summaryrefslogtreecommitdiffstats
path: root/x11vnc/misc/enhanced_tightvnc_viewer/bin
diff options
context:
space:
mode:
authorrunge <runge>2007-06-15 03:19:05 +0000
committerrunge <runge>2007-06-15 03:19:05 +0000
commitd3326942e2e7d1391da0975590dbd2c8668d9328 (patch)
tree34da35ee116fc657d51736ff65fc0b02b3826801 /x11vnc/misc/enhanced_tightvnc_viewer/bin
parent171db9c542cd35b6de8ad88cefd99ea145482df1 (diff)
downloadlibtdevnc-d3326942e2e7d1391da0975590dbd2c8668d9328.tar.gz
libtdevnc-d3326942e2e7d1391da0975590dbd2c8668d9328.zip
x11vnc: fix build error if libssl is missing or --without-ssl supplied.
Diffstat (limited to 'x11vnc/misc/enhanced_tightvnc_viewer/bin')
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh9
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc5
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd12
-rwxr-xr-xx11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl432
4 files changed, 339 insertions, 119 deletions
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh b/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh
index 0a9c1cc..18e2f31 100755
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/Darwin.Power.Macintosh/vncviewer.sh
@@ -5,6 +5,15 @@
dir=`dirname "$0"`
+if [ "X$SSVNC_DYLD_LIBRARY_PATH" != "X" ]; then
+ if [ "X$DYLD_LIBRARY_PATH" = "X" ] ; then
+ DYLD_LIBRARY_PATH=$SSVNC_DYLD_LIBRARY_PATH
+ else
+ DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$SSVNC_DYLD_LIBRARY_PATH
+ fi
+ export DYLD_LIBRARY_PATH
+fi
+
if [ "X$DISPLAY" != "X" ]; then
"$dir/vncviewer.x11" "$@"
else
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc
index 950b94a..8088c3f 100755
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc
@@ -126,6 +126,11 @@ fi
SSVNC_BASEDIR="$dir"
export SSVNC_BASEDIR
+if [ -f "$dir/util/ultraftp.jar" ]; then
+ SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
+ export SSVNC_ULTRA_FTP_JAR
+fi
+
if [ "X$WISH" = "Xwish" ]; then
exec ssvnc.tcl "$@"
else
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd
index 7c76688..dde977b 100755
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/ssvnc_cmd
@@ -86,6 +86,13 @@ fi
PATH=$PATH:/usr/bin:/bin
export PATH
+if [ "X$FULLNAME" = "XKarl J. Runge" ]; then
+ VNCVIEWER_POPUP_FIX=1
+ export VNCVIEWER_POPUP_FIX
+
+ PATH=`echo "$PATH" | sed -e 's,runge/bin/override,-------------,'`
+fi
+
# Set this for ss_vncviewer to pick up:
#
if [ "X$1" = "X-cotvnc" ]; then
@@ -195,6 +202,11 @@ else
PATH="$dir:$dir/$name:$dir/util:$PATH"
fi
+if [ -f "$dir/util/ultraftp.jar" ]; then
+ SSVNC_ULTRA_FTP_JAR="$dir/util/ultraftp.jar"
+ export SSVNC_ULTRA_FTP_JAR
+fi
+
base=`basename "$0"`
if [ "X$1" = "X-ssl" ]; then
shift
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
index b074741..ad29194 100755
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
@@ -8,7 +8,7 @@ exec wish "$0" "$@"
# ssvnc.tcl: gui wrapper to the programs in this
# package. Also sets up service port forwarding.
#
-set version 1.0.17
+set version 1.0.18
set buck_zero $argv0
@@ -187,32 +187,67 @@ proc help {} {
the Help under Options for more info.
- Proxies:
+ Proxies/Gateways:
If an intermediate proxy is needed to make the SSL connection
(e.g. web gateway out of a firewall) enter it in the "Proxy/Gateway"
- entry box, or Alternatively supply both hosts separated by spaces
- (with the proxy second) in the VNC Host:Display box:
+ entry box:
- host:number gwhost:port
+ VNC Host-Display: host:number
+ Proxy/Gateway: gw-host:port
+ e.g.:
+ VNC Host-Display: far-away.east:0
+ Proxy/Gateway: mygateway.com:8080
+
+ Or Alternatively one can supply both hosts separated by
+ spaces (with the proxy second) in the VNC Host:Display box:
+
+ VNC Host-Display: far-away.east:0 mygateway.com:8080
+
+ This looks a little strange, but it actually how SSVNC stores the
+ host info internally.
