[MS-CSSP] Authentication Failure Notification with TLS Alerts


Problem description

I just fixed a bug in the FreeRDP server code with regard to NLA authentication failure, and it is something which I've never seen in the specs (MS-CSSP and related specs for NLA). When authentication fails, a TLS alert is sent by the Microsoft RDP server with the level set to fatal and the description code set to "Access Denied" (49). By default, OpenSSL just sends a close notification when closing the connection, which gives a level set to warning and a description code of 0.

The symptoms were a bit odd: Win7 mstsc would hang on the connection when NLA failed and the FreeRDP server had closed the connection with a close notify TLS alert. Win8 mstsc would detect the disconnection for some reason, unlike Win7 mstsc. After taking a packet capture between Win7 mstsc and Windows Server 2008 R2 and decrypting it in Wireshark (Network Monitor does not support TLS alerts apparently), I noticed that the Microsoft RDP server was closing the connection with an Access Denied (49) TLS alert. When mstsc gets this TLS alert during NLA, it immediately shows a password prompt again saying the credentials were invalid.

I modified the FreeRDP server to terminate the TLS connection with an Access Denied (49) TLS alert and boom, mstsc suddenly responds correctly to the TLS disconnection due to authentication failure. This resolves a long-standing mystery of how exactly mstsc "knew" that the disconnection was caused by an authentication failure, while there was no such explicit message described in NLA.

It's not really a question since I already know the answer, but I'm just reporting it so the specs can be updated accordingly. The only question I would have is if the Microsoft RDP server can make use of other TLS alert codes which are meaningful, so I can make sure that FreeRDP correctly makes use of them.

Good luck,

- Marc-Andre

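To make the difference described in the post concrete, here is an added example (not code from the post, from FreeRDP or from Microsoft) that encodes and decodes plaintext TLS alert records and tells the default OpenSSL close_notify (warning, 0) apart from the fatal access_denied (49) alert the Microsoft RDP server sends on NLA failure. The record bytes are constructed for the example; on the wire the alert is encrypted, so this is the form you would see after decrypting the capture in Wireshark, as the post describes.

```python
"""Added example: encode/decode TLS alert records (RFC 5246 layout) to
distinguish a graceful close_notify from the fatal access_denied alert
that signals an NLA authentication failure to mstsc."""
import struct

CONTENT_TYPE_ALERT = 21           # TLS record ContentType alert(21)
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values relevant to this discussion.
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 49: "access_denied"}


def encode_alert(level: int, description: int, version=(3, 3)) -> bytes:
    """Build a plaintext alert record: type(1) version(2) length(2) level(1) desc(1)."""
    header = struct.pack("!BBBH", CONTENT_TYPE_ALERT, version[0], version[1], 2)
    return header + bytes([level, description])


def decode_alert(record: bytes) -> dict:
    """Parse a plaintext alert record and name its level and description."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT or length != 2 or len(record) != 5 + length:
        raise ValueError("not a well-formed TLS alert record")
    level, desc = record[5], record[6]
    return {"version": (vmaj, vmin),
            "level_code": level, "level": ALERT_LEVEL.get(level, f"unknown({level})"),
            "desc_code": desc, "description": ALERT_DESC.get(desc, f"unknown({desc})")}


def classify_rdp_shutdown(record: bytes) -> str:
    """What an alert seen right after the NLA exchange means to the client/analyst."""
    a = decode_alert(record)
    if a["level_code"] == 2 and a["desc_code"] == 49:
        return "nla_auth_failure"   # server rejected the credentials; mstsc re-prompts
    if a["desc_code"] == 0:
        return "graceful_close"     # close_notify carries no authentication verdict
    return "other_alert"


# Constructed records: OpenSSL's default shutdown vs. the Microsoft RDP server's alert.
CLOSE_NOTIFY = encode_alert(1, 0)     # warning, close_notify
ACCESS_DENIED = encode_alert(2, 49)   # fatal, access_denied

if __name__ == "__main__":
    for rec in (CLOSE_NOTIFY, ACCESS_DENIED):
        print(rec.hex(), decode_alert(rec), classify_rdp_shutdown(rec))
```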
Recommended answer

Hi Marc-Andre, thank you for your question. A member of the protocol documentation team will respond to you soon.
