Collaborator

@lixmal lixmal commented Oct 10, 2025

Describe your changes

  • Use TLS1.2 for CredSSP
  • Return proper rdcleanpath errors
  • Add 15 sec dial timeout

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

netbirdio/docs#447

Copilot AI review requested due to automatic review settings October 10, 2025 11:24
Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds TLS version selection logic for RDP connections to ensure compatibility with CredSSP (Network Level Authentication) on Windows 11 and Server 2025. The change detects whether NLA/CredSSP is required by analyzing X.224 protocol responses and forces TLS 1.2 when CredSSP is detected, as CredSSP is incompatible with TLS 1.3.

  • Added X.224 response parsing to detect CredSSP requirements
  • Modified TLS configuration to force TLS 1.2 when CredSSP is detected
  • Removed unused plain connection setup code

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
client/wasm/internal/rdp/rdcleanpath_handlers.go Added CredSSP detection logic and removed unused plain connection method
client/wasm/internal/rdp/cert_validation.go Modified TLS configuration to conditionally use TLS 1.2 for CredSSP compatibility

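The detection step the review above describes, as an added example in Go that is not code from this PR or from the NetBird repository: it parses the TPKT-framed X.224 Connection Confirm the server sends back, reads the RDP_NEG_RSP or RDP_NEG_FAILURE structure appended to it (MS-RDPBCGR 2.2.1.2.1 and 2.2.1.2.2), and caps the client `tls.Config` at TLS 1.2 when the server selected PROTOCOL_HYBRID or PROTOCOL_HYBRID_EX, i.e. CredSSP. The function names, the policy of refusing a server that falls back to Standard RDP Security, and the use of `tls.Config.MaxVersion` as the way to force TLS 1.2 are this example's assumptions; the three sample PDUs are constructed, not captured.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
)

// selectedProtocol values from the RDP Negotiation Response (MS-RDPBCGR 2.2.1.2.1).
// PROTOCOL_HYBRID and PROTOCOL_HYBRID_EX mean the server requires CredSSP (NLA).
const (
	ProtocolRDP      uint32 = 0x00000000
	ProtocolSSL      uint32 = 0x00000001
	ProtocolHybrid   uint32 = 0x00000002
	ProtocolRDSTLS   uint32 = 0x00000004
	ProtocolHybridEx uint32 = 0x00000008
)

// Type byte of the negotiation structure that follows the X.224 Connection Confirm.
const (
	typeNegRsp     byte = 0x02 // RDP_NEG_RSP
	typeNegFailure byte = 0x03 // RDP_NEG_FAILURE
)

// NegotiationResult is the outcome of parsing the server's X.224 Connection Confirm.
type NegotiationResult struct {
	SelectedProtocol uint32 // valid when Failed is false
	FailureCode      uint32 // valid when Failed is true
	Failed           bool
}

// RequiresCredSSP reports whether the server selected a CredSSP (NLA) protocol.
func (r NegotiationResult) RequiresCredSSP() bool {
	return !r.Failed && (r.SelectedProtocol == ProtocolHybrid || r.SelectedProtocol == ProtocolHybridEx)
}

// ParseX224ConnectionConfirm parses a TPKT-framed X.224 Connection Confirm TPDU
// plus the optional 8-byte RDP negotiation structure that follows it.
func ParseX224ConnectionConfirm(pdu []byte) (NegotiationResult, error) {
	var res NegotiationResult
	// TPKT header: version 3, reserved byte, 16-bit big-endian total length.
	if len(pdu) < 11 || pdu[0] != 0x03 {
		return res, errors.New("short or non-TPKT PDU")
	}
	if int(binary.BigEndian.Uint16(pdu[2:4])) != len(pdu) {
		return res, errors.New("TPKT length does not match PDU size")
	}
	// X.224: length indicator, then the CC TPDU code 0xD0 (low nibble is CDT).
	li := int(pdu[4])
	if pdu[5]&0xF0 != 0xD0 {
		return res, fmt.Errorf("expected X.224 Connection Confirm, got TPDU code 0x%02x", pdu[5])
	}
	if 5+li != len(pdu) {
		return res, errors.New("X.224 length indicator does not match PDU size")
	}
	// Fixed part after LI is code(1) dst-ref(2) src-ref(2) class(1) = 6 bytes;
	// LI == 6 means no negotiation data: the server fell back to Standard RDP Security.
	if li == 6 {
		res.SelectedProtocol = ProtocolRDP
		return res, nil
	}
	neg := pdu[11:] // type(1) flags(1) length(2, LE, always 8) value(4, LE)
	if len(neg) != 8 || binary.LittleEndian.Uint16(neg[2:4]) != 8 {
		return res, errors.New("malformed RDP negotiation structure")
	}
	value := binary.LittleEndian.Uint32(neg[4:8])
	switch neg[0] {
	case typeNegRsp:
		res.SelectedProtocol = value
	case typeNegFailure:
		res.Failed = true
		res.FailureCode = value
	default:
		return res, fmt.Errorf("unknown negotiation type 0x%02x", neg[0])
	}
	return res, nil
}

// TLSConfigFor derives the client TLS configuration from the negotiation result.
// Assumption of this example: CredSSP is accommodated by capping the handshake at
// TLS 1.2 via MaxVersion; a legacy Standard RDP Security fallback is refused.
func TLSConfigFor(res NegotiationResult, base *tls.Config) (*tls.Config, error) {
	if res.Failed {
		return nil, fmt.Errorf("server rejected negotiation, failureCode 0x%08x", res.FailureCode)
	}
	if res.SelectedProtocol == ProtocolRDP {
		return nil, errors.New("server selected Standard RDP Security; refusing non-TLS transport")
	}
	cfg := &tls.Config{}
	if base != nil {
		cfg = base.Clone()
	}
	cfg.MinVersion = tls.VersionTLS12
	if res.RequiresCredSSP() {
		cfg.MaxVersion = tls.VersionTLS12 // CredSSP does not work over TLS 1.3
	}
	return cfg, nil
}

// Constructed sample Connection Confirm PDUs (TPKT + X.224 CC + negotiation structure).
var (
	sampleHybridCC  = []byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}
	sampleSSLCC     = []byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x00, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00}
	sampleFailureCC = []byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x03, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00, 0x00} // HYBRID_REQUIRED_BY_SERVER
)

func main() {
	for name, pdu := range map[string][]byte{"hybrid": sampleHybridCC, "ssl": sampleSSLCC, "failure": sampleFailureCC} {
		res, err := ParseX224ConnectionConfirm(pdu)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		cfg, err := TLSConfigFor(res, nil)
		if err != nil {
			fmt.Println(name, "cannot proceed:", err)
			continue
		}
		fmt.Printf("%s: selectedProtocol=0x%x credssp=%v maxTLS=0x%04x\n", name, res.SelectedProtocol, res.RequiresCredSSP(), cfg.MaxVersion)
	}
}
```

In a real client the PDU handed to `ParseX224ConnectionConfirm` is the first TPKT read from the socket after sending the X.224 Connection Request; because the negotiation response is parsed before the TLS handshake starts, the TLS version cap can be decided per server rather than globally.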

@lixmal lixmal requested a review from Copilot October 10, 2025 11:42
Contributor

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.



@lixmal lixmal merged commit 000e99e into main Oct 13, 2025
36 of 37 checks passed
@lixmal lixmal deleted the fix-credssp-tls branch October 13, 2025 15:50
hurricanehrndz added a commit to hurricanehrndz/netbird that referenced this pull request Oct 24, 2025
* upstream/main: (135 commits)
  [signal] Fix HTTP/WebSocket proxy not using custom certificates (netbirdio#4644)
  [client] Fix active profile name in debug bundle (netbirdio#4689)
  [management] Add peer disapproval reason (netbirdio#4468)
  [misc] Update tag name extraction in install.sh (netbirdio#4677)
  [client] Clean up match domain reg entries between config changes (netbirdio#4676)
  [client] Delete TURNConfig section from script (netbirdio#4639)
  [client] Security upgrade alpine from 3.22.0 to 3.22.2 netbirdio#4618
  [client] Fix status showing P2P without connection (netbirdio#4661)
  [client] Support BROWSER env for login (netbirdio#4654)
  [client] Remove rule squashing (netbirdio#4653)
  Handle the case when the service has already been down and the status recorder is not available (netbirdio#4652)
  [client] Set default wg port for new profiles (netbirdio#4651)
  [client] Add bind activity listener to bypass udp sockets (netbirdio#4646)
  [client] Fix missing flag values in profiles (netbirdio#4650)
  [management] feat: Basic PocketID IDP integration (netbirdio#4529)
  [client] Force TLS1.2 for RDP with Win11/Server2025 for CredSSP compatibility (netbirdio#4617)
  [misc] Add service definition for netbird-signal (netbirdio#4620)
  [management] pass temporary flag to validator (netbirdio#4599)
  [client] Explicitly disable DNSOverTLS for systemd-resolved (netbirdio#4579)
  [management] sync all other peers on peer add/remove (netbirdio#4614)
  ...