- E.g.: far-away.east:0 mygateway.com:8080
If the "double proxy" case is required (e.g. coming out of a web
- proxied firewall environment), separate them via a comma, e.g.:
+ proxied firewall environment and then into a 2nd proxy to ultimately
+ reach the VNC server), separate them via a comma, e.g.:
- far-away:0 local-proxy:8080,mygateway.com:443
+ VNC Host-Display: far-away:0
+ Proxy/Gateway: local-proxy:8080,mygateway.com:443
- (either as above, or putting the 2nd string in the "Proxy/Gateway"
- entry box).
+ (either as above, or alternatively putting both strings in Host:Display)
See the ss_vncviewer description and x11vnc FAQ for info on proxies:
http://www.karlrunge.com/x11vnc/#ss_vncviewer
http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy
- Proxies also apply to SSH mode, it is a usually a gateway machine to
- log into via SSH that is not the workstation running the VNC server.
+ SSH Proxies/Gateways:
+
+ Proxy/Gateway also applies to SSH mode, it is a usually a gateway
+ machine to log into via SSH that is not the workstation running the
+ VNC server.
+
+ For example if a company had a central login server: "ssh.company.com"
+ (accessible from the internet) and the internal workstation name was
+ "joes-pc", one could put in for the
+
+ VNC Host:Display: joes-pc:0
+ Proxy/Gateway: ssh.company.com
+
+ It is OK if the hostname "joes-pc" only resolves inside the firewall.
+
+ The 2nd leg, from ssh.company.com -> joes-pc is done by a ssh -L
+ redir and is not encrypted (but viewer -> ssh.company.com is encrypted).
+
+ To SSH encrypt both legs, try the "double gateway" using the above
+ "comma" notation:
+
+ VNC Host:Display: :0
+ Proxy/Gateway: ssh.company.com,joes-pc
+
+ this requires an SSH server running on joes-pc. Use username@host
+ (e.g. joe@joes-pc jsmith@ssh.company.com if the user name differs).
Remote SSH Command:
@@ -421,10 +456,16 @@ proc help {} {
the latter is preferred because when you reconnect with it will
find the already running one. The former one will keep creating
new X sessions if called repeatedly.
+
+ 12) You can change the X DISPLAY variable by typing DISPLAY=... into
+ VNC Host:Display and hitting Return or clicking Connect. Same for
+ HOME=. Setting SLEEP=n increases the amount of time waited before
+ starting the viewer. On Mac, you can set DYLD_LIBRARY_PATH=... too.
+ It should propagate down the the viewer.
}
global version
- set msg " SSVNC version: $version\n$msg"
+ set msg " SSVNC version: $version\n$msg"
.h.f.t insert end $msg
jiggle_text .h.f.t
@@ -443,55 +484,79 @@ proc help_certs {} {
set msg {
Description:
- *IMPORTANT*: Only with SSL Certificate verification (either manually or via
- Certificate Authority) can Man-In-The-Middle attacks be prevented. Otherwise,
- only passive network sniffing attacks are prevented.
-
- The SSL Certificate files described below can have been created externally
- (e.g. by x11vnc), you can import it via "Import Certificate" if you like.
- OR you can click on "Create Certificate ..." to use this program to generate a
- Certificate + Private Key pair. In that case you will need to distribute one
- of the generated files to the VNC Server.
-
- You can also retrieve the remote VNC Server's Cert via the "Fetch Cert" button
- on the main panel. After you check that it is the correct Cert (e.g. by
- comparing MD5 hash or other info), you can save it. It will be set as the
- "ServerCert" to verify against for the connection. To make this verification
- check permanent, you will need to save the profile via Options -> Save Profile.
-
- If "Verify All Certs" is checked, you are forced to do this check, and so the
- first time you connect to a new server you may need to follow a few dialogs to
- inspect and save the server certificate. In this case certificates are saved
- in the 'Accepted Certs' directory. When "Verify All Certs" is checked all
- hosts or profiles with "CertsDir" set to "ACCEPTED_CERTS" (and no "ServerCert"
- setting) will be check against the accepted certificates.
-
- Note that "Verify All Certs" is on by default so that users who do not
+ *IMPORTANT*: Only with SSL Certificate verification (either manually or via a
+ Certificate Authority certificate) can Man-In-The-Middle attacks be prevented.
