Forum Discussion

Niels_van_Sluis
May 30, 2024

EC certificate breaks remote desktop

Today I ran into a problem while trying to access a remote desktop via an APM webtop. APM will simply not respond when clicking on the remote desktop link. It turned out it stopped working after updating the certificate from RSA to EC. It seems RDP stops working when using an EC certificate. Below are some messages from /var/log/apm:

May 30 13:00:25 bigip debug tmm[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.56758 i 10.255.255.1.443: Received OOB request: Sign data with clientSSL RSA key
May 30 13:00:25 bigip debug tmm[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.56758 i 10.255.255.1.443: Could not request crypto: ERR_NOT_FOUND

After changing the certificate and key from EC to RSA, the remote desktop links in the webtop started working again. The debug log isn't showing the 'Could not request crypto: ERR_NOT_FOUND' message anymore; instead, it's sending an OOB reply. See the logging below.

May 30 14:37:35 bigip debug tmm3[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.64486 i 10.255.255.1.443: Received OOB request: Sign data with clientSSL RSA key
May 30 14:37:35 bigip debug tmm3[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.64486 i 10.255.255.1.443: Sending OOB reply

Hope this info will help anyone who runs into the same issue.


  • Thanks for the clear explainer and data.

    This RDP mechanism has to create a cryptographic signature based on the vip's private RSA key and place it into the .RDP file that is transmitted to the client immediately after a user clicks that link. It doesn't support any other types of private keys, and will produce the error you've encountered if the SSL profile on the vip does not have an RSA key.

    At a quick glance, BIG-IP itself seems to generically support these types of private keys: RSA, SM2, ECDSA, and DSA.


    This stack overflow thread seems to indicate that EC certs must use ECDSA keys and are disallowed from using RSA keys:

    https://stackoverflow.com/questions/35155239/can-ecdsa-certificates-have-rsa-signature


    So I guess the answer is that this RDP mechanism in BIG-IP does not yet support ECDSA certificates. Please feel free to open a support ticket to request this support, and mention this DC thread so the support person has the background information.
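As an added example (not code from either poster or from F5), here is a small parser that correlates the "Sign data with clientSSL RSA key" OOB request with its outcome per client connection in /var/log/apm, so an operator can spot which virtual servers have an SSL profile without an RSA key before users report broken webtop RDP links. The line layout is inferred from the two excerpts above, and the sample log lines are constructed to match them.

```python
import re

# Constructed sample lines, modelled on the /var/log/apm excerpts in the thread:
# one connection that fails (EC-only SSL profile) and one that succeeds (RSA key present).
SAMPLE_LOG = """\
May 30 13:00:25 bigip debug tmm[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.56758 i 10.255.255.1.443: Received OOB request: Sign data with clientSSL RSA key
May 30 13:00:25 bigip debug tmm[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.56758 i 10.255.255.1.443: Could not request crypto: ERR_NOT_FOUND
May 30 13:00:26 bigip notice tmm[11236]: 01490000:5: unrelated line that must be skipped
May 30 14:37:35 bigip debug tmm3[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.64486 i 10.255.255.1.443: Received OOB request: Sign data with clientSSL RSA key
May 30 14:37:35 bigip debug tmm3[11236]: 019cffff:7: /Common/ap_webtop_ipv6test:Common:00000000: RD: [C] 192.168.178.13.64486 i 10.255.255.1.443: Sending OOB reply
"""

# Assumed layout: "<ts> <host> debug tmmN[pid]: <msgid>: <policy>:<partition>:<id>: RD: [C] <client> i <vip>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) debug (?P<proc>tmm\d*)\[\d+\]: \S+ "
    r"(?P<policy>/[^:]+):[^:]+:[^:]+: RD: \[C\] (?P<client>\S+) i (?P<vip>\S+): (?P<msg>.*)$"
)

REQUEST = "Received OOB request: Sign data with clientSSL RSA key"
REPLY = "Sending OOB reply"
NO_KEY = "Could not request crypto: ERR_NOT_FOUND"


def classify_rdp_signing(log_text):
    """Map each client connection to the outcome of its RDP-file signing request.

    status is 'pending' (request seen, no outcome yet), 'signed' (OOB reply sent)
    or 'no_rsa_key' (ERR_NOT_FOUND: the SSL profile on the VIP has no RSA key).
    """
    outcomes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a remote-desktop (RD) webtop line
        client, msg = m["client"], m["msg"]
        if msg.startswith(REQUEST):
            outcomes[client] = {"policy": m["policy"], "vip": m["vip"], "status": "pending"}
        elif client in outcomes and msg.startswith(REPLY):
            outcomes[client]["status"] = "signed"
        elif client in outcomes and NO_KEY in msg:
            outcomes[client]["status"] = "no_rsa_key"
    return outcomes


def failing_vips(log_text):
    """Return sorted (policy, vip) pairs whose SSL profile cannot sign the .RDP file."""
    return sorted({(o["policy"], o["vip"]) for o in classify_rdp_signing(log_text).values()
                   if o["status"] == "no_rsa_key"})


if __name__ == "__main__":
    for policy, vip in failing_vips(SAMPLE_LOG):
        print(f"{policy} on {vip}: RDP signing failed, SSL profile needs an RSA key")
```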