summaryrefslogtreecommitdiffstats
path: root/webclients/ssl/README
diff options
context:
space:
mode:
Diffstat (limited to 'webclients/ssl/README')
-rw-r--r--webclients/ssl/README338
1 files changed, 338 insertions, 0 deletions
diff --git a/webclients/ssl/README b/webclients/ssl/README
new file mode 100644
index 0000000..b244cf1
--- /dev/null
+++ b/webclients/ssl/README
@@ -0,0 +1,338 @@
+This directory contains a patched Java applet VNC viewer that is SSL
+enabled.
+
+The patches in the *.patch files are relative to the source tarball:
+
+ tightvnc-1.3dev7_javasrc.tar.gz
+
+currently (4/06) available here:
+
+ http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download
+
+It also includes some simple patches to:
+
+ - fix richcursor colors
+
+ - make the Java Applet cursor (not the cursor drawn to the canvas
+ framebuffer) invisible when it is inside the canvas.
+
+ - allow Tab (and some other) keystrokes to be sent to the vnc
+ server instead of doing widget traversal.
+
+
+This SSL applet should work with any VNC viewer that has an SSL tunnel in
+front of it. It has been tested on x11vnc and using the stunnel tunnel
+to other VNC servers.
+
+By default this Vnc Viewer will only do SSL. To do unencrypted traffic
+see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).
+
+Proxies: they are a general problem with java socket applets (a socket
+connection does not go through the proxy). See the info in the proxy.vnc
+file for a workaround. It uses SignedVncViewer.jar which is simply
+a signed version of VncViewer.jar. The basic idea is the user clicks
+"Yes" to trust the applet and then it can connect directly to the proxy
+and issue a CONNECT request.
+
+This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
+Java plugin. It may not work on older releases or different vendor VM's.
+Send full Java Console output for failures.
+
+---------------------------------------------------------------
+Tips:
+
+When doing single-port proxy connections (e.g. both VNC and HTTPS
+thru port 5900) it helps to move through the 'do you trust this site'
+dialogs quickly. x11vnc has to wait to see if the traffic is VNC or
+HTTP and this can cause timeouts if you don't move thru them quickly.
+
+You may have to restart your browser completely if it gets into a
+weird state. For one case we saw the JVM requesting VncViewer.class
+even when no such file exists.
+
+
+---------------------------------------------------------------
+Extras:
+
+ss_vncviewer (not Java):
+
+ Wrapper script for native VNC viewer to connect to x11vnc in
+ SSL mode. Script launches stunnel(8) and then connects to it
+ via localhost which in turn is then redirected to x11vnc via an
+ SSL tunnel. stunnel(8) must be installed and available in PATH.
+
+
+Running Java SSL VncViewer from the command line:
+
+ From this directory:
+
+ java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>
+
+ substitute <thehost> and <theport> with the actual values.
+ You can add any other parameters, e.g.: ignoreProxy yes
+
+---------------------------------------------------------------
+UltraVNC:
+
+The UltraVNC java viewer has also been patched to support SSL. Various
+bugs in the UltraVNC java viewer were also fixed. This viewer can be
+useful because is support UltraVNC filetransfer, and so it works on
+Unix, etc.
+
+UltraViewerSSL.jar
+SignedUltraViewerSSL.jar
+ultra.vnc
+ultraproxy.vnc
+ultravnc-102-JavaViewer-ssl-etc.patch
+
+---------------------------------------------------------------
+Applet Parameters:
+
+Some additional applet parameters can be set via the URL, e.g.
+
+ http://host:5800/?param=value
+ http://host:5800/ultra.vnc?param=value
+ https://host:5900/ultra.vnc?param=value
+
+etc. If running java from command line as show above, it comes
+in as java ... VncViewer param value ...
+
+There is a limitation with libvncserver that param and value can
+only be alphanumeric, underscore, "+" (for space), or "."
+
+We have added some applet parameters to the stock VNC java
+viewers. Here are the applet parameters:
+
+Both TightVNC and UltraVNC Java viewers:
+
+ HOST
+ string, default: none.
