{
settings->AutoAcceptCertificate = enable;
}
+ CommandLineSwitchCase(arg, "cert-deny")
+ {
+ settings->AutoDenyCertificate = enable;
+ }
CommandLineSwitchCase(arg, "authentication")
{
settings->Authentication = enable;
{ "bitmap-cache", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "bitmap cache" },
{ "bpp", COMMAND_LINE_VALUE_REQUIRED, "<depth>", "16", NULL, -1, NULL, "Session bpp (color depth)" },
{ "buildconfig", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_BUILDCONFIG, NULL, NULL, NULL, -1, NULL, "Print the build configuration" },
+ { "cert-deny", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Automatically abort connection for any certificate that can not be validated." },
{ "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Ignore certificate" },
{ "cert-name", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL, "Certificate name" },
{ "cert-tofu", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Automatically accept certificate on first connect" },
#define FreeRDP_PrivateKeyContent (1417)
#define FreeRDP_RdpKeyContent (1418)
#define FreeRDP_AutoAcceptCertificate (1419)
+#define FreeRDP_AutoDenyCertificate (1420)
#define FreeRDP_Workarea (1536)
#define FreeRDP_Fullscreen (1537)
#define FreeRDP_PercentScreen (1538)
ALIGN64 char* PrivateKeyContent; /* 1417 */
ALIGN64 char* RdpKeyContent; /* 1418 */
ALIGN64 BOOL AutoAcceptCertificate; /* 1419 */
- UINT64 padding1472[1472 - 1420]; /* 1420 */
+ ALIGN64 BOOL AutoDenyCertificate; /* 1420 */
+ UINT64 padding1472[1472 - 1421]; /* 1421 */
UINT64 padding1536[1536 - 1472]; /* 1472 */
/**
case FreeRDP_IgnoreCertificate:
return settings->IgnoreCertificate;
+ case FreeRDP_AutoDenyCertificate:
+ return settings->AutoDenyCertificate;
+
case FreeRDP_AutoAcceptCertificate:
return settings->AutoAcceptCertificate;
settings->IgnoreCertificate = param;
break;
+ case FreeRDP_AutoDenyCertificate:
+ settings->AutoDenyCertificate = param;
+ break;
+
case FreeRDP_AutoAcceptCertificate:
settings->AutoAcceptCertificate = param;
break;
WLog_INFO(TAG, "No certificate stored, automatically accepting.");
accept_certificate = 1;
}
+ else if (tls->settings->AutoDenyCertificate)
+ {
+ WLog_INFO(TAG, "No certificate stored, automatically denying.");
+ accept_certificate = 0;
+ }
else if (instance->VerifyX509Certificate)
{
int rc = instance->VerifyX509Certificate(instance, pemCert, length, hostname,
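Review bot: The new `else if (tls->settings->AutoDenyCertificate)` branch is evaluated only after the preceding branch that sets `accept_certificate = 1`, which from its "automatically accepting" log line appears to be the AutoAcceptCertificate (`/cert-tofu`) path, so a command line carrying both flags silently accepts the unknown certificate. Deny is the fail-closed option and should win: move this branch ahead of the accept branch, or have the cmdline parsing (the `cert-deny` CommandLineSwitchCase hunk above) reject `/cert-deny` combined with `/cert-tofu` or `/cert-ignore`. If IgnoreCertificate short-circuits earlier in this function, as the `/cert-ignore` help text suggests, that path would bypass the deny setting as well and deserves the same precedence check. The enclosing if/else chain starts outside the hunk.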
WLog_WARN(TAG, "Failed to get certificate entry for %s:%d",
hostname, port);
- if (instance->VerifyX509Certificate)
+ if (tls->settings->AutoDenyCertificate)
+ {
+ WLog_INFO(TAG, "No certificate stored, automatically denying.");
+ accept_certificate = 0;
+ }
+ else if (instance->VerifyX509Certificate)
{
const int rc = instance->VerifyX509Certificate(instance, pemCert, length, hostname,
port, flags | VERIFY_CERT_FLAG_CHANGED);
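Review bot: The added deny branch logs `"No certificate stored, automatically denying."`, but this path is the changed-certificate case: the VerifyX509Certificate call it precedes passes `flags | VERIFY_CERT_FLAG_CHANGED`, and the preceding warning is about failing to load the stored entry, not about the host being unknown. A misleading log line matters here because a fingerprint change is exactly the event an operator looks for when investigating interception, so suggest `WLog_WARN(TAG, "Certificate for %s:%d changed, automatically denying.", hostname, port);` to keep it distinguishable from the first-connect deny in the earlier hunk. The surrounding branch starts outside the hunk.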