libxrdp: added an option to enforce security layer in xrdp.ini

common/xrdp_client_info.h

@@ -106,7 +106,7 @@ struct xrdp_client_info
   char client_addr[256];
   char client_port[256];
 
-  int nego_sec_layer; /* 0, 1, 2 = RDP security layer, TLS , Negotiate */
+  int security_layer; /* 0 = rdp, 1 = tls , 2 = hybrid */
   int multimon; /* 0 = deny , 1 = allow */
   int monitorCount; /* number of monitors detected (max = 16) */
   struct monitor_info minfo[16]; /* client monitor data */

libxrdp/xrdp_rdp.c

@@ -156,6 +156,28 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
                 client_info->use_fast_path = 0;
             }
         }
+        else if (g_strcasecmp(item, "security_layer") == 0)
+        {
+            if (g_strcasecmp(value, "rdp") == 0)
+            {
+                client_info->security_layer = 1;
+            }
+            else if (g_strcasecmp(value, "tls") == 0)
+            {
+                client_info->security_layer = 2;
+            }
+            else if (g_strcasecmp(value, "hybrid") == 0)
+            {
+                client_info->security_layer = 3;
+            }
+            else
+            {
+                log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured security layer is"
+                          "undefined, xrdp will negotiate client compatible");
+                client_info->security_layer = -1;
+            }
+        }
+
     }
 
     list_delete(items);

xrdp/xrdp.ini

@@ -6,6 +6,7 @@ bitmap_cache=yes
 bitmap_compression=yes
 port=3389
 crypt_level=high
+security_layer=rdp
 allow_channels=true
 max_bpp=32
 fork=yes
@@ -46,7 +47,6 @@ bulk_compression=yes
 # You can set the PAM error text in a gateway setup (MAX 256 chars)
 #pamerrortxt=change your password according to policy at http://url
 new_cursors=yes
-#nego_sec_layer=0
 allow_multimon=true
 
 # fastpath - can be set to input / output / both / none