This repository was archived by the owner on Jul 5, 2022. It is now read-only.
Implement certificate validation and storage, such that when the user accepts a certificate with the ui_check_certificate callback it does not mark it is checked as valid on the next connection.
Change current behavior in xfreerdp where an invalid certificate only shows a warning, instead of requesting explicit acceptance from the user on the command-line.
Implement similar certificate checking mechanism for older RDP certificates (non-TLS), where the certificate is asked for acceptance and then stored in a certificate store if accepted. On the next connection, the certificate should be validated if it is present in the certificate store.
@otavio: I didn't have the time yet to really get into it, I barely added a prompt in xfreerdp, which I ended up disabling because there is no certificate store yet.
I think I won't have enough time to work on this in the near future. The solution is to implement a complete certificate store, where certificates are stored along with the appropriate behavior. For instance, the certificate prompt would ask the user if he accepts or denies the certificate, and if this acceptance should be made permanent or only remain temporary. Whenever the behavior is permanently stored, we should save the certificate in a certificate store, along with the chosen behavior, such that next time the certificate is seen, it is checked against its stored version, and avoids asking the user again.
I guess that mstsc.exe stores the certificates somewhere in the registry. I am wondering how we should approach this problem: should we implement this using files, or using an sqlite database? Files might be an approach closer to ssh, but there is some additional work that needs to be done for parsing and storing the information. With sqlite, it'll all be contained within a single file, and we could easily query on it (select * from certificates where fingerprint == '..').
I am wondering if Ubuntu provides some sort of general certificate store that we could re-use. I do not know much, however, about the format of certificates used with RDP encryption. For TLS, it's well known.
Got any ideas? There's definitely some good amount of work to be done in order to complete this task.
@awakecoding I think we ought to avoid using a database when possible. We already use .freerdp on the xpunlimited extension and it seems like the simplest and easiest way to go.
The parsing ought to be easy to write and we avoid the dependency against sqlite or whatever.
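A sketch of the file-based, ssh-style store discussed in this thread, as an added example that is not FreeRDP code and not written by either commenter. The function names, the one-line-per-host `host fingerprint` file format, refusing a changed certificate, and refusing the connection when a permanent acceptance cannot be saved are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum cert_status { CERT_UNKNOWN, CERT_MATCH, CERT_MISMATCH };
enum user_choice { DENY, ACCEPT_ONCE, ACCEPT_ALWAYS };

/* Hypothetical store format: one "host fingerprint" pair per line. */
enum cert_status cert_store_check(const char *path, const char *host, const char *fp)
{
    char h[256], f[128];
    enum cert_status st = CERT_UNKNOWN;
    FILE *fh = fopen(path, "r");
    if (!fh)
        return CERT_UNKNOWN; /* no store yet, so nothing is trusted */
    while (st == CERT_UNKNOWN && fscanf(fh, "%255s %127s", h, f) == 2)
        if (strcmp(h, host) == 0)
            st = strcmp(f, fp) == 0 ? CERT_MATCH : CERT_MISMATCH;
    fclose(fh);
    return st;
}

/* Append a permanently accepted certificate; never shadows an existing entry. */
int cert_store_add(const char *path, const char *host, const char *fp)
{
    FILE *fh;
    if (!*host || !*fp || strlen(host) > 255 || strlen(fp) > 127 ||
        strpbrk(host, " \t\r\n\v\f") || strpbrk(fp, " \t\r\n\v\f"))
        return -1; /* would corrupt the line format */
    if (cert_store_check(path, host, fp) != CERT_UNKNOWN)
        return -1;
    if (!(fh = fopen(path, "a")))
        return -1;
    fprintf(fh, "%s %s\n", host, fp);
    return fclose(fh) == 0 ? 0 : -1;
}

/* Returns 1 to proceed with the connection, 0 to refuse it. */
int cert_decide(const char *path, const char *host, const char *fp, enum user_choice choice)
{
    switch (cert_store_check(path, host, fp)) {
    case CERT_MATCH:    return 1; /* stored and unchanged: no prompt needed */
    case CERT_MISMATCH: return 0; /* assumption: a changed certificate is refused */
    default:            break;    /* unknown: apply the prompt answer */
    }
    if (choice == ACCEPT_ALWAYS)
        return cert_store_add(path, host, fp) == 0; /* fails closed if not saved */
    return choice == ACCEPT_ONCE;
}
```

The `choice` argument stands in for the answer from the certificate prompt; a temporary acceptance (`ACCEPT_ONCE`) lets the session proceed without writing anything, so the same host is prompted for again on the next connection.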