+ The Hostname to connect to.
+
+ PORT
+ number, default: 0
+ The VNC server port to connect to.
+
+ Open New Window
+ yes/no, default: no
+ Run applet in separate frame.
+
+ Show Controls
+ yes/no, default: yes
+ Show Controls button panel.
+
+ Show Offline Desktop
+ yes/no, default: no
+ Do we continue showing desktop on remote disconnect?
+
+ Defer screen updates
+ number, default: 20
+ Milliseconds delay
+
+ Defer cursor updates
+ number, default: 10
+ Milliseconds delay
+
+ Defer update requests
+ number, default: 50
+ Milliseconds delay
+
+ PASSWORD
+ string, default: none
+ VNC session password in plain text.
+
+ ENCPASSWORD
+ string, default: none
+ VNC session password in encrypted in DES with KNOWN FIXED
+ key. It is a hex string. This is like the ~/.vnc/passwd format.
+
+
+ The following are added by x11vnc and/or ssvnc project
+
+ VNCSERVERPORT
+ number, default: 0
+ Like PORT, but if there is a firewall this is the Actual VNC
+ server port. PORT might be a redir port on the firewall.
+
+ DisableSSL
+ yes/no, default: no
+ Do unencrypted connection, no SSL.
+
+ httpsPort
+ number, default: none
+ When checking for proxy, use this at the url port number.
+
+ CONNECT
+ string, default: none
+ Sets to host:port for the CONNECT line to a Web proxy.
+ The Web proxy should connect us to it.
+
+ GET
+ yes/no, default: no
+ Set to do a special HTTP GET (/request.https.vnc.connection)
+ to the vnc server that will cause it to switch to VNC instead.
+ This is to speedup/make more robust, the single port HTTPS and VNC
+ mode of x11vnc (e.g. both services thru port 5900, etc)
+
+ urlPrefix
+ string, default: none
+ set to a string that will be prefixed to all URL's when contacting
+ the VNC server. Idea is a special proxy will use this to indicate
+ internal hostname, etc.
+
+ oneTimeKey
+ string, default: none
+ set a special hex "key" to correspond to an SSL X.509 cert+key.
+ See the 'onetimekey' helper script. Can also be PROMPT to prompt
+ the user to paste the hex key string in.
+
+ This provides a Client-Side cert+key that the client will use to
+ authenticate itself by SSL To the VNC Server.
+
+ This is to try to work around the problem that the Java applet
+ cannot keep an SSL keystore on disk, etc. E.g. if they log
+ into an HTTPS website via password they are authenticated and
+ encrypted, then the website can safely put oneTimeKey=... on the
+ URL. The Vncviewer authenticates the VNC server with this key.
+
+ Note that there is currently a problem in that if x11vnc requires
+ Client Certificates the user cannot download the index.vnc HTML
+ and VncViewer.jar from the same x11vnc. Those need to come from
+ a different x11vnc or from a web server.
+
+ Note that the HTTPS website can also put the VNC Password
+ (e.g. a temporary/one-time one) in the parameter PASSWORD.
+ The Java Applet will automatically supply this VNC password
+ instead of prompting.
+
+ serverCert
+ string, default: none
+ set a special hex "cert" to correspond to an SSL X.509 cert
+ See the 'onetimekey -certonly' helper script.
+
+ This provides a Server-Side cert that the client will authenticate
+ the VNC Server against by SSL.
+
+ This is to try to work around the problem that the Java applet
+ cannot keep an SSL keystore on disk, etc. E.g. if they log
+ into an HTTPS website via password they are authenticated and
+ encrypted, then the website can safely put serverCert=... on the
+ URL.
+
+ Of course the VNC Server is sending this string to the Java
+ Applet, so this is only reasonable security if the VNC Viewer
+ already trusts the HTTPS retrieval of the URL + serverCert param
+ that it gets. This should be done over HTTPS not HTTP.
