
We use OpenSSL on a CentOS 6 server to monitor the certificate on servers for RDP.

To do this we use:

openssl s_client -connect SERVER01:3389 -prexit

This had worked flawlessly until 4 days ago, when it suddenly stopped showing that a cert is used and instead shows the following for a single server:

CONNECTED(00000003)
140439032170136:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1539710511
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1539710511
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I have seen that older versions of OpenSSL caused this error, but since the version hasn't changed (1.0.1e) and it was working, I cannot see what is wrong.

I've also tried resetting the server's RDP cert, but again no change.

neildeadman
  • So RDP TLS connections are working, the issue is the OpenSSL test is failing? – Greg Askew Oct 16 '18 at 19:30
  • That is correct. Suddenly, after years of working, it stopped for this one server. Others work as per normal. The OpenSSL server can access it so it's not the firewall, and I have tested from other systems and get the same result. – neildeadman Oct 16 '18 at 20:32
  • I ran into the same issue a few days ago. Was nobody able to come up with a solution? – Daywalker Apr 29 '21 at 07:01
  • It sounds like your RDP isn't listening over SSL anymore. I think you're looking at OpenSSL, but the problem is on the RDP side. – surfingonthenet May 03 '21 at 17:53
  • What happens when you execute the openssl command on another valid HTTPS IP:port? – surfingonthenet May 03 '21 at 17:54
  • @surfingonthenet OpenSSL is working as expected. The issue started after a dist upgrade to 20.04 LTS. I found this https://github.com/GoSecure/pyrdp where I am currently trying to extract all the necessary bits from pyrdp-clonecert.py because this is working. I just don't understand why it ever worked in the first place, as I have found on https://corelight.blog/2020/05/13/analyzing-encrypted-rdp-connections/ that there is a protocol called X.224 that needs to be done before TLS is even initiated. So in my understanding this should never have worked in the first place? Or did OpenSSL remove something? – Daywalker May 04 '21 at 06:32
  • @Daywalker, yep, that sounds it's not working over SSL/TLS. If you execute the same openssl command to another service with no SSL (i.e. to port 80), you'll get a similar result – surfingonthenet May 04 '21 at 17:57
  • @surfingonthenet But I'd still like to know why it was working before... Anybody here who is good at studying a changelogs from Openssl (included in Ubuntu 18.04 LTS to 20.04 LTS)? – Daywalker May 04 '21 at 18:57
  • I'd check for cipher suite or TLS version default changes between 18.04 and 20.04. The newer OS might default to a more secure set that doesn't have any matches with what is enabled on the Windows server. You might also be able to see the mismatch in a packet capture during the TLS handshake. – Ryan Bolger May 05 '21 at 16:25
  • Can you make sure that there is no deep inspection firewall in between which may stop the traffic? – Bernhard Nov 03 '21 at 12:39

0 Answers