diff options
Diffstat (limited to 'x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl')
-rwxr-xr-x | x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl | 432 |
1 files changed, 313 insertions, 119 deletions
diff --git a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl index b074741..ad29194 100755 --- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl +++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl @@ -8,7 +8,7 @@ exec wish "$0" "$@" # ssvnc.tcl: gui wrapper to the programs in this # package. Also sets up service port forwarding. # -set version 1.0.17 +set version 1.0.18 set buck_zero $argv0 @@ -187,32 +187,67 @@ proc help {} { the Help under Options for more info. - Proxies: + Proxies/Gateways: If an intermediate proxy is needed to make the SSL connection (e.g. web gateway out of a firewall) enter it in the "Proxy/Gateway" - entry box, or Alternatively supply both hosts separated by spaces - (with the proxy second) in the VNC Host:Display box: + entry box: - host:number gwhost:port + VNC Host-Display: host:number + Proxy/Gateway: gw-host:port + e.g.: + VNC Host-Display: far-away.east:0 + Proxy/Gateway: mygateway.com:8080 + + Or Alternatively one can supply both hosts separated by + spaces (with the proxy second) in the VNC Host:Display box: + + VNC Host-Display: far-away.east:0 mygateway.com:8080 + + This looks a little strange, but it actually how SSVNC stores the + host info internally. - E.g.: far-away.east:0 mygateway.com:8080 If the "double proxy" case is required (e.g. coming out of a web - proxied firewall environment), separate them via a comma, e.g.: + proxied firewall environment and then into a 2nd proxy to ultimately + reach the VNC server), separate them via a comma, e.g.: - far-away:0 local-proxy:8080,mygateway.com:443 + VNC Host-Display: far-away:0 + Proxy/Gateway: local-proxy:8080,mygateway.com:443 - (either as above, or putting the 2nd string in the "Proxy/Gateway" - entry box). + (either as above, or alternatively putting both strings in Host:Display) See the ss_vncviewer description and x11vnc FAQ for info on proxies: http://www.karlrunge.com/x11vnc/#ss_vncviewer http://www.karlrunge.com/x11vnc/#faq-ssl-java-viewer-proxy - Proxies also apply to SSH mode, it is a usually a gateway machine to - log into via SSH that is not the workstation running the VNC server. + SSH Proxies/Gateways: + + Proxy/Gateway also applies to SSH mode, it is a usually a gateway + machine to log into via SSH that is not the workstation running the + VNC server. + + For example if a company had a central login server: "ssh.company.com" + (accessible from the internet) and the internal workstation name was + "joes-pc", one could put in for the + + VNC Host:Display: joes-pc:0 + Proxy/Gateway: ssh.company.com + + It is OK if the hostname "joes-pc" only resolves inside the firewall. + + The 2nd leg, from ssh.company.com -> joes-pc is done by a ssh -L + redir and is not encrypted (but viewer -> ssh.company.com is encrypted). + + To SSH encrypt both legs, try the "double gateway" using the above + "comma" notation: + + VNC Host:Display: :0 + Proxy/Gateway: ssh.company.com,joes-pc + + this requires an SSH server running on joes-pc. Use username@host + (e.g. joe@joes-pc jsmith@ssh.company.com if the user name differs). Remote SSH Command: @@ -421,10 +456,16 @@ proc help {} { the latter is preferred because when you reconnect with it will find the already running one. The former one will keep creating new X sessions if called repeatedly. + + 12) You can change the X DISPLAY variable by typing DISPLAY=... into + VNC Host:Display and hitting Return or clicking Connect. Same for + HOME=. Setting SLEEP=n increases the amount of time waited before + starting the viewer. On Mac, you can set DYLD_LIBRARY_PATH=... too. + It should propagate down the the viewer. } global version - set msg " SSVNC version: $version\n$msg" + set msg " SSVNC version: $version\n$msg" .h.f.t insert end $msg jiggle_text .h.f.t @@ -443,55 +484,79 @@ proc help_certs {} { set msg { Description: - *IMPORTANT*: Only with SSL Certificate verification (either manually or via - Certificate Authority) can Man-In-The-Middle