+ Otherwise, only passive network sniffing attacks are prevented.
+
+ The SSL Certificate files described below may have been created externally
+ (e.g. by x11vnc or openssl): you can import them via "Import Certificate".
+ OR you can click on "Create Certificate ..." to use THIS program to generate
+ a Certificate + Private Key pair for you (in this case you will need to
+ distribute one of the generated files to the VNC Server).
+
+ Then you associate the Saved cert with the VNC server, see the panel entry
+ box description below, and then Connect. You will usually want to Save this
+ association in a VNC Server profile for the next time you connect.
+
+ Fetch Cert:
+
+ You can also retrieve and view the VNC Server's Cert via the "Fetch Cert"
+ button on the main panel. After you check that it is the correct Cert (e.g. by
+ comparing MD5 hash or other info), you can save it. The file it was saved
+ as will be set as the "ServerCert" to verify against for the next connection.
+ To make this verification check permanent, you will need to save the profile
+ via Options -> Save Profile.
+
+ Verify All Certs:
+
+ If "Verify All Certs" is checked on the main panel, you are always forced
+ to check unrecognized server certs, and so the first time you connect to
+ a new server you may need to follow a few dialogs to inspect and save the
+ server certificate.
+
+ Under "Verify All Certs", new certificates are saved in the 'Accepted Certs'
+ directory. When the checkbox is set all host profiles with "CertsDir" set to
+ "ACCEPTED_CERTS" (and an empty "ServerCert" setting) will be checked against
+ the pool of accepted certificates in the 'Accepted Certs' directory.
+
+ Note that we have "Verify All Certs" on by default so that users who do not
understand the SSL Man-In-The-Middle problem will not be left completely
- vulnerable to it (everyone still must make the effort to verify new certificates
- by an external method to be completely safe)
+ vulnerable to it. Everyone still must make the effort to verify new
+ certificates by an external method to be completely safe.
To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or set
SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to see the
button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1.
- Note: due to a deficiency in openssl "Fetch Cert" may be slow on Windows. Also:
- "Fetch Cert" and "Verify All Certs" do not currently work in "SSH + SSL" mode.
+ Note: "Fetch Cert" and "Verify All Certs" do not currently work in "SSH +
+ SSL" mode. In this case to have server authentication "ServerCert" must be
+ set explicitly to a file (or "CertDir" to a directory).
+
+ CA:
+
+ One can make SSL VNC server authentication more "automatic" as it is in
+ Web Browsers going to HTTPS sites, by using a Certificate Authority (CA)
+ cert (e.g. a professional one like Verisign or Thawte, or one your company
+ or organization creates) for the "ServerCert". This is described in detail
+ here: http://www.karlrunge.com/x11vnc/ssl.html
+
+ CA's are not often used, but if the number of VNC Servers scales up it can
+ be very convenient because the viewers (i.e. SSVNC) only need the CA cert,
+ not all of the Server certs.
+
- One can make SSL VNC server authentication "automatic" as it is in Web
- Browsers going to HTTPS sites, by using a Certificate Authority (CA) cert
- (e.g. a professional one like Verisign or Thawte, or one your company or
- organization creates). This is described in detail here:
- http://www.karlrunge.com/x11vnc/ssl.html You simply use the CA cert in the
- entries described below.
+ Now what goes into the panel's entry boxes is described.
Your Certificate + Key:
- You can specify your own SSL certificate (PEM) file in "MyCert" in which case it
- is used to authenticate you (the viewer) to the remote VNC Server. If this fails
+ You can specify YOUR own SSL certificate (PEM) file in "MyCert" in which case it
+ is used to authenticate YOU (the viewer) to the remote VNC Server. If this fails
the remote VNC Server will drop the connection.
+ So the Server could use this method to authenticate Viewers instead of the
+ more common practice of using a VNC password or x11vnc's -unixpw mode.
+
Server Certificates:
@@ -508,6 +573,7 @@ proc help_certs {} {
The former corresponds to the "CAfile" STUNNEL parameter.
The latter corresponds to the "CApath" STUNNEL parameter.
+
See stunnel(8) or www.stunnel.org for more information.
If the remote VNC Server fails to authenticate itself with respect to the specified
@@ -517,17 +583,19 @@ proc help_certs {} {
Once selected, if you click Info or the Right Mouse button on "Browse..."
then information about the certificate will be displayed.
