Hello Nick, Mike,

"Guacamole kind of already supports" – can you please clarify how this is 
supposed to work, especially in a Docker environment? The documentation lacks 
anything on exposing a certificate store or on how to prepopulate it with trusted 
certs. Or am I blind?

Thanks, Joachim

From: Joachim Lindenberg <joac...@lindenberg.one> 
Sent: Saturday, 28 March 2020 20:19
To: user@guacamole.apache.org
Subject: RE: freerdp support for certificate fingerprints - also with Guacamole?

Hi Nick,

Thanks for following up. However, afaik this requires someone to run a FreeRDP 
client manually in the same environment that Guacamole is using, and against all 
relevant hosts.

If you want to run Guacamole with Docker, then this is pretty cumbersome to do. 
Also, certificates expire, and one would then have to redo the manual work.

At least in my scenario, I can provide the correct fingerprint dynamically at 
runtime.

Perhaps others should comment on what their experience is.

Thanks,

Joachim

From: Nick Couchman <vn...@apache.org> 
Sent: Saturday, 28 March 2020 20:06
To: user@guacamole.apache.org 
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?

On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me and 
looked at Microsoft's documentation on how to replace a self-signed certificate, 
there is a clear trade-off… and so far I am running Guacamole on the same 
physical host as the virtual machines it interfaces to, but I guess this is a 
rather atypical scenario. You may also argue that NLA/CredSSP is used after the TLS 
connection is established and mitigates the risk, but from a privacy pov at 
least you disclose communication metadata (including the PDU for Hyper-V 
connections) prior to that, and if you are located in Europe like me, 
discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate 
fingerprints, starting with https://github.com/FreeRDP/FreeRDP/pull/5880. I am 
already leveraging that when my software interfaces to wfreerdp via the command 
line, but with Guacamole I cannot. I would definitely appreciate it if that could 
be added to Guacamole as well, probably as part of the connection properties.

Thanks & Best Regards, Joachim

Guacamole kind of already supports this - by default, the FreeRDP library tries 
to create a directory within the current user's home directory, and when Mike 
was implementing FreeRDP 2 support we ran into the fact that FreeRDP doesn't 
really take no for an answer anymore. So, you should be able to add 
certificates to this store that FreeRDP auto-creates and un-tick that Ignore 
Certificates box.

-Nick
