Added command line option /cert-tofu

client/common/cmdline.c

@@ -139,6 +139,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
 	{ "tls-ciphers", COMMAND_LINE_VALUE_REQUIRED, "<netmon|ma|ciphers>", NULL, NULL, -1, NULL, "Allowed TLS ciphers" },
 	{ "cert-name", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL, "certificate name" },
 	{ "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "ignore certificate" },
+	{ "cert-tofu", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Automatically accept certificate on first connect" },
 	{ "pcb", COMMAND_LINE_VALUE_REQUIRED, "<blob>", NULL, NULL, -1, NULL, "Preconnection Blob" },
 	{ "pcid", COMMAND_LINE_VALUE_REQUIRED, "<id>", NULL, NULL, -1, NULL, "Preconnection Id" },
 	{ "spn-class", COMMAND_LINE_VALUE_REQUIRED, "<service class>", NULL, NULL, -1, NULL, "SPN authentication service class" },
@@ -2220,6 +2221,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 		{
 			settings->IgnoreCertificate = TRUE;
 		}
+		CommandLineSwitchCase(arg, "cert-tofu")
+		{
+			settings->AutoAcceptCertificate = TRUE;
+		}
 		CommandLineSwitchCase(arg, "authentication")
 		{
 			settings->Authentication = arg->Value ? TRUE : FALSE;

include/freerdp/settings.h

@@ -635,6 +635,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
 #define FreeRDP_CertificateContent 1416
 #define FreeRDP_PrivateKeyContent	1417
 #define FreeRDP_RdpKeyContent		1418
+#define FreeRDP_AutoAcceptCertificate		1419
 
 #define FreeRDP_Workarea					1536
 #define FreeRDP_Fullscreen					1537
@@ -1056,7 +1057,8 @@ struct rdp_settings
 	ALIGN64 char *CertificateContent; /* 1416 */
 	ALIGN64 char *PrivateKeyContent; /* 1417 */
 	ALIGN64 char* RdpKeyContent; /* 1418 */
-	UINT64 padding1472[1472 - 1419]; /* 1419 */
+	ALIGN64 BOOL AutoAcceptCertificate; /* 1419 */
+	UINT64 padding1472[1472 - 1420]; /* 1420 */
 	UINT64 padding1536[1536 - 1472]; /* 1472 */
 
 	/**

libfreerdp/common/settings.c

@@ -912,6 +912,9 @@ BOOL freerdp_get_param_bool(rdpSettings* settings, int id)
 		case FreeRDP_IgnoreCertificate:
 			return settings->IgnoreCertificate;
 
+		case FreeRDP_AutoAcceptCertificate:
+			return settings->AutoAcceptCertificate;
+
 		case FreeRDP_ExternalCertificateManagement:
 			return settings->ExternalCertificateManagement;
 
@@ -1363,6 +1366,10 @@ int freerdp_set_param_bool(rdpSettings* settings, int id, BOOL param)
 			settings->IgnoreCertificate = param;
 			break;
 
+		case FreeRDP_AutoAcceptCertificate:
+			settings->AutoAcceptCertificate = param;
+			break;
+
 		case FreeRDP_ExternalCertificateManagement:
 			settings->ExternalCertificateManagement = param;
 			break;

libfreerdp/crypto/tls.c

@@ -1273,9 +1273,19 @@ int tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname, int por
 							common_name, alt_names,
 							alt_names_count);
 
-			if (instance->VerifyCertificate)
+			/* Automatically accept certificate on first use */
-				accept_certificate = instance->VerifyCertificate(instance, common_name,
+			if (tls->settings->AutoAcceptCertificate)
-																				 subject, issuer, fingerprint, !hostname_match);
+			{
+				WLog_INFO(TAG, "No certificate stored, automatically accepting.");
+				accept_certificate = 1;
+			}
+			else if (instance->VerifyCertificate)
+			{
+				accept_certificate = instance->VerifyCertificate(
+							     instance, common_name,
+							     subject, issuer,
+							     fingerprint, !hostname_match);
+			}
 
 			switch(accept_certificate)
 			{