- If "CertsDir" is set to the token "ACCEPTED_CERTS" (and "ServerCert" is
- unset) then the certificates accumulated in the special 'Accepted Certs'
- directory will be used. "ACCEPTED_CERTS" is the default for every server
- ("Verify All Certs"). Note that if you ever need to clean this directory,
- each cert is saved in two files, for example:
+ If, as is the default, "CertsDir" is set to the token "ACCEPTED_CERTS" (and
+ "ServerCert" is unset) then the certificates accumulated in the special
+ 'Accepted Certs' directory will be used. "ACCEPTED_CERTS" is the default for
+ every server ("Verify All Certs"). Note that if you ever need to clean this
+ directory, each cert is saved in two files, for example:
bf-d0-d6-9c-68-5a-fe-24-c6-60-ba-b4-14-e6-66-14=hostname-0.crt
and
9eb7c8be.0
This is because of the way OpenSSL must use hash-based filenames in Cert dirs.
+ The file will have a "full filename:" line indicating the fingerprint and
+ hostname associated with it. Be sure to remove both files.
Notes:
@@ -546,9 +614,10 @@ proc help_certs {} {
x11vnc -ssl SAVE ...
and then copy the Server certificate to the local (viewer-side) machine.
- x11vnc prints out to the screen the Server certificate it generates.
- You can set "ServerCert" to it directly or use the "Import Certificate"
- action to save it to a file. Or use the "Fetch Cert" method.
+ x11vnc prints out to the screen the Server certificate it generates. You can
+ set "ServerCert" to it directly or use the "Import Certificate" action to
+ save it to a file. Or use the "Fetch Cert" method to retrieve it (be sure
+ to verify the MD5 fingerprint, etc).
x11vnc also has command line utilities to create server, client, and CA
(Certificate Authority) certificates. See the above URLs.
@@ -2770,7 +2839,7 @@ proc check_accepted_certs {} {
if [file exists $crt] {
mesg "OK: Certificate found in ACCEPTED_CERTS"
- after 550
+ after 750
return 1
}
@@ -2864,6 +2933,7 @@ proc check_accepted_certs {} {
VNC server that you trust (e.g. by checking the fingerprint with that
sent to you by the server administrator).
+
Should this certificate be saved in the accepted certs directory and
then used to SSL authenticate VNC servers?
@@ -2871,7 +2941,7 @@ proc check_accepted_certs {} {
to inspect the certificate before deciding to save it or not.
Choose 'Ignore Cert for One Connection' to connect one time to the
- server and not require any certificate verification.
+ server and not require ANY certificate verification.
"
if {$oth == 0} {
@@ -2947,40 +3017,51 @@ proc check_accepted_certs {} {
set fetch_cert_filename $crt
fetch_dialog $cert_text $hp $hp 1 47
+ after 100
catch {tkwait window .fetch}
after 200
catch {tkwait window .scrt}
+ after 200
+ if [winfo exists .scrt] {
+ catch {tkwait window .scrt}
+ }
set fetch_cert_filename ""
+ set accepted_cert_dialog_in_progress 0
- if [file exists $crt] {
- set ossl [get_openssl]
- set hash [exec $ossl x509 -hash -noout -in $crt]
- set hash [string trim $hash]
- if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] {
- set hashfile "$adir/$h.0"
- if [file exists $hashfile] {
- set hashfile "$adir/$h.1"
- }
- set fh [open $crt "a"]
- if {$fh != ""} {
- puts $fh ""
- puts $fh "SSVNC info:"
- puts $fh "Host-Display: $hp"
- puts $fh "$fingerline"
- puts $fh "hash filename: $h.0"
- puts $fh "full filename: $fingerprint=$from.crt"
- close $fh
- }
- catch {file copy -force $crt $hashfile}
- if [file exists $hashfile] {
- return 1
- }
+ save_hash $crt $adir $hp $fingerline $from $fingerprint
+
+ return 1
+}
+
+proc save_hash {crt adir hp fingerline from fingerprint} {
+ if ![file exists $crt] {
+ return
+ }
+ set ossl [get_openssl]
+ set hash [exec $ossl x509 -hash -noout -in $crt]
+ set hash [string trim $hash]