attacks be prevented. Otherwise, - only passive network sniffing attacks are prevented. - - The SSL Certificate files described below can have been created externally - (e.g. by x11vnc), you can import it via "Import Certificate" if you like. - OR you can click on "Create Certificate ..." to use this program to generate a - Certificate + Private Key pair. In that case you will need to distribute one - of the generated files to the VNC Server. - - You can also retrieve the remote VNC Server's Cert via the "Fetch Cert" button - on the main panel. After you check that it is the correct Cert (e.g. by - comparing MD5 hash or other info), you can save it. It will be set as the - "ServerCert" to verify against for the connection. To make this verification - check permanent, you will need to save the profile via Options -> Save Profile. - - If "Verify All Certs" is checked, you are forced to do this check, and so the - first time you connect to a new server you may need to follow a few dialogs to - inspect and save the server certificate. In this case certificates are saved - in the 'Accepted Certs' directory. When "Verify All Certs" is checked all - hosts or profiles with "CertsDir" set to "ACCEPTED_CERTS" (and no "ServerCert" - setting) will be check against the accepted certificates. - - Note that "Verify All Certs" is on by default so that users who do not + *IMPORTANT*: Only with SSL Certificate verification (either manually or via a + Certificate Authority certificate) can Man-In-The-Middle attacks be prevented. + Otherwise, only passive network sniffing attacks are prevented. + + The SSL Certificate files described below may have been created externally + (e.g. by x11vnc or openssl): you can import them via "Import Certificate". + OR you can click on "Create Certificate ..." to use THIS program to generate + a Certificate + Private Key pair for you (in this case you will need to + distribute one of the generated files to the VNC Server). + + Then you associate the Saved cert with the VNC server, see the panel entry + box description below, and then Connect. You will usually want to Save this + association in a VNC Server profile for the next time you connect. + + Fetch Cert: + + You can also retrieve and view the VNC Server's Cert via the "Fetch Cert" + button on the main panel. After you check that it is the correct Cert (e.g. by + comparing MD5 hash or other info), you can save it. The file it was saved + as will be set as the "ServerCert" to verify against for the next connection. + To make this verification check permanent, you will need to save the profile + via Options -> Save Profile. + + Verify All Certs: + + If "Verify All Certs" is checked on the main panel, you are always forced + to check unrecognized server certs, and so the first time you connect to + a new server you may need to follow a few dialogs to inspect and save the + server certificate. + + Under "Verify All Certs", new certificates are saved in the 'Accepted Certs' + directory. When the checkbox is set all host profiles with "CertsDir" set to + "ACCEPTED_CERTS" (and an empty "ServerCert" setting) will be checked against + the pool of accepted certificates in the 'Accepted Certs' directory. + + Note that we have "Verify All Certs" on by default so that users who do not understand the SSL Man-In-The-Middle problem will not be left completely - vulnerable to it (everyone still must make the effort to verify new certificates - by an external method to be completely safe) + vulnerable to it. Everyone still must make the effort to verify new + certificates by an external method to be completely safe. To have "Verify All Certs" toggled off at startup, use "ssvnc -nv" or set SSVNC_NO_VERIFY_ALL=1 before starting. If you do not even want to see the button, use "ssvnc -nvb" or SSVNC_NO_VERIFY_ALL_BUTTON=1. - Note: due to a deficiency in openssl "Fetch Cert" may be slow on Windows. Also: - "Fetch Cert" and "Verify All Certs" do not currently work in "SSH + SSL" mode. + Note: "Fetch Cert" and "Verify All Certs" do not currently work in "SSH + + SSL" mode. In this case to have server authentication "ServerCert" must be + set explicitly to a file (or "CertDir" to a directory). + + CA: + + One can make SSL VNC server authentication more "automatic" as it is in + Web Browsers going to HTTPS sites, by using a Certificate Authority (CA) + cert (e.g. a professional one like Verisign or Thawte, or one your company + or organization creates) for the "ServerCert". This is described in detail + here: http://www.karlrunge.com/x11vnc/ssl.html + + CA's are not often used, but if the number of VNC Servers scales up it can + be very convenient because the viewers (i.e. SSVNC) only need the CA cert, + not all of the Server certs. + - One can make SSL VNC server authentication "automatic" as it is in Web - Browsers going to HTTPS sites, by using a Certificate Authority (CA) cert - (e.g. a professional one like Verisign or Thawte, or one your company or - organization creates). This is described in detail here: - http://www.karlrunge.com/x11vnc/ssl.html You simply use the CA cert in the - entries described below. + Now what goes into the panel's entry boxes is described. Your Certificate + Key: - You can specify your own SSL certificate (PEM) file in "MyCert" in which case it - is used to authenticate you (the viewer) to the remote VNC Server. If this fails + You can specify YOUR own SSL certificate (PEM) file in "MyCert" in which case it + is used to authenticate YOU (the viewer) to the remote VNC Server. If this fails the remote VNC Server will drop the connection. + So the Server could use this method to authenticate Viewers instead of the + more common practice of using a VNC password or x11vnc's -unixpw mode. + Server Certificates: @@ -508,6 +573,7 @@ proc help_certs {} { The former corresponds to the "CAfile" STUNNEL parameter. The latter corresponds to the "CApath" STUNNEL parameter. + See stunnel(8) or www.stunnel.org for more information. If the remote VNC Server fails to authenticate itself with respect to the specified @@ -517,17 +583,19 @@ proc help_certs {} { Once selected, if you click Info or the Right Mouse button on "Browse..." then information about the certificate will be displayed. - If "CertsDir" is set to the token "ACCEPTED_CERTS" (and "ServerCert" is - unset) then the certificates accumulated in the special 'Accepted Certs' - directory will be used. "ACCEPTED_CERTS" is the default for every server - ("Verify All Certs"). Note that if you ever need to clean this directory, - each cert is saved in two files, for example: + If, as is the default, "CertsDir" is set to the token "ACCEPTED_CERTS" (and + "ServerCert" is unset) then the certificates accumulated in the special + 'Accepted Certs' directory will be used. "ACCEPTED_CERTS" is the default for + every server ("Verify All Certs"). Note that if you ever need to clean this + directory, each cert is saved in two files, for example: bf-d0-d6-9c-68-5a-fe-24-c6-60-ba-b4-14-e6-66-14=hostname-0.crt and 9eb7c8be.0 This is because of the way OpenSSL must use hash-based filenames in Cert dirs. + The file will have a "full filename:" line indicating the fingerprint and + hostname associated with it. Be sure to remove both files. Notes: @@ -546,9 +614,10 @@ proc help_certs {} { x11vnc -ssl SAVE ... and then copy the Server certificate to the local (viewer-side) machine. - x11vnc prints out to the screen the Server certificate it generates. - You can set "ServerCert" to it directly or use the "Import Certificate" - action to save it to a file. Or use the "Fetch Cert" method. + x11vnc prints out to the screen the Server certificate it generates. You can + set "ServerCert" to it directly or use the "Import Certificate" action to + save it to a file. Or use the "Fetch Cert" method to retrieve it (be sure + to verify the MD5 fingerprint, etc). x11vnc also has command line utilities to create server, client, and CA (Certificate Authority) certificates. See the above URLs. @@ -2770,7 +2839,7 @@ proc check_accepted_certs {} { if [file exists $crt] { mesg "OK: Certificate found in ACCEPTED_CERTS" - after 550 + after 750 return 1 } @@ -2864,6 +2933,7 @@ proc check_accepted_certs {} { VNC server that you trust (e.g. by checking the fingerprint with that sent to you by the