id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host
11745,VRDP (RDP) server not enforcing specified encryption => Fixed in SVN,rshaw,,"I filed this as a blocker as this is a major security vulnerability.

Following the directions described [http://www.virtualbox.org/manual/ch07.html#vrde-crypt here], I have generated certificates using openssl and have instructed VirtualBox to use those certificates for a specified VM.

{{{
openssl req -new -x509 -days 365 -extensions v3_ca \
-keyout ca_key_private.pem -out ca_cert.pem
}}}

{{{
openssl genrsa -out server_key_private.pem
}}}

{{{
openssl req -new -key server_key_private.pem -out server_req.pem
}}}

{{{
openssl x509 -req -days 365 -in server_req.pem \
-CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem
}}}

{{{
vboxmanage modifyvm ""TestVM"" --vrdeproperty ""Security/Method=TLS""
}}}

{{{
vboxmanage modifyvm ""TestVM"" \
--vrdeproperty ""Security/CACertificate=/home/ryan/rdp/ca_cert.pem""
}}}

{{{
vboxmanage modifyvm ""TestVM"" \
--vrdeproperty ""Security/ServerCertificate=/home/ryan/rdp/server_cert.pem""
}}}

{{{
vboxmanage modifyvm ""TestVM"" \
--vrdeproperty ""Security/ServerPrivateKey=/home/ryan/rdp/server_key_private.pem""
}}}

vboxmanage showvminfo confirms these settings are set

{{{
vboxmanage showvminfo ""TestVM""
}}}

{{{
...
VRDE property: TCP/Ports = ""5000-5049""
VRDE property: TCP/Address =
VRDE property: VideoChannel/Enabled =
VRDE property: VideoChannel/Quality =
VRDE property: VideoChannel/DownscaleProtection =
VRDE property: Client/DisableDisplay =
VRDE property: Client/DisableInput =
VRDE property: Client/DisableAudio =
VRDE property: Client/DisableUSB =
VRDE property: Client/DisableClipboard =
VRDE property: Client/DisableUpstreamAudio =
VRDE property: Client/DisableRDPDR =
VRDE property: H3DRedirect/Enabled =
VRDE property: Security/Method = ""TLS""
VRDE property: Security/ServerCertificate = ""/home/ryan/rdp/server_cert.pem""
VRDE property: Security/ServerPrivateKey = ""/home/ryan/rdp/server_key_private.pem""
VRDE property: Security/CACertificate = ""/home/ryan/rdp/ca_cert.pem""
VRDE property: Audio/RateCorrectionMode =
...
}}}

Start the VM, and try to connect to the RDP session with rdesktop-vrdp

{{{
rdesktop-vrdp localhost:5000
}}}

No prompts are received about trusting any certificates - the session simply connects. Confirming this:

{{{
vboxmanage showvminfo ""TestVM"" --details
}}}

{{{
...
VRDE Connection: active
Clients so far: 6
Start time: 2013/04/23 14:12:25 UTC
Sent: 0 Bytes
Average speed: 0 B/s
Sent total: 0 Bytes
Received: 0 Bytes
Speed: 0 B/s
Received total: 0 Bytes
User name:
Domain:
Client name:
Client IP:
Client version: 0
Encryption: RDP4
...
}}}

Note the encryption is specified as RDP4, NOT TLS as requested. The first command issued, {{{--vrdeproperty ""Security/Method=TLS""}}} states:

{{{
TLS - only Enhanced RDP Security is accepted. The client must support TLS.
}}}

This is not being enforced.",defect,closed,RDP,VirtualBox 4.2.12,fixed,RDP encryption VRDP server,,all,Linux