+ if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] {
+ set hashfile "$adir/$h.0"
+ if [file exists $hashfile] {
+ set hashfile "$adir/$h.1"
+ }
+ set fh [open $crt "a"]
+ if {$fh != ""} {
+ puts $fh ""
+ puts $fh "SSVNC info:"
+ puts $fh "Host-Display: $hp"
+ puts $fh "$fingerline"
+ puts $fh "hash filename: $h.0"
+ puts $fh "full filename: $fingerprint=$from.crt"
+ close $fh
+ }
+ catch {file copy -force $crt $hashfile}
+ if [file exists $hashfile] {
+ return 1
}
}
-
- return 0
}
proc tpid {} {
@@ -3680,13 +3761,51 @@ proc launch {{hp ""}} {
set hp [get_vncdisplay]
}
- if {[regexp {^HOME=} $hp] || [regexp {^SSVNC_HOME=} $hp]} {
- set t $hp
+ set hpt [string trim $hp]
+ regsub {[ ].*$} $hpt "" hpt
+
+
+ if {[regexp {^HOME=} $hpt] || [regexp {^SSVNC_HOME=} $hpt]} {
+ set t $hpt
regsub {^.*HOME=} $t "" t
+ set t [string trim $t]
set env(SSVNC_HOME) $t
mesg "set SSVNC_HOME to $t"
return 0
}
+ if {[regexp {^DISPLAY=} $hpt] || [regexp {^SSVNC_DISPLAY=} $hpt]} {
+ set t $hpt
+ regsub {^.*DISPLAY=} $t "" t
+ set t [string trim $t]
+ set env(DISPLAY) $t
+ mesg "set DISPLAY to $t"
+ global uname darwin_cotvnc
+ if {$uname == "Darwin"} {
+ if {$t != ""} {
+ set darwin_cotvnc 0
+ } else {
+ set darwin_cotvnc 1
+ }
+ }
+ return 0
+ }
+ if {[regexp {^DYLD_LIBRARY_PATH=} $hpt] || [regexp {^SSVNC_DYLD_LIBRARY_PATH=} $hpt]} {
+ set t $hpt
+ regsub {^.*DYLD_LIBRARY_PATH=} $t "" t
+ set t [string trim $t]
+ set env(DYLD_LIBRARY_PATH) $t
+ set env(SSVNC_DYLD_LIBRARY_PATH) $t
+ mesg "set DYLD_LIBRARY_PATH to $t"
+ return 0
+ }
+ if {[regexp {^SLEEP=} $hpt] || [regexp {^SSVNC_EXTRA_SLEEP=} $hpt]} {
+ set t $hpt
+ regsub {^.*SLEEP=} $t "" t
+ set t [string trim $t]
+ set env(SSVNC_EXTRA_SLEEP) $t
+ mesg "set SSVNC_EXTRA_SLEEP to $t"
+ return 0
+ }
regsub {[ ]*cmd=.*$} $hp "" tt
@@ -4944,7 +5063,7 @@ proc import_check_mode {w} {
}
}
-proc import_browse {} {
+proc import_browse {par} {
global import_file
set idir ""
@@ -4952,14 +5071,14 @@ proc import_browse {} {
set idir [get_idir_certs $import_file]
}
if {$idir != ""} {
- set t [tk_getOpenFile -parent .icrt -initialdir $idir]
+ set t [tk_getOpenFile -parent $par -initialdir $idir]
} else {
- set t [tk_getOpenFile -parent .icrt]
+ set t [tk_getOpenFile -parent $par]
}
if {$t != ""} {
set import_file $t
}
- catch {raise .icrt}
+ catch {raise $par}
update
}
@@ -4985,11 +5104,12 @@ proc import_save_browse {{par ".icrt"}} {
update
}
-proc do_save {} {
+proc do_save {par} {
global import_mode import_file import_save_file
+ global also_save_to_accepted_certs
- if {$import_save_file == ""} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ if {$import_save_file == "" && ! $also_save_to_accepted_certs} {
+ tk_messageBox -parent $par -type ok -icon error \
-message "No Save File supplied" -title "Save File"
return
}
@@ -4999,10 +5119,10 @@ proc do_save {} {
global save_cert_text
set str $save_cert_text
} elseif {$import_mode == "paste"} {
- set str [.icrt.paste.t get 1.0 end]
+ set str [$par.paste.t get 1.0 end]
} else {
if {! [file exists $import_file]} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ tk_messageBox -parent $par -type ok -icon error \
-message "Input file \"$import_file\" does not exist." -title "Import File"
return
}
@@ -5010,7 +5130,7 @@ proc do_save {} {
set emess ""
set rc [catch {set fh [open $import_file "r"]} emess]
if {$rc != 0 || $fh == ""} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ tk_messageBox -parent $par -type ok -icon error \
-message $emess -title "Import File: $import_file"
return
}
@@ -5021,25 +5141,34 @@ proc do_save {} {
}
if {! [regexp {BEGIN CERTIFICATE} $str]} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ tk_messageBox -parent $par -type ok -icon error \
-message "Import Text does not contain \"BEGIN CERTIFICATE\"" -title "Imported Text"