server administrator). + Should this certificate be saved in the accepted certs directory and then used to SSL authenticate VNC servers? @@ -2871,7 +2941,7 @@ proc check_accepted_certs {} { to inspect the certificate before deciding to save it or not. Choose 'Ignore Cert for One Connection' to connect one time to the - server and not require any certificate verification. + server and not require ANY certificate verification. " if {$oth == 0} { @@ -2947,40 +3017,51 @@ proc check_accepted_certs {} { set fetch_cert_filename $crt fetch_dialog $cert_text $hp $hp 1 47 + after 100 catch {tkwait window .fetch} after 200 catch {tkwait window .scrt} + after 200 + if [winfo exists .scrt] { + catch {tkwait window .scrt} + } set fetch_cert_filename "" + set accepted_cert_dialog_in_progress 0 - if [file exists $crt] { - set ossl [get_openssl] - set hash [exec $ossl x509 -hash -noout -in $crt] - set hash [string trim $hash] - if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] { - set hashfile "$adir/$h.0" - if [file exists $hashfile] { - set hashfile "$adir/$h.1" - } - set fh [open $crt "a"] - if {$fh != ""} { - puts $fh "" - puts $fh "SSVNC info:" - puts $fh "Host-Display: $hp" - puts $fh "$fingerline" - puts $fh "hash filename: $h.0" - puts $fh "full filename: $fingerprint=$from.crt" - close $fh - } - catch {file copy -force $crt $hashfile} - if [file exists $hashfile] { - return 1 - } + save_hash $crt $adir $hp $fingerline $from $fingerprint + + return 1 +} + +proc save_hash {crt adir hp fingerline from fingerprint} { + if ![file exists $crt] { + return + } + set ossl [get_openssl] + set hash [exec $ossl x509 -hash -noout -in $crt] + set hash [string trim $hash] + if [regexp {^([0-9a-f][0-9a-f]*)} $hash mv h] { + set hashfile "$adir/$h.0" + if [file exists $hashfile] { + set hashfile "$adir/$h.1" + } + set fh [open $crt "a"] + if {$fh != ""} { + puts $fh "" + puts $fh "SSVNC info:" + puts $fh "Host-Display: $hp" + puts $fh "$fingerline" + puts $fh "hash filename: $h.0" + puts $fh "full filename: $fingerprint=$from.crt" + close $fh + } + catch {file copy -force $crt $hashfile} + if [file exists $hashfile] { + return 1 } } - - return 0 } proc tpid {} { @@ -3680,13 +3761,51 @@ proc launch {{hp ""}} { set hp [get_vncdisplay] } - if {[regexp {^HOME=} $hp] || [regexp {^SSVNC_HOME=} $hp]} { - set t $hp + set hpt [string trim $hp] + regsub {[ ].*$} $hpt "" hpt + + + if {[regexp {^HOME=} $hpt] || [regexp {^SSVNC_HOME=} $hpt]} { + set t $hpt regsub {^.*HOME=} $t "" t + set t [string trim $t] set env(SSVNC_HOME) $t mesg "set SSVNC_HOME to $t" return 0 } + if {[regexp {^DISPLAY=} $hpt] || [regexp {^SSVNC_DISPLAY=} $hpt]} { + set t $hpt + regsub {^.*DISPLAY=} $t "" t + set t [string trim $t] + set env(DISPLAY) $t + mesg "set DISPLAY to $t" + global uname darwin_cotvnc + if {$uname == "Darwin"} { + if {$t != ""} { + set darwin_cotvnc 0 + } else { + set darwin_cotvnc 1 + } + } + return 0 + } + if {[regexp {^DYLD_LIBRARY_PATH=} $hpt] || [regexp {^SSVNC_DYLD_LIBRARY_PATH=} $hpt]} { + set t $hpt + regsub {^.*DYLD_LIBRARY_PATH=} $t "" t + set t [string trim $t] + set env(DYLD_LIBRARY_PATH) $t + set env(SSVNC_DYLD_LIBRARY_PATH) $t + mesg "set DYLD_LIBRARY_PATH to $t" + return 0 + } + if {[regexp {^SLEEP=} $hpt] || [regexp {^SSVNC_EXTRA_SLEEP=} $hpt]} { + set t $hpt + regsub {^.*SLEEP=} $t "" t + set t [string trim $t] + set env(SSVNC_EXTRA_SLEEP) $t + mesg "set SSVNC_EXTRA_SLEEP to $t" + return 0 + } regsub {[ ]*cmd=.*$} $hp "" tt @@ -4944,7 +5063,7 @@ proc import_check_mode {w} { } } -proc import_browse {} { +proc import_browse {par} { global import_file set idir "" @@ -4952,14 +5071,14 @@ proc import_browse {} { set idir [get_idir_certs $import_file] } if {$idir != ""} { - set t [tk_getOpenFile -parent .icrt -initialdir $idir] + set t [tk_getOpenFile -parent $par -initialdir $idir] } else { - set t [tk_getOpenFile -parent .icrt] + set t [tk_getOpenFile -parent $par] } if {$t != ""} { set import_file $t } - catch {raise .icrt} + catch {raise $par} update } @@ -4985,11 +5104,12 @@ proc import_save_browse {{par ".icrt"}} { update } -proc do_save {} { +proc do_save {par} { global import_mode import_file import_save_file + global also_save_to_accepted_certs - if {$import_save_file == ""} { - tk_messageBox -parent .icrt -type ok -icon error \ + if {$import_save_file == "" && ! $also_save_to_accepted_certs} { + tk_messageBox -parent $par -type ok -icon error \ -message "No Save File supplied" -title "Save File" return } @@ -4999,10 +5119,10 @@ proc do_save {} { global save_cert_text set str $save_cert_text } elseif {$import_mode == "paste"} { - set str [.icrt.paste.t get 1.0 end] + set str [$par.paste.t get 1.0 end] } else { if {! [file exists $import_file]} { - tk_messageBox -parent .icrt -type ok -icon error \ + tk_messageBox -parent $par -type ok -icon error \ -message "Input file \"$import_file\" does not exist." -title "Import File" return } @@ -5010,7 +5130,7 @@ proc do_save {} { set emess "" set rc [catch {set fh [open $import_file "r"]} emess] if {$rc != 0 || $fh == ""} { - tk_messageBox -parent .icrt -type ok -icon error \ + tk_messageBox -parent $par -type ok -icon error \ -message $emess -title "Import File: $import_file" return } @@ -5021,25 +5141,34 @@ proc do_save {} { } if {! [regexp {BEGIN CERTIFICATE} $str]} { - tk_messageBox -parent .icrt -type ok -icon error \ + tk_messageBox -parent $par -type ok -icon error \ -message "Import Text does not contain \"BEGIN CERTIFICATE\"" -title "Imported Text" return } if {! [regexp {END CERTIFICATE} $str]} { - tk_messageBox -parent .icrt -type ok -icon error \ + tk_messageBox -parent $par -type ok -icon error \ -message "Import Text does not contain \"END CERTIFICATE\"" -title "Imported Text" return } + global is_windows set fh "" set emess "" + set deltmp "" + if {$import_save_file == ""} { + if {! $is_windows} { + set deltmp /tmp/itmp.[tpid] + } else { + set deltmp itmp.[tpid] + } + set import_save_file $deltmp + } set rc [catch {set fh [open $import_save_file "w"]} emess] if {$rc != 0 || $fh == ""} { - tk_messageBox -parent .icrt -type ok -icon error \ + tk_messageBox -parent $par -type ok -icon error \ -message $emess -title "Save File: $import_save_file" return } - global is_windows if {! $is_windows} { catch {file attributes $import_save_file -permissions go-w} if {[regexp {PRIVATE} $str] || [regexp {\.pem$} $import_save_file]} { @@ -5048,13 +5177,59 @@ proc do_save {} { } puts -nonewline $fh $str close $fh - catch {destroy .icrt} + + if {$also_save_to_accepted_certs} { + set ossl [get_openssl] + set fp_txt "" + set fp_txt [exec $ossl x509 -fingerprint -noout -in $import_save_file] + + set adir [get_idir_certs ""] + set adir "$adir/accepted" + catch {file mkdir $adir} + + set fingerprint "" + set fingerline "" + + set i 0 + foreach line [split $fp_txt "\n"] { + incr i + if {$i > 4} { + break + } + if [regexp -nocase {Fingerprint=(.*)} $line mv str] { + set fingerline $line + set fingerprint [string trim $str] + } + } + + set fingerprint [string tolower $fingerprint] + regsub -all {:} $fingerprint "-" fingerprint + regsub -all {[\\/=]} $fingerprint "_" fingerprint + + global vncdisplay + set from [get_ssh_hp $vncdisplay] + set hp $from + + set from [string tolower $from] + regsub -all {^[+a-z]*://} $from "" from + regsub -all {:} $from "-" from + regsub -all {[\\/=]} $from "_" from + + set crt "$adir/$fingerprint=$from.crt" + catch {file copy -force $import_save_file $crt} + + save_hash $crt $adir $hp $fingerline $from $fingerprint + } + + catch {destroy $par} set p .c if {![winfo exists .c]} { global accepted_cert_dialog_in_progress if {! $accepted_cert_dialog_in_progress} { - getcerts - update + if {$deltmp == ""} { + getcerts + update + } } } if {![winfo exists .c]} { @@ -5062,6 +5237,11 @@ proc do_save {} { } catch {raise .c} catch {destroy .scrt} + if {$deltmp != ""} { + catch {file delete $deltmp} + set import_save_file "" + return; + } tk_messageBox -parent $p -type ok -icon info \ -message "Saved to file: $import_save_file" -title "Save File: $import_save_file" } @@ -5144,7 +5324,7 @@ TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam set import_file "" entry $w.e -width 40 -textvariable import_file - button $w.b -pady 1 -anchor w -text "Browse..." -command import_browse + button $w.b -pady 1 -anchor w -text "Browse..." -command {import_browse .icrt} pack $w.b -side right pack $w.p $w.f -side left pack $w.e -side left -expand 1 -fill x @@ -5162,7 +5342,7 @@ TCQ+tbQ/DOiTXGKx1nlcKoPdkG+QVQVJthlQcpam button .icrt.cancel -text "Cancel" -command {destroy .icrt; catch {raise .c}} bind .icrt <Escape> {destroy .icrt; catch {raise .c}} - button .icrt.save -text "Save" -command {do_save} + button .icrt.save -text "Save" -command {do_save .icrt} set w .icrt.sf frame $w @@ -5197,15 +5377,16 @@ proc save_cert {hp} { global scroll_text_focus set scroll_text_focus 0 global uname - scroll_text .scrt.f 90 17 - set scroll_text_focus 1 global accepted_cert_dialog_in_progress if {$accepted_cert_dialog_in_progress} { set mode "accepted" + scroll_text .scrt.f 90 15 } else { set mode "normal" + scroll_text .scrt.f 90 20 } + set scroll_text_focus 1 set msg1 { This dialog lets you import a SSL Certificate retrieved from a VNC server. @@ -5213,16 +5394,19 @@ proc save_cert {hp} { Be sure to have verified its authenticity via an external means (checking the MD5 hash value sent to you by the administrator, etc) - Set the "Save to File" name to the file where the imported certificate - will be saved. + Set "Save to File" to the filename where the imported cert will be saved. + + If you also want the Certificate to be saved to the pool of certs in the + 'Accepted Certs' directory, select the checkbox. By default all Servers are + verified against the certificates in this pool. Then, click on "Save" to save the imported Certificate. - After you have imported the Certificate it will be automatically selected - as the "ServerCert" for this host: %HOST + After you have imported the Certificate it will be automatically selected as + the "ServerCert" for the next connection to this host: %HOST - To make the ServerCert setting to the imported cert file PERMANENT, - select Options -> Save Profile to save it in a profile. + To make the ServerCert setting to the imported cert file PERMANENT, select + Options -> Save Profile to save it in the profile for this host. } set msg2 { @@ -5238,7 +5422,7 @@ proc save_cert {hp} { It, and the others certs in that directory, will be used to authenticate any VNC Server that has "ACCEPTED_CERTS" as the "CertsDir" value in the - "Certs..." dialog. + "Certs..." dialog. This is the default checking policy. } set msg "" @@ -5258,16 +5442,16 @@ proc save_cert {hp} { set import_file "" entry $w.e -width 40 -textvariable import_file - scroll_text .scrt.paste 90 26 + scroll_text .scrt.paste 90 23 button .scrt.cancel -text "Cancel" -command {destroy .scrt; catch {raise .c}} bind .scrt <Escape> {destroy .scrt; catch {raise .c}} global import_save_file if {$mode == "normal"} { - button .scrt.save -text "Save" -command {do_save; set svcert $import_save_file} + button .scrt.save -text "Save" -command {do_save .scrt; set svcert $import_save_file} } else { - button .scrt.save -text "Save" -command {do_save} + button .scrt.save -text "Save" -command {do_save .scrt} } set w .scrt.sf @@ -5292,7 +5476,16 @@ proc save_cert {hp} { pack $w.l -side left pack $w.e -side left -expand 1 -fill x - pack .scrt.cancel .scrt.save .scrt.sf .scrt.mf -side bottom -fill x + global also_save_to_accepted_certs + set also_save_to_accepted_certs 0 + checkbutton .scrt.ac -anchor w -variable also_save_to_accepted_certs -text \ + "Also Save to the 'Accepted Certs' directory" -relief raised + + if {$mode == "normal"} { + pack .scrt.cancel .scrt.save .scrt.sf .scrt.ac .scrt.mf -side bottom -fill x + } else { + pack .scrt.cancel .scrt.save .scrt.sf .scrt.mf -side bottom -fill x + } pack .scrt.paste -side bottom -fill x pack .scrt.f -side top -fill both -expand 1 @@ -8544,6 +8737,7 @@ proc unixpw_adjust {} { } if {$use_unixpw} { pack configure .fu -after .f1 -fill x + catch {focus .fu.e} } else { pack forget .fu } @@ -8575,7 +8769,7 @@ proc set_options {} { incr i checkbutton .o.b$i -anchor w -variable use_unixpw -text \ - "Unix Username & Password" -command {unixpw_adjust} + "Unix Username & Password" -command {unixpw_adjust; catch {destroy .o}} if {$is_windows} {.o.b$i configure -state disabled} if {$darwin_cotvnc} {.o.b$i configure -state disabled} incr i |