| author | runge <runge@karlrunge.com> | 2010-03-21 00:05:51 -0400 |
|---|---|---|
| committer | runge <runge@karlrunge.com> | 2010-03-21 00:05:51 -0400 |
| commit | 97540de56ca8a975ed31d86879d0e5c4cf169173 (patch) | |
| tree | 6c8c0a28c3559a15c6a76bed92dc2a4c62630914 /classes/ssl/README | |
| parent | edb79ae2b1d39bc12d489bcded74ab966e019994 (diff) | |
classes/ssl: Many improvements to Java SSL applet, onetimekey
serverCert param, debugging printout, user dialogs, catch
socket exceptions, autodetect x11vnc for GET=1.
x11vnc: misc/scripts: desktop.cgi, inet6to4, panner.pl.
X11VNC_HTTPS_DOWNLOAD_WAIT_TIME, -unixpw %xxx documented, and
can run user cmd in UNIXPW_CMD. FD_XDMCP_IF for create script,
autodetect dm on udp6 only. Queries: pointer_x, pointer_y,
pointer_same, pointer_root. Switch on -xkd if keysyms per key >
4 in all cases. daemon mode improvements for connect_switch,
inet6to4, ultravnc_repeater.pl. Dynamic change of -clip do
not create new fb if WxH is unchanged.
Diffstat (limited to 'classes/ssl/README')
| -rw-r--r-- | classes/ssl/README | 67 |
1 files changed, 50 insertions, 17 deletions
diff --git a/classes/ssl/README b/classes/ssl/README index 0767ce9..b244cf1 100644 --- a/classes/ssl/README +++ b/classes/ssl/README @@ -137,6 +137,15 @@ Both TightVNC and UltraVNC Java viewers: number, default: 50 Milliseconds delay + PASSWORD + string, default: none + VNC session password in plain text. + + ENCPASSWORD + string, default: none + VNC session password in encrypted in DES with KNOWN FIXED + key. It is a hex string. This is like the ~/.vnc/passwd format. + The following are added by x11vnc and/or ssvnc project 
@@ -173,16 +182,47 @@ Both TightVNC and UltraVNC Java viewers: oneTimeKey string, default: none - set a special hex "key" to correspond to an SSL X.509 cert. - See the 'onetimekey' helper script. Can also be PROMPT to - prompt the user to paste the hex key string in. + set a special hex "key" to correspond to an SSL X.509 cert+key. + See the 'onetimekey' helper script. Can also be PROMPT to prompt + the user to paste the hex key string in. + + This provides a Client-Side cert+key that the client will use to + authenticate itself by SSL To the VNC Server. + + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put oneTimeKey=... on the + URL. The Vncviewer authenticates the VNC server with this key. + + Note that there is currently a problem in that if x11vnc requires + Client Certificates the user cannot download the index.vnc HTML + and VncViewer.jar from the same x11vnc. Those need to come from + a different x11vnc or from a web server. + + Note that the HTTPS website can also put the VNC Password + (e.g. a temporary/one-time one) in the parameter PASSWORD. + The Java Applet will automatically supply this VNC password + instead of prompting. + + serverCert + string, default: none + set a special hex "cert" to correspond to an SSL X.509 cert + See the 'onetimekey -certonly' helper script. - This is to try to work around the problem that the Java - applet cannot keep an SSL keystore on disk, etc. - E.g. if they log into an HTTPS website via password they - are authenticated and encrypted, then the website can - safely put oneTimeKey=... on the URL. The Vncviewer - authenticates the VNC server with this key. + This provides a Server-Side cert that the client will authenticate + the VNC Server against by SSL. 
+ + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put serverCert=... on the + URL. + + Of course the VNC Server is sending this string to the Java + Applet, so this is only reasonable security if the VNC Viewer + already trusts the HTTPS retrieval of the URL + serverCert param + that it gets. This should be done over HTTPS not HTTP. proxyHost string, default: none @@ -238,15 +278,8 @@ TightVNC Java viewer only: UltraVNC Java viewer only: - PASSWORD - string, default: none - VNC session password in plain text. + None. - ENCPASSWORD - string, default: none - VNC session password in encrypted in DES with KNOWN FIXED - key. It is a hex string. This is like the ~/.vnc/passwd format. - The following are added by x11vnc and/or ssvnc project ftpDropDown |
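Review bot: In the first hunk (@@ -137,6 +137,15 @@), the ENCPASSWORD entry says the password is DES-encrypted "with KNOWN FIXED key" but never spells out the consequence: anyone who sees the hex string can recover the password, so ENCPASSWORD gives no more confidentiality than PASSWORD. Suggest saying so in one sentence and adding the same "over HTTPS not HTTP" caveat the serverCert text carries, since both values are handed to the applet as parameters. The wording "password in encrypted in DES" also has a stray "in"; now that the text is being moved it is a good time to fix it.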
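Review bot: In the second hunk (@@ -173,16 +182,47 @@), the oneTimeKey text contradicts itself. The new paragraph says the parameter is "a Client-Side cert+key that the client will use to authenticate itself by SSL To the VNC Server", yet the re-wrapped paragraph still ends "The Vncviewer authenticates the VNC server with this key." That last sentence should say the viewer authenticates itself to the VNC server; the server-authentication case is what the new serverCert parameter covers. Since oneTimeKey now explicitly carries a private key on the URL, it also deserves the explicit "This should be done over HTTPS not HTTP" statement that only the serverCert entry gets. In the serverCert entry, "Of course the VNC Server is sending this string to the Java Applet" reads oddly next to the preceding paragraph, where the HTTPS website is the one putting serverCert=... on the URL; please name which party supplies the value.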
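Review bot: In the third hunk (@@ -238,15 +278,8 @@), the new "None." under "UltraVNC Java viewer only:" is followed directly by "The following are added by x11vnc and/or ssvnc project" and ftpDropDown, so the section reads as both empty and non-empty. Suggest wording that limits "None." to the viewer's original parameters, or dropping the placeholder and letting the added-parameters list stand alone. The commit message also does not mention that PASSWORD and ENCPASSWORD are now documented for both viewers; a short note there would make the move easier to find later.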