return
}
if {! [regexp {END CERTIFICATE} $str]} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ tk_messageBox -parent $par -type ok -icon error \
-message "Import Text does not contain \"END CERTIFICATE\"" -title "Imported Text"
return
}
+ global is_windows
set fh ""
set emess ""
+ set deltmp ""
+ if {$import_save_file == ""} {
+ if {! $is_windows} {
+ set deltmp /tmp/itmp.[tpid]
+ } else {
+ set deltmp itmp.[tpid]
+ }
+ set import_save_file $deltmp
+ }
set rc [catch {set fh [open $import_save_file "w"]} emess]
if {$rc != 0 || $fh == ""} {
- tk_messageBox -parent .icrt -type ok -icon error \
+ tk_messageBox -parent $par -type ok -icon error \
-message $emess -title "Save File: $import_save_file"
return
}
- global is_windows
if {! $is_windows} {
catch {file attributes $import_save_file -permissions go-w}
if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} {
@@ -5048,13 +5177,59 @@ proc do_save {} {
}
puts -nonewline $fh $str
close $fh
- catch {destroy .icrt}
+
+ if {$also_save_to_accepted_certs} {
+ set ossl [get_openssl]
+ set fp_txt ""
+ set fp_txt [exec $ossl x509 -fingerprint -noout -in $import_save_file]
+
+ set adir [get_idir_certs ""]
+ set adir "$adir/accepted"
+ catch {file mkdir $adir}
+
+ set fingerprint ""
+ set fingerline ""
+
+ set i 0
+ foreach line [split $fp_txt "\n"] {
+ incr i
+ if {$i > 4} {
+ break
+ }
+ if [regexp -nocase {Fingerprint=(.*)} $line mv str] {
+ set fingerline $line
+ set fingerprint [string trim $str]
+ }
+ }
+
+ set fingerprint [string tolower $fingerprint]
+ regsub -all {:} $fingerprint "-" fingerprint
+ regsub -all {[\\/=]} $fingerprint "_" fingerprint
+
+ global vncdisplay
+ set from [get_ssh_hp $vncdisplay]
+ set hp $from
+
+ set from [string tolower $from]
+ regsub -all {^[+a-z]*://} $from "" from
+ regsub -all {:} $from "-" from
+ regsub -all {[\\/=]} $from "_" from
+
+ set crt "$adir/$fingerprint=$from.crt"
+ catch {file copy -force $import_save_file $crt}
+
+ save_hash $crt $adir $hp $fingerline $from $fingerprint
+ }
+
+ catch {destroy $par}
set p .c
if {![winfo exists .c]} {
global accepted_cert_dialog_in_progress
if {! $accepted_cert_dialog_in_progress} {
- getcerts
- update
+ if {$deltmp == ""} {
+ getcerts
+ update
+ }
}
}
if {![winfo exists .c]} {
@@ -5062,6 +5237,11 @@ proc do_save {} {
}
catch {raise .c}
catch {destroy .scrt}
+ if {$deltmp != ""} {
+ catch {file delete $deltmp}
+ set import_save_file ""
+ return;
+ }
tk_messageBox -parent $p -type ok -icon info \
-message "Saved to file: $import_save_file" -title "Save File: $import_save_file"
}
@@ -5144,7 +5324,7 @@ TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
set import_file ""
entry $w.e -width 40 -textvariable import_file
- button $w.b -pady 1 -anchor w -text "Browse..." -command import_browse
+ button $w.b -pady 1 -anchor w -text "Browse..." -command {import_browse .icrt}
pack $w.b -side right
pack $w.p $w.f -side left
pack $w.e -side left -expand 1 -fill x
@@ -5162,7 +5342,7 @@ TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam
button .icrt.cancel -text "Cancel" -command {destroy .icrt; catch {raise .c}}
bind .icrt <Escape> {destroy .icrt; catch {raise .c}}
- button .icrt.save -text "Save" -command {do_save}
+ button .icrt.save -text "Save" -command {do_save .icrt}
set w .icrt.sf
frame $w
@@ -5197,15 +5377,16 @@ proc save_cert {hp} {
global scroll_text_focus
set scroll_text_focus 0
global uname
- scroll_text .scrt.f 90 17
- set scroll_text_focus 1
global accepted_cert_dialog_in_progress
if {$accepted_cert_dialog_in_progress} {
set mode "accepted"
+ scroll_text .scrt.f 90 15
} else {
set mode "normal"
+ scroll_text .scrt.f 90 20
}
+ set scroll_text_focus 1
set msg1 {
This dialog lets you import a SSL Certificate retrieved from a VNC server.
