Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
forward secrecy support with openssl 1.0.2 #1023
I'm trying to configure tls_ciphers to use something with forward secrecy. I've tried to use the same ciphers list I use for apache httpd (so it's tested and it works) but was not able to get a connection working with XRDP when using these.
Starting point (it works like this):
xrdp logs will show
As far as I know AES256-GCM-SHA384 doesn't provide any forward secrecy. If the server private key is leaked all previously recorded traffic could be decrypted.
So I tried the following:
Trying to connect with xfreerdp or the Windows remote desktop client doesn't work in this case, TLS handshake fails. For example xfreerdp shows
and the xrdp logs are showing
Is it me doing something wrong or is this a bug / unsupported cipher(s)?
Tested clients are Fedora 27 using freerdp 2.0 and Windows 10 remote desktop client
Actually turns out this might be a limitation of the current xrdp code when using openssl 1.0.2 (which is what CentOS / Red Hat are shipping) vs. the newer openssl 1.1 shipped in Fedora. According to the official openssl wiki  the Perfect Forward Secrecy cipher suite must be explicitly enabled in the application or it will be silently ignored. I looked for the mentioned code in xrdp but I didn't found anything like that.
I can also confirm Red Hat / CentOS is patching their default httpd daemon package to activate the Perfect Forward Secrecy cipher suite as can be found in