xrdp is using RDP licensing

[akallabeth]

xrdp version

all?

Detailed xrdp version, build options

No response

Operating system & version

all

Installation method

Doesn't matter

Which backend do you use?

No response

What desktop environment do you use?

No response

Environment xrdp running on

No response

What's your client?

No response

Area(s) with issue?

No response

Steps to reproduce

https://github.com/FreeRDP/FreeRDP/discussions/10270#discussioncomment-9831837

1. configure FreeRDP and xrdp for FIPS
2. see connections failing due to use of RDP licensing (md4, rc4 and other stuff in use)

what I do not understand is why xrdp is sending this packet at all as RDP licensing is optional (and the security broken for ages)

✔️ Expected Behavior

connect

❌ Actual Behavior

fail

Anything else?

No response

[matt335672]

Thanks @akallabeth

I've just been through the docs and I agree - I can't see any point in issuing a Server License Request PDU.

I've also been through the Github history, and even gone to look at the old Sourceforge pages. This code has been in xrdp for ever, it seems - since 2005 anyway.

@jsorg71 - this may be an unfair question given how much time has elapsed, but are you aware of a good reason why we should be implementing [MS-RDPELE] ?

[jsorg71]

It's fair. Wow this goes back to the days before there was documentation. This was written in 2005 and the doc were released in about 2008.

[matt335672]

Technically it's easy enough to remove it for devel to see what happens. I don't know what to do about v0.10 however. Should we keep it in but disabled and provide a setting to re-enable it?

[akallabeth]

@matt335672 My 2 cents: since it is optional/useless (as documented in the protocol specs) and creates huge issues with newer OpenSSL (and others) (md4 and rc4 are then required client side to handle that stuff) it might break more to leave it as is than to remove it.