feat(server): add PreSecured transport mode for pre-encrypted connections #1210
Closed
Greg Lamberson (glamberson) wants to merge 1 commit into Devolutions:master from
…ions Add RdpServerSecurity::PreSecured for deployments where the transport is already secured (TLS WebSocket proxy, SSH tunnel, vsock, etc.). PreSecured advertises PROTOCOL_SSL during X.224 negotiation so the client sees Enhanced RDP Security, but skips the TLS handshake since the underlying stream is already encrypted. The GCC Server Security Data contains ENCRYPTION_LEVEL_NONE, which is the correct response under Enhanced RDP Security per MS-RDPBCGR Section 5.4.1. This is spec-conformant unlike RdpServerSecurity::None, which advertises PROTOCOL_RDP (Standard RDP Security) with zero encryption -- a combination normatively prohibited by Section 5.3.2.
Contributor
Author
Per discussion on #1201, this isn't a workable or correct solution at all. Closing.
Add RdpServerSecurity::PreSecured for deployments where the transport is already secured (TLS WebSocket proxy, SSH tunnel, vsock, etc.).
PreSecured advertises PROTOCOL_SSL during X.224 negotiation so the client sees Enhanced RDP Security, but skips the TLS handshake since the underlying stream is already encrypted. The GCC Server Security Data contains ENCRYPTION_LEVEL_NONE, which is the correct response under Enhanced RDP Security per MS-RDPBCGR Section 5.4.1.
This is spec-conformant unlike RdpServerSecurity::None, which advertises PROTOCOL_RDP (Standard RDP Security) with zero encryption, a combination normatively prohibited by Section 5.3.2.
Adds with_pre_secured() to the builder API alongside the existing with_no_security(), with_tls(), and with_hybrid() methods.
Context: discussion on #1201 about the right way to handle pre-secured transports in IronRDP.
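The two advertised combinations the description contrasts can be told apart on the wire from the server's X.224 negotiation response and its GCC Server Security Data. The sketch below is an added example, not IronRDP code and not part of the pull request: it assumes the RDP_NEG_RSP and TS_UD_SC_SEC1 byte layouts from MS-RDPBCGR, and every function and type name in it is hypothetical.

```rust
// Added example, not IronRDP code. Constant values and field offsets follow
// MS-RDPBCGR (RDP_NEG_RSP, TS_UD_SC_SEC1); all names here are hypothetical.
const TYPE_RDP_NEG_RSP: u8 = 0x02;
const PROTOCOL_RDP: u32 = 0; // Standard RDP Security; PROTOCOL_SSL is 1
const SC_SECURITY: u16 = 0x0C02; // GCC Server Security Data block type
const ENCRYPTION_LEVEL_NONE: u32 = 0;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    EnhancedNoRdpEncryption, // e.g. PROTOCOL_SSL + ENCRYPTION_LEVEL_NONE
    EnhancedWithRdpLevel,    // Enhanced selected, yet an RDP level is set
    StandardEncrypted,       // PROTOCOL_RDP with a non-zero level
    StandardUnencrypted,     // PROTOCOL_RDP + ENCRYPTION_LEVEL_NONE
}

fn u16_le(b: &[u8], off: usize) -> Option<u16> {
    let s = b.get(off..off + 2)?;
    Some(u16::from_le_bytes([s[0], s[1]]))
}
fn u32_le(b: &[u8], off: usize) -> Option<u32> {
    let s = b.get(off..off + 4)?;
    Some(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Classifies what a server advertised, from its 8-byte RDP_NEG_RSP and its
/// TS_UD_SC_SEC1 block. Returns None on malformed input. These PDUs cannot
/// show whether the outer transport is actually encrypted.
pub fn classify(neg_rsp: &[u8], sc_sec: &[u8]) -> Option<Verdict> {
    if neg_rsp.len() != 8 || neg_rsp[0] != TYPE_RDP_NEG_RSP || u16_le(neg_rsp, 2)? != 8 {
        return None;
    }
    let selected = u32_le(neg_rsp, 4)?;
    if u16_le(sc_sec, 0)? != SC_SECURITY || u16_le(sc_sec, 2)? as usize != sc_sec.len() {
        return None;
    }
    let level = u32_le(sc_sec, 8)?; // encryptionMethod is at offset 4
    Some(match (selected == PROTOCOL_RDP, level == ENCRYPTION_LEVEL_NONE) {
        (false, true) => Verdict::EnhancedNoRdpEncryption,
        (false, false) => Verdict::EnhancedWithRdpLevel,
        (true, false) => Verdict::StandardEncrypted,
        (true, true) => Verdict::StandardUnencrypted,
    })
}

fn main() { // constructed sample bytes: PROTOCOL_SSL response, level NONE
    let neg: [u8; 8] = [0x02, 0, 8, 0, 1, 0, 0, 0];
    let sec: [u8; 12] = [0x02, 0x0C, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    println!("{:?}", classify(&neg, &sec));
}
```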