Diffstat (limited to 'classes/ssl/README')
-rw-r--r-- | classes/ssl/README | 67 |
1 files changed, 50 insertions, 17 deletions
diff --git a/classes/ssl/README b/classes/ssl/README index 0767ce9..b244cf1 100644 --- a/classes/ssl/README +++ b/classes/ssl/README @@ -137,6 +137,15 @@ Both TightVNC and UltraVNC Java viewers: number, default: 50 Milliseconds delay + PASSWORD + string, default: none + VNC session password in plain text. + + ENCPASSWORD + string, default: none + VNC session password in encrypted in DES with KNOWN FIXED + key. It is a hex string. This is like the ~/.vnc/passwd format. + The following are added by x11vnc and/or ssvnc project 
@@ -173,16 +182,47 @@ Both TightVNC and UltraVNC Java viewers: oneTimeKey string, default: none - set a special hex "key" to correspond to an SSL X.509 cert. - See the 'onetimekey' helper script. Can also be PROMPT to - prompt the user to paste the hex key string in. + set a special hex "key" to correspond to an SSL X.509 cert+key. + See the 'onetimekey' helper script. Can also be PROMPT to prompt + the user to paste the hex key string in. + + This provides a Client-Side cert+key that the client will use to + authenticate itself by SSL To the VNC Server. + + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put oneTimeKey=... on the + URL. The Vncviewer authenticates the VNC server with this key. + + Note that there is currently a problem in that if x11vnc requires + Client Certificates the user cannot download the index.vnc HTML + and VncViewer.jar from the same x11vnc. Those need to come from + a different x11vnc or from a web server. + + Note that the HTTPS website can also put the VNC Password + (e.g. a temporary/one-time one) in the parameter PASSWORD. + The Java Applet will automatically supply this VNC password + instead of prompting. + + serverCert + string, default: none + set a special hex "cert" to correspond to an SSL X.509 cert + See the 'onetimekey -certonly' helper script. - This is to try to work around the problem that the Java - applet cannot keep an SSL keystore on disk, etc. - E.g. if they log into an HTTPS website via password they - are authenticated and encrypted, then the website can - safely put oneTimeKey=... on the URL. The Vncviewer - authenticates the VNC server with this key. + This provides a Server-Side cert that the client will authenticate + the VNC Server against by SSL. 
+ + This is to try to work around the problem that the Java applet + cannot keep an SSL keystore on disk, etc. E.g. if they log + into an HTTPS website via password they are authenticated and + encrypted, then the website can safely put serverCert=... on the + URL. + + Of course the VNC Server is sending this string to the Java + Applet, so this is only reasonable security if the VNC Viewer + already trusts the HTTPS retrieval of the URL + serverCert param + that it gets. This should be done over HTTPS not HTTP. proxyHost string, default: none @@ -238,15 +278,8 @@ TightVNC Java viewer only: UltraVNC Java viewer only: - PASSWORD - string, default: none - VNC session password in plain text. + None. - ENCPASSWORD - string, default: none - VNC session password in encrypted in DES with KNOWN FIXED - key. It is a hex string. This is like the ~/.vnc/passwd format. - The following are added by x11vnc and/or ssvnc project ftpDropDown |
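Review bot: In the first hunk (@@ -137), the ENCPASSWORD entry says the password is encrypted "in DES with KNOWN FIXED key" but does not say what follows from that: anyone who can read the parameter can recover the password, so ENCPASSWORD gives no more confidentiality than PASSWORD. Say so in the entry, for example "this is obfuscation only; treat it as equivalent to PASSWORD in plain text", and fix the wording "in encrypted in DES" to "encrypted with DES". Now that both parameters are documented for both viewers, it would also help to state here that they should only be delivered over HTTPS, as the serverCert text added later in this patch does.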
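Review bot: In the second hunk (@@ -173), the oneTimeKey text contradicts itself on the direction of authentication. The new paragraph says the cert+key is one "that the client will use to authenticate itself by SSL To the VNC Server", yet the reflowed paragraph still ends with "The Vncviewer authenticates the VNC server with this key." That last sentence should read "authenticates to the VNC server" (or be dropped), otherwise readers cannot tell oneTimeKey apart from serverCert. Also, the caveat "This should be done over HTTPS not HTTP" appears only under serverCert, while oneTimeKey carries a private key and the new note suggests putting PASSWORD alongside it; repeat the HTTPS requirement in the oneTimeKey entry. Separately, the serverCert caveat says "the VNC Server is sending this string to the Java Applet", although the paragraph above it has the HTTPS website supplying serverCert on the URL; please name the sender consistently.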
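Review bot: In the third hunk (@@ -238), replacing the UltraVNC-only entries with a bare "None." is ambiguous, because the unchanged context right after it still lists "The following are added by x11vnc and/or ssvnc project" and ftpDropDown under the same heading. Qualify the line, for example "None from the original viewer.", or add a pointer that PASSWORD and ENCPASSWORD are now documented under "Both TightVNC and UltraVNC Java viewers", so readers looking for them in the old place can find them.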