ThinOS 8.6 and SHA384?

Post #106311 by Pangolin (Participant)

    Hello all,

    Like some of you I’ve recently hit the issue that 9.1 does not offer passthrough of smartcard (or much else) to WVD/RDP, which really mucks up my plan of smartcard login to a RDS gateway/farm. The only way forward at the moment would be to revert to (gulp) 8.6.x which does support smartcard passthrough to RDS/WVD. Simple, right?

    Wrong.

    The passthrough was confirmed with direct RDP sessions etc, but the client (5070 running 8.6.807) would not connect to the gateway at all – it seemed that the TLS setup was stalling completely. After a lot of head scratching I think I have worked out the issue. The certificates I was using for the RDS were RSA with the SHA384 signature hash algorithm.

    This was confirmed, first by using a self-signed RSA cert with SHA256, then an identical CA-issued cert with SHA384 swapped for SHA256. I’m fairly sure SHA384 is a part of the TLS 1.2 spec, so what is wrong with ThinOS 8.6? (Note: the same SHA384 certs work fine with the 9.1 clients.)

    As a further annoyance, if you get past this gateway connection issue, you also hit a SHA384 hash issue with the smartcards as well, if they hold SHA384 user certs. It does not mention a TLS error and fails in a generic ‘logon failed’ kind of way. If you log in with username and password, the smartcard works normally inside the RDS session itself.

    I think (and please correct me if I’m wrong) that ThinOS 8.6.x has a limitation (or bug?) in its TLS stack that prevents local handling of SHA384 certs. This would explain the TS gateway session setup failure and the inability to perform thin client controlled logon using smartcards that require processing of SHA384 hashes.

    Anyone else seen this? I cannot find any documentation of this and have reported it to Dell. Really, really annoying double fail here – ideally they would sort out 9.1 passthrough.

    -Rob-
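The diagnosis above came from swapping certificates by hand. A quicker pre-check, before downgrading a client to 8.6.x, is to read the signature algorithm straight out of the gateway, RD Web and smartcard user certificates. The script below is an added example, not code from the poster or from Dell: it parses the outer `signatureAlgorithm` field of an X.509 certificate (PEM or DER) with only the Python standard library and flags SHA384. The two sample "certificates" are constructed minimal DER structures that exercise the parser offline; they are not valid certificates, and the ThinOS behaviour it warns about is exactly what the post reports, nothing more.

```python
"""
Report the signature hash algorithm of an X.509 certificate (PEM or DER)
using only the Python standard library. Added example for the thread
above, not code from the poster or from Dell. Assumption carried over
from the post: ThinOS 8.6.x fails TLS setup against SHA384-signed certs.
"""
import base64
import re
import sys

# Signature algorithm OIDs -> (hash, key type). Common values only.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("SHA1", "RSA"),
    "1.2.840.113549.1.1.11": ("SHA256", "RSA"),
    "1.2.840.113549.1.1.12": ("SHA384", "RSA"),
    "1.2.840.113549.1.1.13": ("SHA512", "RSA"),
    "1.2.840.113549.1.1.10": ("RSA-PSS (hash in params)", "RSA"),
    "1.2.840.10045.4.1": ("SHA1", "ECDSA"),
    "1.2.840.10045.4.3.2": ("SHA256", "ECDSA"),
    "1.2.840.10045.4.3.3": ("SHA384", "ECDSA"),
    "1.2.840.10045.4.3.4": ("SHA512", "ECDSA"),
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_bytes):
    """Return (dotted OID, hash name, key type) from the certificate's outer
    signatureAlgorithm field. Accepts PEM or DER input."""
    if b"-----BEGIN" in cert_bytes:
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      cert_bytes, re.S)
        cert_bytes = base64.b64decode(m.group(1))
    tag, cert, _ = _read_tlv(cert_bytes, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)          # signatureAlgorithm SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(alg_id, 0)   # first element is the OID
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_raw)
    hash_name, key_type = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, hash_name, key_type


def uses_sha384(cert_bytes):
    """True when the signature hash is SHA384, the case the post reports
    ThinOS 8.6.x cannot handle."""
    return signature_algorithm(cert_bytes)[1] == "SHA384"


def as_pem(der):
    """Wrap DER bytes in PEM armour (for testing the PEM path)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der)
            + b"\n-----END CERTIFICATE-----\n")


def _fake_cert(oid_der):
    """Constructed minimal DER: empty tbsCertificate, the given
    AlgorithmIdentifier (OID + NULL params) and an empty BIT STRING.
    Not a valid certificate; it only exercises the parser offline."""
    alg_id = bytes([0x30, len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body


# Constructed samples: sha384WithRSAEncryption and sha256WithRSAEncryption.
SAMPLE_RSA_SHA384 = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c")
SAMPLE_RSA_SHA256 = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")

if __name__ == "__main__":
    # Usage: python check_sig_hash.py gateway.crt rdweb.crt user.cer
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            oid, h, k = signature_algorithm(f.read())
        flag = "  <-- SHA384: expect ThinOS 8.6.x failure" if h == "SHA384" else ""
        print(f"{path}: {k} with {h} ({oid}){flag}")
```

Run it against every certificate in the chain the thin client will see (gateway, RD Web, the issuing CA) and against an exported smartcard user certificate; any SHA384 result is a candidate for the stall the post describes. The check reads the outer signature field only, so an RSA-PSS certificate is reported with its hash left unresolved since PSS carries the hash in the algorithm parameters.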