+
+ proxyHost
+ string, default: none
+ Do not try to guess the proxy's hostname, use the value in
+ proxyHost. Does not imply forceProxy (below.)
+
+ proxyPort
+ string, default: none
+ Do not try to guess the proxy's port number, use the value in
+ proxyPort. Does not imply forceProxy (below.)
+
+ forceProxy
+ yes/no, default: no
+ Assume there is a proxy and force its use.
+
+ If a string other than "yes" or "no" is given, it implies "yes"
+ and uses the string for proxyHost and proxyPort (see above).
+ In this case the string must be of the form "hostname+port".
+ Note that it is "+" and not ":" before the port number.
+
+ ignoreProxy
+ yes/no, default: no
+ Don't check for a proxy, assume there is none.
+
+ trustAllVncCerts
+ yes/no, default: no
+ Automatically trust any cert received from the VNC server
+ (obviously this could be dangerous and lead to man in the
+ middle attack). Do not ask the user to verify any of these
+ certs from the VNC server.
+
+ trustUrlVncCert
+ yes/no, default: no
+ Automatically trust any cert that the web browsers has accepted.
+ E.g. the user said "Yes" or "Continue" to a web browser dialog
+ regarding a certificate. If we get the same cert (chain) from
+ the VNC server we trust it without prompting the user.
+
+ debugCerts
+ yes/no, default: no
+ Print out every cert in the Server, TrustUrl, TrustAll chains.
+
+
+TightVNC Java viewer only:
+
+ Offer Relogin
+ yes/no, default: yes
+ "Offer Relogin" set to "No" disables "Login again"
+
+ SocketFactory
+ string, default: none
+ set Java Socket class factory.
+
+UltraVNC Java viewer only:
+
+ None.
+
+ The following are added by x11vnc and/or ssvnc project
+
+ ftpDropDown
+ string, default: none
+ Sets the file transfer "drives" dropdown to the "." separated
+ list. Use "+" for space. The default is
+
+ My+Documents.Desktop.Home
+
+ for 3 entries in the dropdown in addition to the "drives"
+ (e.g. C:\) These items should be expanded properly by the VNC
+ Server. x11vnc will prepend $HOME to them, which is normally
+ what one wants. To include a "/" use "_2F_". Another example:
+
+ Home.Desktop.bin_2F_linux
+
+ If an item is prefixed with "TOP_" then the item is inserted at
+ the top of the drop down rather than being appended to the end.
+ E.g. to try to initially load the user homedir instead of /:
+
+ TOP_Home.My+Documents.Desktop
+
+ If ftpDropDown is set to the empty string, "", then no special
+ locations, [Desktop] etc., are placed in the drop down. Only the
+ ultravnc "drives" will appear.
+
+ ftpOnly
+ yes/no, default: no
+ The VNC viewer only shows the filetransfer panel, no desktop
+ is displayed.
+
+ graftFtp
+ yes/no, default: no
+ As ftpOnly, the VNC viewer only shows the filetransfer panel,
+ no desktop is displayed, however it is "grafted" onto an existing
+ SSVNC unix vncviewer. The special SSVNC vncviewer merges the two
+ channels.
+
+ dsmActive
+ yes/no, default: no
+ Special usage mode with the SSVNC unix vncviewer. The UltraVNC
+ DSM encryption is active. Foolishly, UltraVNC DSM encryption
+ *MODIFIES* the VNC protocol when active (it is not a pure tunnel).
+ This option indicates to modify the VNC protocol to make this work.
+ Usually only used with graftFtp and SSVNC unix vncviewer.
+
+ delayAuthPanel
+ yes/no, default: no
+ This is another special usage mode with the SSVNC unix vncviewer.
+ A login panel is delayed (not shown at startup.) Could be useful
+ for non SSVNC usage too.
+
+ ignoreMSLogonCheck
+ yes/no, default: no
+ Similar to delayAuthPanel, do not put up a popup asking for
+ Windows username, etc.
OpenPOWER on IntegriCloud