Diffstat (limited to 'webclients/ssl/README')
-rw-r--r-- | webclients/ssl/README | 338 |
1 files changed, 338 insertions, 0 deletions
diff --git a/webclients/ssl/README b/webclients/ssl/README new file mode 100644 index 0000000..b244cf1 --- /dev/null +++ b/webclients/ssl/README 
@@ -0,0 +1,338 @@ +This directory contains a patched Java applet VNC viewer that is SSL +enabled. + +The patches in the *.patch files are relative to the source tarball: + + tightvnc-1.3dev7_javasrc.tar.gz + +currently (4/06) available here: + + http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download + +It also includes some simple patches to: + + - fix richcursor colors + + - make the Java Applet cursor (not the cursor drawn to the canvas + framebuffer) invisible when it is inside the canvas. + + - allow Tab (and some other) keystrokes to be sent to the vnc + server instead of doing widget traversal. + + +This SSL applet should work with any VNC viewer that has an SSL tunnel in +front of it. It has been tested on x11vnc and using the stunnel tunnel +to other VNC servers. + +By default this Vnc Viewer will only do SSL. To do unencrypted traffic +see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc). + +Proxies: they are a general problem with java socket applets (a socket +connection does not go through the proxy). See the info in the proxy.vnc +file for a workaround. It uses SignedVncViewer.jar which is simply +a signed version of VncViewer.jar. The basic idea is the user clicks +"Yes" to trust the applet and then it can connect directly to the proxy +and issue a CONNECT request. + +This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun +Java plugin. It may not work on older releases or different vendor VM's. +Send full Java Console output for failures. + +--------------------------------------------------------------- +Tips: + +When doing single-port proxy connections (e.g. both VNC and HTTPS +thru port 5900) it helps to move through the 'do you trust this site' +dialogs quickly. x11vnc has to wait to see if the traffic is VNC or +HTTP and this can cause timeouts if you don't move thru them quickly. + +You may have to restart your browser completely if it gets into a +weird state. 
For one case we saw the JVM requesting VncViewer.class +even when no such file exists. + + +--------------------------------------------------------------- +Extras: + +ss_vncviewer (not Java): + + Wrapper script for native VNC viewer to connect to x11vnc in + SSL mode. Script launches stunnel(8) and then connects to it + via localhost which in turn is then redirected to x11vnc via an + SSL tunnel. stunnel(8) must be installed and available in PATH. + + +Running Java SSL VncViewer from the command line: + + From this directory: + + java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport> + + substitute <thehost> and <theport> with the actual values. + You can add any other parameters, e.g.: ignoreProxy yes + +--------------------------------------------------------------- +UltraVNC: + +The UltraVNC java viewer has also been patched to support SSL. Various +bugs in the UltraVNC java viewer were also fixed. This viewer can be +useful because is support UltraVNC filetransfer, and so it works on +Unix, etc. + +UltraViewerSSL.jar +SignedUltraViewerSSL.jar +ultra.vnc +ultraproxy.vnc +ultravnc-102-JavaViewer-ssl-etc.patch + +--------------------------------------------------------------- +Applet Parameters: + +Some additional applet parameters can be set via the URL, e.g. + + http://host:5800/?param=value + http://host:5800/ultra.vnc?param=value + https://host:5900/ultra.vnc?param=value + +etc. If running java from command line as show above, it comes +in as java ... VncViewer param value ... + +There is a limitation with libvncserver that param and value can +only be alphanumeric, underscore, "+" (for space), or "." + +We have added some applet parameters to the stock VNC java +viewers. Here are the applet parameters: + +Both TightVNC and UltraVNC Java viewers: + + HOST + string, default: none. + The Hostname to connect to. + + PORT + number, default: 0 + The VNC server port to connect to. + + Open New Window + yes/no, default: no + Run applet in separate frame. 
+ + Show Controls + yes/no, default: yes + Show Controls button panel. + + Show Offline Desktop + yes/no, default: no + Do we continue showing desktop on remote disconnect? + + Defer screen updates + number, default: 20 + Milliseconds delay + + Defer cursor updates + number, default: 10 + Milliseconds delay + + Defer update requests + number, default: 50 + Milliseconds delay + + PASSWORD + string, default: none + VNC session password in plain text. + + ENCPASSWORD + string, default: none + VNC session password in encrypted in DES with KNOWN FIXED + key. It is a hex string. This is like the ~/.vnc/passwd format. + + + The following are added by x11vnc and/or ssvnc project + + VNCSERVERPORT + number, default: 0 + Like PORT, but if there is a firewall this is the Actual VNC + server port. PORT might be a redir port on the firewall. + + DisableSSL + yes/no, default: no + Do unencrypted connection, no SSL. + + httpsPort + number, default: none + When checking for proxy, use this at the url port number. + + CONNECT + string, default: none + Sets to host:port for the CONNECT line to a Web proxy. + The Web proxy should connect us to it. + + GET + yes/no, default: no + Set to do a special HTTP GET (/request.https.vnc.connection) + to the vnc server that will cause it to switch to VNC instead. + This is to speedup/make more robust, the single port HTTPS and VNC + mode of x11vnc (e.g. both services thru port 5900, etc) + + urlPrefix + string, default: none + set to a string that will be prefixed to all URL's when contacting + the VNC server. Idea is a special proxy will use this to indicate + internal hostname, etc. + + oneTimeKey + string, default: none + set a special hex "key" to correspond to an SSL X.509 cert+key. + See the 'onetimekey' helper script. Can also be PROMPT to prompt + the user to paste the hex key string in. + + This provides a Client-Side cert+key that the client will use to + authenticate itself by SSL To the VNC Server. 
+ + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put oneTimeKey=... on the + URL. The Vncviewer authenticates the VNC server with this key. + + Note that there is currently a problem in that if x11vnc requires + Client Certificates the user cannot download the index.vnc HTML + and VncViewer.jar from the same x11vnc. Those need to come from + a different x11vnc or from a web server. + + Note that the HTTPS website can also put the VNC Password + (e.g. a temporary/one-time one) in the parameter PASSWORD. + The Java Applet will automatically supply this VNC password + instead of prompting. + + serverCert + string, default: none + set a special hex "cert" to correspond to an SSL X.509 cert + See the 'onetimekey -certonly' helper script. + + This provides a Server-Side cert that the client will authenticate + the VNC Server against by SSL. + + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put serverCert=... on the + URL. + + Of course the VNC Server is sending this string to the Java + Applet, so this is only reasonable security if the VNC Viewer + already trusts the HTTPS retrieval of the URL + serverCert param + that it gets. This should be done over HTTPS not HTTP. + + proxyHost + string, default: none + Do not try to guess the proxy's hostname, use the value in + proxyHost. Does not imply forceProxy (below.) + + proxyPort + string, default: none + Do not try to guess the proxy's port number, use the value in + proxyPort. Does not imply forceProxy (below.) + + forceProxy + yes/no, default: no + Assume there is a proxy and force its use. 
+ + If a string other than "yes" or "no" is given, it implies "yes" + and uses the string for proxyHost and proxyPort (see above). + In this case the string must be of the form "hostname+port". + Note that it is "+" and not ":" before the port number. + + ignoreProxy + yes/no, default: no + Don't check for a proxy, assume there is none. + + trustAllVncCerts + yes/no, default: no + Automatically trust any cert received from the VNC server + (obviously this could be dangerous and lead to man in the + middle attack). Do not ask the user to verify any of these + certs from the VNC server. + + trustUrlVncCert + yes/no, default: no + Automatically trust any cert that the web browsers has accepted. + E.g. the user said "Yes" or "Continue" to a web browser dialog + regarding a certificate. If we get the same cert (chain) from + the VNC server we trust it without prompting the user. + + debugCerts + yes/no, default: no + Print out every cert in the Server, TrustUrl, TrustAll chains. + + +TightVNC Java viewer only: + + Offer Relogin + yes/no, default: yes + "Offer Relogin" set to "No" disables "Login again" + + SocketFactory + string, default: none + set Java Socket class factory. + +UltraVNC Java viewer only: + + None. + + The following are added by x11vnc and/or ssvnc project + + ftpDropDown + string, default: none + Sets the file transfer "drives" dropdown to the "." separated + list. Use "+" for space. The default is + + My+Documents.Desktop.Home + + for 3 entries in the dropdown in addition to the "drives" + (e.g. C:\) These items should be expanded properly by the VNC + Server. x11vnc will prepend $HOME to them, which is normally + what one wants. To include a "/" use "_2F_". Another example: + + Home.Desktop.bin_2F_linux + + If an item is prefixed with "TOP_" then the item is inserted at + the top of the drop down rather than being appended to the end. + E.g. 
to try to initially load the user homedir instead of /: + + TOP_Home.My+Documents.Desktop + + If ftpDropDown is set to the empty string, "", then no special + locations, [Desktop] etc., are placed in the drop down. Only the + ultravnc "drives" will appear. + + ftpOnly + yes/no, default: no + The VNC viewer only shows the filetransfer panel, no desktop + is displayed. + + graftFtp + yes/no, default: no + As ftpOnly, the VNC viewer only shows the filetransfer panel, + no desktop is displayed, however it is "grafted" onto an existing + SSVNC unix vncviewer. The special SSVNC vncviewer merges the two + channels. + + dsmActive + yes/no, default: no + Special usage mode with the SSVNC unix vncviewer. The UltraVNC + DSM encryption is active. Foolishly, UltraVNC DSM encryption + *MODIFIES* the VNC protocol when active (it is not a pure tunnel). + This option indicates to modify the VNC protocol to make this work. + Usually only used with graftFtp and SSVNC unix vncviewer. + + delayAuthPanel + yes/no, default: no + This is another special usage mode with the SSVNC unix vncviewer. + A login panel is delayed (not shown at startup.) Could be useful + for non SSVNC usage too. + + ignoreMSLogonCheck + yes/no, default: no + Similar to delayAuthPanel, do not put up a popup asking for + Windows username, etc. |
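Review bot: the oneTimeKey paragraph contradicts itself: it first says the cert+key lets the client "authenticate itself by SSL To the VNC Server", then adds "The Vncviewer authenticates the VNC server with this key". Only the first reading fits a client-side cert+key; authenticating the server is what the separate serverCert parameter does per its own paragraph, so the second sentence should be reworded or dropped. Two further documentation points in the Applet Parameters section: PASSWORD, ENCPASSWORD and oneTimeKey are all passed as URL query parameters (http://host:5800/?param=value), so the caveat "This should be done over HTTPS not HTTP", currently stated only under serverCert, applies at least as strongly to them and should be repeated there, together with a note that query strings are retained in browser history and in intermediate proxy logs; and ENCPASSWORD is described as "encrypted in DES with KNOWN FIXED key", which means anyone who sees the hex string can recover the password, so the text should say plainly that it is obfuscation rather than protection and must be handled exactly like PASSWORD. Minor wording to fix in the same file: "because is support UltraVNC filetransfer" should read "because it supports UltraVNC filetransfer", "as show above" should read "as shown above", and "use this at the url port number" should read "use this as the url port number".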