@@ -5213,16 +5394,19 @@ proc save_cert {hp} {
Be sure to have verified its authenticity via an external means (checking
the MD5 hash value sent to you by the administrator, etc)
- Set the "Save to File" name to the file where the imported certificate
- will be saved.
+ Set "Save to File" to the filename where the imported cert will be saved.
+
+ If you also want the Certificate to be saved to the pool of certs in the
+ 'Accepted Certs' directory, select the checkbox. By default all Servers are
+ verified against the certificates in this pool.
Then, click on "Save" to save the imported Certificate.
- After you have imported the Certificate it will be automatically selected
- as the "ServerCert" for this host: %HOST
+ After you have imported the Certificate it will be automatically selected as
+ the "ServerCert" for the next connection to this host: %HOST
- To make the ServerCert setting to the imported cert file PERMANENT,
- select Options -> Save Profile to save it in a profile.
+ To make the ServerCert setting to the imported cert file PERMANENT, select
+ Options -> Save Profile to save it in the profile for this host.
}
set msg2 {
@@ -5238,7 +5422,7 @@ proc save_cert {hp} {
It, and the others certs in that directory, will be used to authenticate
any VNC Server that has "ACCEPTED_CERTS" as the "CertsDir" value in the
- "Certs..." dialog.
+ "Certs..." dialog. This is the default checking policy.
}
set msg ""
@@ -5258,16 +5442,16 @@ proc save_cert {hp} {
set import_file ""
entry $w.e -width 40 -textvariable import_file
- scroll_text .scrt.paste 90 26
+ scroll_text .scrt.paste 90 23
button .scrt.cancel -text "Cancel" -command {destroy .scrt; catch {raise .c}}
bind .scrt <Escape> {destroy .scrt; catch {raise .c}}
global import_save_file
if {$mode == "normal"} {
- button .scrt.save -text "Save" -command {do_save; set svcert $import_save_file}
+ button .scrt.save -text "Save" -command {do_save .scrt; set svcert $import_save_file}
} else {
- button .scrt.save -text "Save" -command {do_save}
+ button .scrt.save -text "Save" -command {do_save .scrt}
}
set w .scrt.sf
@@ -5292,7 +5476,16 @@ proc save_cert {hp} {
pack $w.l -side left
pack $w.e -side left -expand 1 -fill x
- pack .scrt.cancel .scrt.save .scrt.sf .scrt.mf -side bottom -fill x
+ global also_save_to_accepted_certs
+ set also_save_to_accepted_certs 0
+ checkbutton .scrt.ac -anchor w -variable also_save_to_accepted_certs -text \
+ "Also Save to the 'Accepted Certs' directory" -relief raised
+
+ if {$mode == "normal"} {
+ pack .scrt.cancel .scrt.save .scrt.sf .scrt.ac .scrt.mf -side bottom -fill x
+ } else {
+ pack .scrt.cancel .scrt.save .scrt.sf .scrt.mf -side bottom -fill x
+ }
pack .scrt.paste -side bottom -fill x
pack .scrt.f -side top -fill both -expand 1
@@ -8544,6 +8737,7 @@ proc unixpw_adjust {} {
}
if {$use_unixpw} {
pack configure .fu -after .f1 -fill x
+ catch {focus .fu.e}
} else {
pack forget .fu
}
@@ -8575,7 +8769,7 @@ proc set_options {} {
incr i
checkbutton .o.b$i -anchor w -variable use_unixpw -text \
- "Unix Username & Password" -command {unixpw_adjust}
+ "Unix Username & Password" -command {unixpw_adjust; catch {destroy .o}}
if {$is_windows} {.o.b$i configure -state disabled}
if {$darwin_cotvnc} {.o.b$i configure -state disabled}
incr i