO_H= WINPR_HAVE_SYS_SELECT_H=1 WINPR_HAVE_SYS_SOCKIO_H= WINPR_HAVE_SYS_TIMERFD_H=1 WINPR_HAVE_TM_GMTOFF=1 WINPR_HAVE_UNISTD_H=1 WINPR_HAVE_UNWIND_H=1 WITH_AAD=ON WITH_ABSOLUTE_PLUGIN_LOAD_PATHS=ON WITH_ADD_PLUGIN_TO_RPATH=OFF WITH_ALSA=ON WITH_BINARY_VERSIONING=ON WITH_CAIRO=OFF WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CLIENT_SDL=ON WITH_CLIENT_SDL_AVAILABLE=1 WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_CODECS=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_EVENTS=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SCHANNEL=OFF WITH_DEBUG_SDL_EVENTS=OFF WITH_DEBUG_SDL_KBD_EVENTS=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF 
WITH_DSP_EXPERIMENTAL=OFF WITH_DSP_FFMPEG=ON WITH_DSP_FFMPEG_AVAILABLE=1 WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=ON WITH_FREERDP_DEPRECATED=OFF WITH_FREERDP_DEPRECATED_COMMANDLINE=OFF WITH_FUSE=ON WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_ICU=ON WITH_INTERNAL_MD4=OFF WITH_INTERNAL_MD5=OFF WITH_INTERNAL_RC4=OFF WITH_IPP=OFF WITH_JPEG=ON WITH_KRB5=ON WITH_KRB5_NO_NTLM_FALLBACK=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBRESSL=OFF WITH_LODEPNG=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_NATIVE_SSPI=OFF WITH_NEON=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSC_PKCS11_LINKED=OFF WITH_OPENSSL=ON WITH_OPUS=OFF WITH_OSS=ON WITH_PCSC=ON WITH_PKCS11=ON WITH_PLATFORM_SERVER=ON WITH_POLL=ON WITH_PROFILER=OFF WITH_PROXY=ON WITH_PROXY_APP=ON WITH_PROXY_EMULATE_SMARTCARD=OFF WITH_PROXY_MODULES=ON WITH_PULSE=ON WITH_RDTK=ON WITH_SAMPLE=ON WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SDL_IMAGE_DIALOGS=OFF WITH_SDL_LINK_SHARED=ON WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_EMULATE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SMARTCARD_PCSC=ON WITH_SOXR=OFF WITH_SSE2=OFF WITH_SWSCALE=ON WITH_SYSTEMD=ON WITH_THIRD_PARTY=OFF WITH_UNICODE_BUILTIN=OFF WITH_URIPARSER=OFF WITH_VAAPI=OFF WITH_VAAPI_AVAILABLE=1 WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_VIDEO_FFMPEG=ON WITH_VIDEO_FFMPEG_AVAILABLE=1 WITH_WAYLAND=ON WITH_WEBVIEW=ON WITH_WEBVIEW_QT=OFF WITH_WINPR_DEPRECATED=OFF WITH_WINPR_TOOLS=ON WITH_WIN_CONSOLE=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XV=ON
Build type:          None
CFLAGS:              -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection -g -ffile-prefix-map=/build/freerdp/src=/usr/src/debug/freerdp -flto=auto -Wall -Wpedantic -Wno-padded -Wno-cast-align -Wno-declaration-after-statement -fPIC -Wall -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer
Compiler:            GNU, 13.2.1
Target architecture: x64

did you update remmina as well?

Yes, Remmina was built with -DWITH_FREERDP3=ON for freerdp3 and with -DWITH_FREERDP3=OFF for freerdp2. Otherwise it shows an error that the RDP plugin was not found.

@hardening
Contributor

Hum that's so strange, the connection seems to work perfectly and then we have that read retries exceeded on transport...

@akallabeth
Member

@dolfinus which openssl are you linking against?
from the logs:

  1. the authentication succeeds
  2. later the TLS read bails out with a failure
  3. reconnect is activated and the loop repeats

@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

$ openssl version
OpenSSL 3.2.1 30 Jan 2024

@dolfinus dolfinus changed the title Upgdaring from 2.x to 3.x broken NLA security schema Upgrading from 2.x to 3.x break NLA security schema Apr 9, 2024
@akallabeth
Member

@dolfinus and your command line? (might help understanding what is going on here, this is very strange)

@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

xfreerdp /v:host:port /cert:ignore /sec:nla /d:myrealm /u:username

RDP server uses self-signed certificate

@akallabeth
Member

@dolfinus ok, then where is the auto-reconnect in the logs from?

@akallabeth akallabeth changed the title Upgrading from 2.x to 3.x break NLA security schema Upgrading from 2.x to 3.x SSL read errors after connect Apr 9, 2024
@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

where is the auto-reconnect in the logs from?

I don't understand the question. I've changed log level to TRACING and redirected all the outputs to a file. That's it.

@akallabeth
Member

log entries like these are not possible with your command line:

[18:03:43:407] [133216:00020861] [DEBUG][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport_read_pdu() - -1
[18:03:43:407] [133216:00020861] [DEBUG][com.freerdp.core.rdp] - [rdp_check_fds][0x58c9db0a03e0]: transport_check_fds() - -1
[18:03:43:407] [133216:00020861] [DEBUG][com.freerdp.core] - [freerdp_check_fds]: rdp_check_fds() - -1
[18:03:43:407] [133216:00020861] [INFO][com.freerdp.client.common] - [client_auto_reconnect_ex]: Network disconnect!
[18:03:43:407] [133216:00020861] [INFO][com.freerdp.client.common] - [client_auto_reconnect_ex]: Attempting reconnect (1 of 20)
[18:03:43:407] [133216:00020861] [INFO][com.freerdp.client.common] - [client_common_retry_dialog]: [connection] retry 1/20, delaying 15000ms before next attempt

@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

Why do you think so?

@akallabeth
Member

because of the settings required to reach that code?
FreeRDP_AutoReconnectionEnabled = TRUE but default is FALSE except when /auto-reconnect is added on command line?

@dolfinus
Contributor Author

dolfinus commented Apr 9, 2024

My freerdp package was installed using Arch Linux package manager, I haven't built it myself. But I don't see anything like that in a build configuration.

I didn't pass /auto-reconnect option to xfreerdp either. More than that, if I pass -auto-reconnect to disable this, I still see Attempting reconnect (1 of 20) in logs

@akallabeth
Member

akallabeth commented Apr 10, 2024

@dolfinus ok, did find the reason for that, need to check if that is actually what should happen.

settings->AutoReconnectionEnabled = (extraFlags & AUTORECONNECT_SUPPORTED) ? TRUE : FALSE;

followed by

settings->AutoReconnectionEnabled = src->AutoReconnectionEnabled;

can activate it too.

anyway, the main thing is I can't find anything in the logs that details why the connection breaks up.

can you do a git bisect between current master branch and stable-2.0 branch?
you don't need to package, just:

git clone https://github.com/freerdp/freerdp
cd freerdp
git bisect start
git bisect bad
git checkout stable-2.0
git bisect good
cmake -GNinja -Bbuild-freerdp -S. -DCMAKE_INSTALL_PREFIX=/tmp/freerdp

then for each commit in the bisect:

cmake --build build-freerdp --target install && /tmp/freerdp/bin/xfreerdp <your args>

and depending on if it works/does not work/does not compile
git bisect good, git bisect bad or git bisect skip until you have the first broken commit?

NOTE: you might need to install build dependencies.

@dolfinus
Contributor Author

Tracked down to 7cef0cb

@akallabeth
Member

@dolfinus does not look like the commit is correct, no changes to transport or similar.

@dolfinus
Contributor Author

dolfinus commented Apr 23, 2024

b5e8b419b is fine:
/tmp/freerdp/bin/xfreerdp /v:hostname /cert:ignore /sec:nla /d:admsk /u:msmarty5 /log-level:TRACE 2>&1 > b5e8b419b.log
b5e8b419b.log

[12:32:24:416] [175655:175656] [DEBUG][com.freerdp.core.rdp] - recv Monitor Layout Data PDU (0x37), length: 42
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - recv Synchronize Data PDU (0x1F), length: 22
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - [CONNECTION_STATE_FINALIZATION] received flag FINALIZE_SC_SYNCHRONIZE_PDU| [0x0001]
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - [CONNECTION_STATE_FINALIZATION] received flag FINALIZE_SC_CONTROL_COOPERATE_PDU| [0x0002]
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - recv Control Data PDU (0x14), length: 26
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - [CONNECTION_STATE_FINALIZATION] received flag FINALIZE_SC_CONTROL_GRANTED_PDU| [0x0004]
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - recv Font Map Data PDU (0x28), length: 26
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.rdp] - [CONNECTION_STATE_FINALIZATION] received flag FINALIZE_SC_FONT_MAP_PDU| [0x0008]
[12:32:24:516] [175655:175656] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_FINALIZATION --> CONNECTION_STATE_ACTIVE

7cef0cb8d is failing:
/tmp/freerdp/bin/xfreerdp /v:hostname /cert:ignore /sec:nla /d:admsk /u:msmarty5 /log-level:TRACE 2>&1 > 7cef0cb8d.log
7cef0cb8d.log

[12:34:10:392] [179155:179156] [DEBUG][com.freerdp.core.rdp] - recv Monitor Layout Data PDU (0x37), length: 42
[12:34:10:493] [179155:179156] [DEBUG][com.freerdp.core.transport] - transport_check_fds: transport_read_pdu() - -1
[12:34:10:493] [179155:179156] [DEBUG][com.freerdp.core.rdp] - transport_check_fds() - -1
[12:34:10:494] [179155:179156] [DEBUG][com.freerdp.core.rdp] - [CONNECTION_STATE_FINALIZATION] reset finalize_sc_pdus
[12:34:10:494] [179155:179156] [DEBUG][com.freerdp.core.connection] - rdp_client_transition_to_state CONNECTION_STATE_FINALIZATION --> CONNECTION_STATE_INITIAL

@dolfinus
Contributor Author

dolfinus commented Apr 23, 2024

I cannot compile commits from 2021 and 2022 because they are not compatible with modern OpenSSL and FFmpeg 6. So there can be a commit with kerberos/auth issue, but I cannot even build it.

But transport_read_pdu() - -1 appears in logs of latest commit in master branch, just before Network disconnect! message:

/tmp/freerdp/bin/xfreerdp /v:hostname /cert:ignore /sec:nla /d:admsk /u:msmarty5 /log-level:TRACE 2>&1 > master.log
master.log

[12:58:39:611] [195060:0002f9f5] [DEBUG][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport_read_pdu() - -1
[12:58:39:611] [195060:0002f9f5] [DEBUG][com.freerdp.core.rdp] - [rdp_check_fds][0x55d6d3ba23e0]: transport_check_fds() - -1
[12:58:39:611] [195060:0002f9f5] [DEBUG][com.freerdp.core] - [freerdp_check_fds]: rdp_check_fds() - -1
[12:58:39:611] [195060:0002f9f5] [INFO][com.freerdp.client.common] - [client_auto_reconnect_ex]: Network disconnect!
[12:58:39:613] [195060:0002f9f5] [DEBUG][com.freerdp.core.rdp] - [rdp_finalize_reset_flags][0x55d6d3ba23e0]: [CONNECTION_STATE_FINALIZATION_CLIENT_SYNC] reset finalize_sc_pdus
[12:58:39:613] [195060:0002f9f5] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x55d6d3ba23e0]: CONNECTION_STATE_FINALIZATION_CLIENT_SYNC --> CONNECTION_STATE_INITIAL

So this may be related.

@akallabeth
Member

akallabeth commented Apr 23, 2024

@dolfinus to me this looks like the remote end has a bug.

  • can you get log files from the remote why it terminates connection?
  • can you identify which change in that commit exactly triggered the problem?

we did fix a lot of protocol violations and that might be one of these cases. (might be wrong, but I got a strong suspicion)
the commit you reference fixes the capability settings to the ones agreed upon by client and server (previously they were not always consistent)

@dolfinus
Contributor Author

I have no access to remote server logs, I'm not an administrator.

@akallabeth
Member

do you know, by chance, which software is running there? might be able to check if that is known. (doubt it is a direct connection to Windows Server 2016 Standard)

@akallabeth
Member

as for where there might be the reason:
in capabilities.c we added a few checks. (just ignore new settings, just the changed read functions now split into read and apply you can revert one by one and check where it breaks)

@akallabeth akallabeth changed the title Upgrading from 2.x to 3.x SSL read errors after connect [server terminates connection] Upgrading from 2.x to 3.x SSL read errors after connect Apr 23, 2024
@dolfinus
Contributor Author

dolfinus commented Apr 23, 2024

I've built xfreerdp with WITH_DEBUG_CAPABILITIES=1:

cmake -GNinja -Bbuild-freerdp -S. --fresh -DCMAKE_INSTALL_PREFIX=/tmp/freerdp -DWITH_DEBUG_CAPABILITIES=1

Here are logs:
b5e8b419b.log
7cef0cb8d.log
master.log

The difference is here:
b5e8b419b

Sending 
GeneralCapabilitySet (length 20):
	osMajorType: 0x0001
	osMinorType: 0x0003
	protocolVersion: 0x0200

vs. 7cef0cb8d:

Sending 
GeneralCapabilitySet (length 20):
	osMajorType: 0x0004
	osMinorType: 0x0007
	protocolVersion: 0x0000

This is caused by:
7cef0cb8d#diff-23782638b8d86b1e888e5cc37a2b4789ddc107c5321803ab4bce2b99563c7aebL253

If I patch master:

diff --git a/libfreerdp/core/capabilities.c b/libfreerdp/core/capabilities.c
index f59b956a8..0762e30d7 100644
--- a/libfreerdp/core/capabilities.c
+++ b/libfreerdp/core/capabilities.c
@@ -166,6 +166,7 @@ static BOOL rdp_apply_general_capability_set(rdpSettings* settings, const rdpSet
                settings->OsMinorType = src->OsMinorType;
        }
 
+       settings->CapsProtocolVersion = src->CapsProtocolVersion;
        settings->NoBitmapCompressionHeader = src->NoBitmapCompressionHeader;
        settings->LongCredentialsSupported = src->LongCredentialsSupported;
        settings->AutoReconnectionPacketSupported = src->AutoReconnectionPacketSupported;
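
Review bot: the added `settings->CapsProtocolVersion = src->CapsProtocolVersion;` sits after the closing brace of the block that holds the OsMinorType copy, so it runs unconditionally and applies whatever value src carries. Since the capability dumps in this thread show 0x0200 in the working build and 0x0000 in the failing one, consider checking src->CapsProtocolVersion against the expected value (or logging a warning) before applying it, and add a short comment plus a regression test asserting that the emitted GeneralCapabilitySet never carries a zero protocolVersion.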

then RDP is working properly:
master_patched.log

This solves #10060 as well.
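
The regression traced in this thread comes down to one 16-bit field in the General Capability Set, and the earlier auto-reconnect surprise to one bit of extraFlags in the same set. As an added example (not FreeRDP code and not written by anyone in the thread), this C check parses the 20-byte set body using the field order from MS-RDPBCGR 2.2.7.1.1 and rejects any protocolVersion other than 0x0200. All function and type names are hypothetical; the sample bytes are constructed from the values in the two capability dumps above, with the remaining fields made up.

```c
/* Added example: validate the 20-byte body of an RDP General Capability Set.
 * Field order per MS-RDPBCGR 2.2.7.1.1, after the 4-byte set header.
 * All names here are hypothetical; this is not FreeRDP code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GENERAL_CAPS_BODY_LEN 20u
#define TS_CAPS_PROTOCOLVERSION 0x0200u /* only value the spec permits */
#define AUTORECONNECT_SUPPORTED 0x0008u /* extraFlags bit */

typedef enum { CAPS_OK = 0, CAPS_SHORT = -1, CAPS_BAD_VERSION = -2 } caps_status;

typedef struct
{
	uint16_t osMajorType, osMinorType, protocolVersion, extraFlags;
	int autoReconnect; /* decoded from extraFlags */
} general_caps;

/* Constructed samples: the first three fields match the two logs in the
 * thread; extraFlags (0x0409) and the zeroed remainder are made up. */
const uint8_t SAMPLE_GOOD[20] = { 0x01, 0x00, 0x03, 0x00, 0x00, 0x02, 0, 0, 0, 0,
	                              0x09, 0x04, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t SAMPLE_BAD[20] = { 0x04, 0x00, 0x07, 0x00, 0x00, 0x00, 0, 0, 0, 0,
	                             0x09, 0x04, 0, 0, 0, 0, 0, 0, 0, 0 };

static uint16_t rd16le(const uint8_t* p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

caps_status parse_general_caps(const uint8_t* body, size_t len, general_caps* out)
{
	if (!body || !out || len < GENERAL_CAPS_BODY_LEN)
		return CAPS_SHORT; /* never read past a truncated set */
	out->osMajorType = rd16le(body + 0);
	out->osMinorType = rd16le(body + 2);
	out->protocolVersion = rd16le(body + 4);
	/* body+6: pad2octetsA, body+8: compressionTypes (not needed here) */
	out->extraFlags = rd16le(body + 10);
	out->autoReconnect = (out->extraFlags & AUTORECONNECT_SUPPORTED) != 0;
	/* Fields are filled in either way so the caller can log what was sent. */
	return out->protocolVersion == TS_CAPS_PROTOCOLVERSION ? CAPS_OK : CAPS_BAD_VERSION;
}

int main(void)
{
	general_caps c;
	const uint8_t* samples[] = { SAMPLE_GOOD, SAMPLE_BAD };
	for (int i = 0; i < 2; i++)
	{
		caps_status s = parse_general_caps(samples[i], GENERAL_CAPS_BODY_LEN, &c);
		printf("os=0x%04x/0x%04x protocolVersion=0x%04x autoReconnect=%d -> %s\n",
		       c.osMajorType, c.osMinorType, c.protocolVersion, c.autoReconnect,
		       s == CAPS_OK ? "ok" : "rejected");
	}
	return 0;
}
```

A check of this shape in a unit test over the serialized capability set would flag a zeroed protocolVersion before it reaches a server.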

@dolfinus
Contributor Author

Created #10130

@akallabeth
Member

@dolfinus nice catch, great work! thank you!
