From a774823bdfbef51654c3e7292feab817262a556e Mon Sep 17 00:00:00 2001 From: runge Date: Mon, 12 Jan 2009 01:56:14 +0000 Subject: classes/ssl: Add configurable Ultra java applet Filexfer Drives drop down (e.g. ftpDropDown=Home.Desktop.bin). Document all applet parameters in classes/ssl/README. --- classes/ssl/ss_vncviewer | 576 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 398 insertions(+), 178 deletions(-) (limited to 'classes/ssl/ss_vncviewer') diff --git a/classes/ssl/ss_vncviewer b/classes/ssl/ss_vncviewer index 12fe6b2..2231108 100755 --- a/classes/ssl/ss_vncviewer +++ b/classes/ssl/ss_vncviewer @@ -23,6 +23,7 @@ # # -verify /path/to/cacert.pem # -mycert /path/to/mycert.pem +# -crl /path/to/my_crl.pem (or directory) # -proxy host:port # # -verify specifies a CA cert PEM file (or a self-signed one) for @@ -125,13 +126,31 @@ fi PATH=$PATH:/usr/sbin:/usr/local/sbin:/dist/sbin; export PATH -# work out which stunnel t use (debian installs as stunnel4) +localhost="localhost" +if uname | grep Darwin >/dev/null; then + localhost="127.0.0.1" +fi + +# work out which stunnel to use (debian installs as stunnel4) if [ "X$STUNNEL" = "X" ]; then - type stunnel4 > /dev/null 2>&1 - if [ $? = 0 ]; then - STUNNEL=stunnel4 - else - STUNNEL=stunnel + check_stunnel=1 + if [ "X$SSVNC_BASEDIRNAME" != "X" ]; then + if [ -x "$SSVNC_BASEDIRNAME/stunnel" ]; then + type stunnel > /dev/null 2>&1 + if [ $? = 0 ]; then + # found ours + STUNNEL=stunnel + check_stunnel=0 + fi + fi + fi + if [ "X$check_stunnel" = "X1" ]; then + type stunnel4 > /dev/null 2>&1 + if [ $? = 0 ]; then + STUNNEL=stunnel4 + else + STUNNEL=stunnel + fi fi fi @@ -164,6 +183,11 @@ reverse="" ciphers="" anondh="ALL:RC4+RSA:+SSLv2:@STRENGTH" +anondh_set="" +stunnel_debug="6" +if [ "X$SS_DEBUG" != "X" -o "X$SSVNC_VENCRYPT_DEBUG" != "X" -o "X$SSVNC_STUNNEL_DEBUG" != "X" ]; then + stunnel_debug="7" +fi if [ "X$1" = "X-viewerflavor" ]; then # special case, try to guess which viewer: 
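Review bot: The new SSVNC_BASEDIRNAME branch verifies that `$SSVNC_BASEDIRNAME/stunnel` is executable but then assigns `STUNNEL=stunnel`, so the binary actually executed is whichever `stunnel` PATH lookup finds first (PATH is extended with /usr/sbin, /usr/local/sbin and /dist/sbin just above this hunk), which need not be the bundled one just checked; the `# found ours` comment asserts more than the code guarantees. If the shipped stunnel is to be preferred, use `STUNNEL="$SSVNC_BASEDIRNAME/stunnel"` and drop the `type stunnel` probe; if PATH is expected to already start with $SSVNC_BASEDIRNAME (not visible here), say so in the comment. Either way `$STUNNEL` is later invoked with the generated config and the user's certificates, so it is worth being certain which binary that is.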
@@ -193,16 +217,9 @@ if [ "X$1" = "X-viewerflavor" ]; then fi exit 0 fi - -# maxconn is something we added to stunnel, this disables it: -if [ "X$SS_VNCVIEWER_NO_MAXCONN" != "X" ]; then - STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` -elif echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then - STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` -else - STUNNEL_ONCE=1; export STUNNEL_ONCE - STUNNEL_MAX_CLIENTS=1; export STUNNEL_MAX_CLIENTS - STUNNEL_NO_SYSLOG=1; export STUNNEL_NO_SYSLOG +if [ "X$1" = "X-viewerhelp" ]; then + $VNCVIEWERCMD -h 2>&1 + exit 0 fi # grab our cmdline options: @@ -213,6 +230,8 @@ do ;; "-mycert") shift; mycert="$1" ;; + "-crl") shift; crl="$1" + ;; "-proxy") shift; proxy="$1" ;; "-ssh") use_ssh=1 @@ -225,6 +244,7 @@ do "-sshargs") shift; ssh_args="$1" ;; "-anondh") ciphers="ciphers=$anondh" + anondh_set=1 ;; "-ciphers") shift; ciphers="ciphers=$1" ;; @@ -246,6 +266,8 @@ do ;; "-scale") shift; SSVNC_SCALE="$1"; export SSVNC_SCALE ;; + "-onelisten") SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE + ;; "-escape") shift; VNCVIEWER_ESCAPE="$1"; export VNCVIEWER_ESCAPE ;; "-ssvnc_encodings") shift; VNCVIEWER_ENCODINGS="$1"; export VNCVIEWER_ENCODINGS 
@@ -268,7 +290,28 @@ do shift done -# this is the -t ssh option (gives better keyboard responsd thru SSH tunnel) +# maxconn is something we added to stunnel, this disables it: +if [ "X$SS_VNCVIEWER_NO_MAXCONN" != "X" ]; then + STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` +elif echo "$VNCVIEWERCMD" | egrep -i '^(xmessage|sleep )' > /dev/null; then + STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` +elif [ "X$reverse" != "X" ]; then + STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` +else + # new way (our patches). other than the above, we set these: + if [ "X$SKIP_STUNNEL_ONCE" = "X" ]; then + STUNNEL_ONCE=1; export STUNNEL_ONCE + fi + if [ "X$SKIP_STUNNEL_MAX_CLIENTS" = "X" ]; then + STUNNEL_MAX_CLIENTS=1; export STUNNEL_MAX_CLIENTS + fi +fi +# always set this one: +if [ "X$SKIP_STUNNEL_NO_SYSLOG" = "X" ]; then + STUNNEL_NO_SYSLOG=1; export STUNNEL_NO_SYSLOG +fi + +# this is the -t ssh option (gives better keyboard response thru SSH tunnel) targ="-t" if [ "X$SS_VNCVIEWER_NO_T" != "X" ]; then targ="" @@ -289,18 +332,18 @@ if [ "X$reverse" != "X" ]; then # check proxy usage under reverse connection: if [ "X$use_ssh" = "X" -a "X$use_sshssl" = "X" ]; then echo "" - if echo "$proxy" | egrep "repeater://" > /dev/null; then + if echo "$proxy" | egrep -i "(repeater|vencrypt)://" > /dev/null; then : else echo "*Warning*: SSL -listen and a Web proxy does not make sense." - sleep 3 + sleep 2 fi elif echo "$proxy" | grep "," > /dev/null; then : else echo "" echo "*Warning*: -listen and a single proxy/gateway does not make sense." - sleep 3 + sleep 2 fi SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE fi 
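Review bot: SKIP_STUNNEL_ONCE, SKIP_STUNNEL_MAX_CLIENTS and SKIP_STUNNEL_NO_SYSLOG are new environment switches that lift the one-shot / single-client limit on the local stunnel accept port (STUNNEL_ONCE=1, STUNNEL_MAX_CLIENTS=1) or re-enable syslog, yet none of them appears in the usage comment at the top of the file where SS_VNCVIEWER_NO_MAXCONN and the other knobs are listed. Since those limits are presumably what stop a second local client from attaching to an already-established tunnel, suggest a comment on the block, e.g. `# SKIP_STUNNEL_*: debugging aids -- lifting ONCE/MAX_CLIENTS lets additional local clients use the tunnel`, plus matching entries in the header. The `sed -e 's/maxconn/#maxconn/'` rewrite also touches only the first `maxconn` per line of STUNNEL_EXTRA_OPTS and would comment out any option merely containing that substring; `s/^maxconn/#maxconn/` is tighter if the options are one per line.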
@@ -320,6 +363,14 @@ if uname -sr | egrep 'SunOS 5\.[5-8]' > /dev/null; then dL="-h" fi +rchk() { + # a kludge to set $RANDOM if we are not bash: + if [ "X$BASH_VERSION" = "X" ]; then + RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'` + fi +} +rchk + # a portable, but not absolutely safe, tmp file creator mytmp() { tf=$1 @@ -397,6 +448,7 @@ if echo "$orig" | grep '^vnc://' > /dev/null; then orig=`echo "$orig" | sed -e 's,vnc://,,'` verify="" mycert="" + crl="" use_ssh="" use_sshssl="" direct_connect=1 @@ -417,6 +469,7 @@ fi if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then verify="" mycert="" + crl="" use_ssh="" use_sshssl="" direct_connect=1 @@ -459,7 +512,7 @@ fi host=`echo "$orig" | awk -F: '{print $1}'` disp=`echo "$orig" | awk -F: '{print $2}'` if [ "X$host" = "X" ]; then - host=localhost + host=$localhost fi if [ "X$disp" = "X" ]; then port="" # probably -listen mode. @@ -483,9 +536,9 @@ inuse="" if uname | grep Linux > /dev/null; then inuse=`netstat -ant | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*://'` elif uname | grep SunOS > /dev/null; then - inuse=`netstat -an -f inet -P tcp | grep LISTEN | awk '{print $1}' | sed 's/^.*\.//'` -elif uname | grep -i bsd > /dev/null; then - inuse=`netstat -ant -f inet | grep LISTEN | awk '{print $4}' | sed 's/^.*\.//'` + inuse=`netstat -an -f inet -P tcp | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $1}' | sed 's/^.*\.//'` +elif uname | egrep -i 'bsd|darwin' > /dev/null; then + inuse=`netstat -ant -f inet | egrep 'LISTEN|WAIT|ESTABLISH|CLOSE' | awk '{print $4}' | sed 's/^.*\.//'` # add others... fi 
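Review bot: rchk()'s non-bash fallback builds $RANDOM from the current second, the pid of a throw-away `sh`, and a checksum of `ps -elf` output -- all observable or guessable by another local user -- and that value is what names files under /tmp elsewhere in this patch (`/tmp/ss_vnc_viewer_tcert${RANDOM}.$$`, `/tmp/showcert_out${RANDOM}.$$`, `/tmp/ss_vncviewer${RANDOM}.$$`). mytmp(), whose body continues outside the hunk, describes itself as "portable, but not absolutely safe", so depending on what it does this seed may be all that stands between those names and a symlink race. Suggest using `mktemp` where it exists and keeping this construction only as the fallback, and a comment on rchk() such as `# NOTE: weak, predictable seed -- a uniqueness hint, not a security-grade random; mytmp must still create the file safely`. The `2>&1` on `ps` and `sum` also feeds error text into the seed; harmless, but worth a word.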
@@ -590,7 +643,14 @@ final() { if [ "X$reverse" = "X" ]; then # normal connections try 5930-5999: - use=`findfree 5930` + if [ "X$showcert" = "X" ]; then + use=`findfree 5930` + else + # move away from normal place for (possibly many) -showcert + pstart=`date +%S` + pstart=`expr 6130 + $pstart + $pstart` + use=`findfree $pstart` + fi if [ $use -ge 5900 ]; then N=`expr $use - 5900` else @@ -612,14 +672,6 @@ if echo "$0" | grep vncip > /dev/null; then VNCVIEWERCMD="$VNCIPCMD" fi -rchk() { - # a kludge to set $RANDOM if we are not bash: - if [ "X$BASH_VERSION" = "X" ]; then - RANDOM=`date +%S``sh -c 'echo $$'``ps -elf 2>&1 | sum 2>&1 | awk '{print $1}'` - fi -} -rchk - # trick for the undocumented rsh://host:port method. rsh_setup() { if echo "$ssh_host" | grep '@' > /dev/null; then @@ -670,7 +722,7 @@ if (exists $ENV{PPROXY_SLEEP}) { foreach my $var (qw(PPROXY_PROXY PPROXY_SOCKS PPROXY_DEST PPROXY_LISTEN PPROXY_REVERSE PPROXY_REPEATER PPROXY_REMOVE PPROXY_KILLPID PPROXY_SLEEP)) { - if (0 || $ENV{SS_DEBUG}) { + if (0 || $ENV{SS_DEBUG} || $ENV{SSVNC_VENCRYPT_DEBUG}) { print STDERR "$var: $ENV{$var}\n"; } } @@ -683,7 +735,7 @@ if ($ENV{PPROXY_SOCKS} ne "" && $ENV{PPROXY_PROXY} !~ m,^socks5?://,i) { } } -my $rfbSecTypeTlsVnc = 18; +my $rfbSecTypeAnonTls = 18; my $rfbSecTypeVencrypt = 19; my $rfbVencryptPlain = 256; 
@@ -755,13 +807,24 @@ if ($ENV{PPROXY_REVERSE} ne "") { die "pproxy: $! -- PPROXY_REVERSE\n"; } print STDERR "PPROXY_REVERSE: connected to $rhost $rport\n"; + } elsif ($ENV{PPROXY_LISTEN} ne "") { - my $listen_sock = IO::Socket::INET->new( - Listen => 2, - LocalAddr => "localhost", - LocalPort => $ENV{PPROXY_LISTEN}, - Proto => "tcp" - ); + my $listen_sock = ""; + if ($ENV{PPROXY_LISTEN} =~ /^INADDR_ANY:(.*)/) { + my $p = $1; + $listen_sock = IO::Socket::INET->new( + Listen => 2, + LocalPort => $p, + Proto => "tcp" + ); + } else { + $listen_sock = IO::Socket::INET->new( + Listen => 2, + LocalAddr => "127.0.0.1", + LocalPort => $ENV{PPROXY_LISTEN}, + Proto => "tcp" + ); + } if (! $listen_sock) { die "pproxy: $! -- PPROXY_LISTEN\n"; } @@ -770,6 +833,7 @@ if ($ENV{PPROXY_REVERSE} ne "") { if (! $listen_handle) { die "pproxy: $!\n"; } + close $listen_sock; } my $sock = IO::Socket::INET->new( @@ -786,6 +850,13 @@ if (! $sock) { unlink($0) if $ENV{PPROXY_REMOVE}; +if ($ENV{PPROXY_PROXY} =~ /^vencrypt:/ && $ENV{PPROXY_LISTEN} =~ /^INADDR_ANY:/) { + print STDERR "PPROXY: vencrypt+reverse: swapping listen socket with connect socket.\n"; + my $tmp_swap = $sock; + $sock = $listen_handle; + $listen_handle = $tmp_swap; +} + $cur_proxy = $first; setmode($mode_1st); @@ -810,7 +881,14 @@ if ($second ne "") { $parent = $$; $child = fork; if (! defined $child) { - kill "TERM", $ENV{PPROXY_KILLPID} if $ENV{PPROXY_KILLPID}; + if ($ENV{PPROXY_KILLPID}) { + foreach my $p (split(/,/, $ENV{PPROXY_KILLPID})) { + if ($p =~ /^(\+|-)/) { + $p = $parent + $p; + } + kill "TERM", $p; + } + } exit 1; } @@ -824,7 +902,7 @@ if ($child) { select(undef, undef, undef, 0.25); if (kill 0, $child) { select(undef, undef, undef, 1.5); - #print STDERR "pproxy\[$$]: kill TERM $child\n"; + print STDERR "pproxy\[$$]: kill TERM $child\n"; kill "TERM", $child; } } else { 
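Review bot: The `INADDR_ANY:` form of PPROXY_LISTEN builds the IO::Socket::INET listener without a LocalAddr, i.e. bound on every interface, while the other branch pins 127.0.0.1; whichever host connects first is accepted, the listen socket is then closed, and that single connection is fed into the VeNCrypt handshake with no peer-address check. That is presumably deliberate for the reverse-connection case (the shell side exports `PPROXY_LISTEN="INADDR_ANY:$plisten"` for vencrypt reverse later in this patch), but the code does not say so; suggest `# INADDR_ANY: reverse mode -- the remote VNC server connects to us, so bind all interfaces; first peer wins, no filtering` above the branch. Since the value is parsed with `/^INADDR_ANY:(.*)/`, any non-numeric remainder becomes LocalPort silently; `die "pproxy: bad PPROXY_LISTEN\n" unless $p =~ /^\d+$/;` keeps that failure local and obvious.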
@@ -837,16 +915,20 @@ if ($child) { select(undef, undef, undef, 0.25); if (kill 0, $parent) { select(undef, undef, undef, 1.5); - #print STDERR "pproxy\[$$]: kill TERM $parent\n"; + print STDERR "pproxy\[$$]: kill TERM $parent\n"; kill "TERM", $parent; } } if ($ENV{PPROXY_KILLPID} ne "") { - if ($ENV{PPROXY_KILLPID} =~ /^(\+|-)/) { - $ENV{PPROXY_KILLPID} = $$ + $ENV{PPROXY_KILLPID}; + if ($ENV{PPROXY_KILLPID}) { + foreach my $p (split(/,/, $ENV{PPROXY_KILLPID})) { + if ($p =~ /^(\+|-)/) { + $p = $parent + $p; + } + print STDERR "kill TERM, $p (PPROXY_KILLPID)\n"; + kill "TERM", $p; + } } - print STDERR "kill TERM, $ENV{PPROXY_KILLPID}\n"; - kill "TERM", $ENV{PPROXY_KILLPID}; } exit; @@ -1079,12 +1161,12 @@ sub vdie { exit(1); } -sub tlsvnc_handshake { +sub anontls_handshake { my ($vmode, $db) = @_; - print STDERR "PPROXY: Doing TLSVNC Handshake\n"; + print STDERR "PPROXY: Doing ANONTLS Handshake\n"; - my $psec = pack("C", $rfbSecTypeTlsVnc); + my $psec = pack("C", $rfbSecTypeAnonTls); syswrite($sock, $psec, 1); append_handshake("done\n"); @@ -1097,6 +1179,13 @@ sub vencrypt_handshake { print STDERR "PPROXY: Doing VeNCrypt Handshake\n"; my $psec = pack("C", $rfbSecTypeVencrypt); + + if (exists $ENV{SSVNC_TEST_SEC_TYPE}) { + my $fake = $ENV{SSVNC_TEST_SEC_TYPE}; + print STDERR "PPROXY: sending sec-type: $fake\n"; + $psec = pack("C", $fake); + } + syswrite($sock, $psec, 1); my $vmajor; @@ -1108,10 +1197,14 @@ sub vencrypt_handshake { $vmajor = unpack("C", $vmajor); $vminor = unpack("C", $vminor); - print STDERR "$vmajor.$vminor\n" if $db; + print STDERR "server vencrypt version $vmajor.$vminor\n" if $db; - vdie if $vmajor ne 0; - vdie if $vminor < 2; + if (exists $ENV{SSVNC_TEST_SEC_TYPE}) { + print STDERR "PPROXY: continuing on in test mode.\n"; + } else { + vdie if $vmajor ne 0; + vdie if $vminor < 2; + } $vmajor = pack("C", 0); $vminor = pack("C", 2); 
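Review bot: A PPROXY_KILLPID entry written as +N or -N is resolved as `$parent + $p`, i.e. whatever process happened to receive the pid N slots after pproxy, and then gets `kill "TERM", $p` with no check that it is the intended process; on a host with randomized or wrapped pid allocation, or simply another fork racing ours, that TERM can land on an unrelated process of the same user. The shell side uses `PPROXY_KILLPID=+1` for the reverse vencrypt case later in this patch, so the assumption is that stunnel is the very next process spawned after `$ptmp &`. Suggest recording that next to the loop, `# +N/-N are relative to pproxy's pid and assume sequential pid allocation -- prefer absolute pids where the caller has them`, and including `$parent` in the existing `kill TERM` diagnostic so a mis-aimed kill is at least visible in the log.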
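Review bot: SSVNC_TEST_SEC_TYPE makes vencrypt_handshake() send an arbitrary byte as the security type and skip the `vmajor ne 0` / `vminor < 2` checks purely because an environment variable exists, with nothing in the code or usage text marking it as a developer-only knob; a viewer started from a wrapper that happens to export it would negotiate with a server version the code otherwise refuses. Suggest `# TEST ONLY: forces a bogus sec-type and bypasses the VeNCrypt version sanity check -- never set this in normal use` at the `if (exists $ENV{SSVNC_TEST_SEC_TYPE})` line and an entry next to SS_DEBUG in the header comment. `pack("C", $fake)` also silently truncates anything outside 0..255, so `vdie unless $fake =~ /^\d+$/ && $fake < 256;` keeps the test mode itself predictable. vencrypt_handshake() continues outside the hunk.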
@@ -1122,6 +1215,7 @@ sub vencrypt_handshake { my $result; sysread($sock, $result, 1); + print STDERR "result empty\n" if $db && $result eq ""; vdie if $result eq ""; $result = unpack("C", $result); @@ -1170,12 +1264,23 @@ sub vencrypt_handshake { $subtype = $rfbVencryptTlsPlain; print STDERR "selected rfbVencryptTlsPlain\n" if $db; } + + if (exists $ENV{SSVNC_TEST_SEC_SUBTYPE}) { + my $fake = $ENV{SSVNC_TEST_SEC_SUBTYPE}; + print STDERR "PPROXY: sending sec-subtype: $fake\n"; + $subtype = $fake; + } + append_handshake("subtype=$subtype\n"); my $pst = pack("N", $subtype); syswrite($sock, $pst, 4); - vdie if $subtype == 0; + if (exists $ENV{SSVNC_TEST_SEC_SUBTYPE}) { + print STDERR "PPROXY: continuing on in test mode.\n"; + } else { + vdie if $subtype == 0; + } my $ok; sysread($sock, $ok, 1); @@ -1192,11 +1297,12 @@ sub vencrypt_dialog { my $db = 0; $db = 1 if exists $ENV{SS_DEBUG}; + $db = 1 if exists $ENV{SSVNC_VENCRYPT_DEBUG}; append_handshake("mode=$vmode\n"); my $server_rfb = ""; - syswrite($sock, $rep, 250); + #syswrite($sock, $rep, 250); for (my $i = 0; $i < 12; $i++) { my $c; sysread($sock, $c, 1); @@ -1246,10 +1352,10 @@ sub vencrypt_dialog { print STDERR "found rfbSecTypeVencrypt\n" if $db; append_handshake("sectype=$rfbSecTypeVencrypt\n"); vencrypt_handshake($vmode, $db); - } elsif (exists $sectypes{$rfbSecTypeTlsVnc}) { - print STDERR "found rfbSecTypeTlsVnc\n" if $db; - append_handshake("sectype=$rfbSecTypeTlsVnc\n"); - tlsvnc_handshake($vmode, $db); + } elsif (exists $sectypes{$rfbSecTypeAnonTls}) { + print STDERR "found rfbSecTypeAnonTls\n" if $db; + append_handshake("sectype=$rfbSecTypeAnonTls\n"); + anontls_handshake($vmode, $db); } else { print STDERR "No supported sec-type found\n" if $db; vdie; 
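Review bot: With SSVNC_TEST_SEC_SUBTYPE set, the subtype chosen by the negotiation is overwritten with the variable's value and the `vdie if $subtype == 0` guard is bypassed, so the proxy sends whatever number the variable holds -- including rfbVencryptPlain (256, declared earlier in this file), which presumably selects the unencrypted VeNCrypt path -- and then carries on with `sysread($sock, $ok, 1)` as if a normal selection had occurred (the rest of the handshake is outside the hunk). If the knob exists to probe server behaviour, at least flag non-TLS values loudly, `print STDERR "PPROXY: WARNING: test subtype $subtype may negotiate a non-TLS session\n" if $subtype == $rfbVencryptPlain;`, and document it as test-only beside SSVNC_TEST_SEC_TYPE. A non-numeric value would also be packed by `pack("N", $subtype)` as 0 without complaint.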
@@ -1296,9 +1402,12 @@ sub xfer { close($out); } ' + # ' # xpg_echo will expand \n \r, etc. # try to unset and then test for it. - shopt -u xpg_echo >/dev/null 2>&1 + if type shopt > /dev/null 2>&1; then + shopt -u xpg_echo >/dev/null 2>&1 + fi v='print STDOUT "abc\n";' echo "$v" > $tf chmod 700 $tf @@ -1314,6 +1423,67 @@ sub xfer { perl -e 'use IO::Socket::INET; select(undef, undef, undef, 0.01)' >/dev/null 2>&1 } +# make_tcert is no longer invoked via the ssvnc gui (Listen mode). +# make_tcert is for testing only now via -mycert BUILTIN +make_tcert() { + tcert="/tmp/ss_vnc_viewer_tcert${RANDOM}.$$" + tcert=`mytmp "$tcert"` + cat > $tcert < /dev/null; then + if echo "$ssh_cmd" | egrep "(PORT=|P=) " > /dev/null; then getport=1 - if echo "$ssh_cmd" | egrep "^P=" > /dev/null; then + if echo "$ssh_cmd" | egrep "P= " > /dev/null; then teeport=1 fi PORT="" - ssh_cmd=`echo "$ssh_cmd" | sed -e 's/^PORT=[ ]*//' -e 's/^P=//'` + ssh_cmd=`echo "$ssh_cmd" | sed -e 's/PORT=[ ]*//' -e 's/P=//'` SSVNC_NO_ENC_WARN=1 if [ "X$use_sshssl" = "X" ]; then direct_connect=1 @@ -1561,7 +1731,7 @@ if [ "X$use_ssh" = "X1" ]; then tport=`mytmp "$tport"` if [ "X$rsh" != "X1" ]; then - if echo "$ssh_cmd" | grep -w sudo > /dev/null; then + if echo "$ssh_cmd" | grep "sudo " > /dev/null; then echo "" echo "Initial ssh with 'sudo id' to prime sudo so hopefully the next one" echo "will require no password..." @@ -1634,9 +1804,9 @@ if [ "X$use_ssh" = "X1" ]; then PPROXY_SOCKS=5 fi export PPROXY_SOCKS - host="localhost" + host="$localhost" port="$PORT" - proxy="localhost:$use" + proxy="$localhost:$use" else if [ "X$rsh" != "X1" ]; then 
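Review bot: The PORT=/P= prefix detection lost its anchor in this change: `egrep "(PORT=|P=) "` together with `sed -e 's/PORT=[ ]*//' -e 's/P=//'` now matches `P= ` anywhere inside the ssh command, so an ssh_cmd containing, say, `TMP= ` or `ZIP= ` flips getport/teeport, sets `SSVNC_NO_ENC_WARN=1` and `direct_connect=1` (silencing the no-encryption warning for a connection the user never asked to be direct), and has `P=` cut out of the middle of that word, leaving `TM`. The old `^PORT=` avoided this; since the new code evidently wants to allow something before PORT=, anchor at a word start instead: `egrep '(^| )(PORT=|P=) '` and `sed -e 's/^P\(ORT\)*=[ ]*//' -e 's/ P\(ORT\)*=[ ]*/ /'`. The make_tcert heredoc and this hunk's header are garbled in the rendering, so the surrounding lines could not be checked.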
@@ -1665,13 +1835,19 @@ if [ "X$use_ssh" = "X1" ]; then c=0 pssh="" - mssh=`echo "$ssh" | sed -e 's/^env.*ssh/ssh/'` - while [ $c -lt 30 ] + while [ $c -lt 40 ] do p=`expr $pmark + $c` - if ps -p "$p" 2>&1 | grep "$mssh" > /dev/null; then - pssh=$p - break + pout=`ps -p "$p" 2>/dev/null | grep -v '^[ ]*PID' | sed -e 's/-L.*$//' -e 's/-x .*$//'` + if echo "$pout" | grep "ssh" > /dev/null; then + if echo "$pout" | egrep -i 'ssh.*(-add|-agent|-ask|-keygen|-argv0|vnc)' >/dev/null; then + : + elif echo "$pout" | egrep -i 'scp|sshd' >/dev/null; then + : + else + pssh=$p + break + fi fi c=`expr $c + 1` done @@ -1697,20 +1873,20 @@ if [ "X$use_ssh" = "X1" ]; then echo "sleep $SSVNC_EXTRA_SLEEP" sleep $SSVNC_EXTRA_SLEEP fi - #echo "pssh=\"$pssh\"" + echo "ssh_pid='$pssh'"; echo if [ "X$use_sshssl" = "X" -a "X$getport" = "X" ]; then echo "Running viewer:" trap "final" 0 2 15 if [ "X$reverse" = "X" ]; then - echo "$VNCVIEWERCMD" "$@" localhost:$N + echo "$VNCVIEWERCMD" "$@" $localhost:$N echo "" - $VNCVIEWERCMD "$@" localhost:$N + $VNCVIEWERCMD "$@" $localhost:$N if [ $? != 0 ]; then echo "vncviewer command failed: $?" if [ "X$secondtry" = "X1" ]; then sleep 2 - $VNCVIEWERCMD "$@" localhost:$N + $VNCVIEWERCMD "$@" $localhost:$N fi fi else @@ -1734,7 +1910,7 @@ if [ "X$use_ssh" = "X1" ]; then use2=`findfree 5960` host0=$host port0=$port - host=localhost + host=$localhost port=$use use=$use2 N=`expr $use - 5900` @@ -1760,6 +1936,13 @@ fi if [ "X$mycert" != "X" ]; then cert="cert = $mycert" fi +if [ "X$crl" != "X" ]; then + if [ -d $crl ]; then + crl="CRLpath = $crl" + else + crl="CRLfile = $crl" + fi +fi ptmp="" if [ "X$proxy" != "X" ]; then 
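Review bot: The ssh-pid search accepts any pid in pmark..pmark+40 whose `ps -p` line (after stripping `-L…`/`-x …`) contains the substring `ssh` and is not one of the excluded names; `ps -p` also lists other users' processes, so an unrelated ssh session someone else started in that pid window -- or the user's own `sshfs`/`autossh`, which the exclusion list does not cover -- can be picked as `pssh`. The value is echoed as `ssh_pid` here and, if final() signals it later (not visible in this hunk), a wrong pick would TERM somebody else's process. Suggest additionally requiring the candidate to be our child where ps supports it, `pp=$(ps -o ppid= -p "$p" 2>/dev/null | tr -d ' ')` followed by `if [ "X$pp" = "X$$" ]; then pssh=$p; break; fi` (assuming ssh is started directly by this script), and matching the first word of `$ssh` rather than the bare `ssh` substring.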
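Review bot: `if [ -d $crl ]` leaves $crl unquoted, so a CRL path containing whitespace breaks the test, and the same value is then written verbatim into the stunnel config as `CRLpath = ...`/`CRLfile = ...`; write `if [ -d "$crl" ]; then`. It would also help to state next to the new option that a CRL is only consulted while stunnel is actually verifying the peer certificate, i.e. `-crl` without `-verify` presumably does nothing (confirm against the stunnel version shipped), since a user passing `-crl` alone may believe revoked server certificates are being rejected.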
@@ -1769,19 +1952,24 @@ if [ "X$proxy" != "X" ]; then pcode "$ptmp" if [ "X$showcert" != "X1" -a "X$direct_connect" = "X" ]; then if uname | egrep 'Darwin|SunOS' >/dev/null; then - # on mac we need to listen on socket instead of stdio: - nd=`findfree 6700` - PPROXY_LISTEN=$nd - export PPROXY_LISTEN - if [ "X$reverse" = "X" ]; then - #$ptmp 2>/dev/null & - $ptmp & + vout=`echo "$proxy" | grep -i vencrypt` + if [ "X$vout" != "X" -a "X$reverse" = "X1" ]; then + # need to exec for reverse vencrypt + connect="exec = $ptmp" + else + # on mac and solaris we need to listen on socket instead of stdio: + nd=`findfree 6700` + PPROXY_LISTEN=$nd + export PPROXY_LISTEN + if [ "X$reverse" = "X" ]; then + #$ptmp 2>/dev/null & + $ptmp & + fi + sleep 2 + host="$localhost" + port="$nd" + connect="connect = $localhost:$nd" fi - #sleep 3 - sleep 2 - host="localhost" - port="$nd" - connect="connect = localhost:$nd" else # otherwise on unix we can exec it: connect="exec = $ptmp" @@ -1803,7 +1991,7 @@ if [ "X$showcert" = "X1" ]; then $ptmp 2>/dev/null & fi sleep 1 - host="localhost" + host="$localhost" port="$use" fi cipher_args="" 
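Review bot: On Darwin/SunOS the non-vencrypt branch starts `$ptmp &` and then relies on a fixed `sleep 2` for pproxy to have bound port `$nd` before stunnel's `connect = $localhost:$nd` is used; on a loaded machine the connect can race the bind and the failure shows up as an opaque stunnel connection error. The script already has an `inuse` port scan via netstat, so polling for `$nd` to appear (bounded to a few tries) would replace the timing assumption; at minimum `# race: assumes pproxy has bound $nd within 2s` marks it. The vencrypt detection `grep -i vencrypt` on `$proxy` is also a substring match anywhere in the string rather than the `^vencrypt:` scheme test used elsewhere in this patch.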
@@ -1811,8 +1999,63 @@ if [ "X$showcert" = "X1" ]; then cipher_args=`echo "$ciphers" | sed -e 's/ciphers=/-cipher /'` fi #echo "openssl s_client $cipher_args -connect $host:$port" - openssl s_client $cipher_args -prexit -connect $host:$port 2>&1 < /dev/null - rc=$? + if [ "X$reverse" = "X" ]; then + openssl s_client $cipher_args -prexit -connect $host:$port 2>&1 < /dev/null + rc=$? + else + tcert="" + if [ "X$mycert" = "X" ]; then + tcert=`make_tcert` + cert_args="-cert $tcert -CAfile $tcert" + else + cert_args="-cert $mycert -CAfile $mycert" + fi + tmp_out=/tmp/showcert_out${RANDOM}.$$ + tmp_out=`mytmp "$tmp_out"` + tmp_err=/tmp/showcert_err${RANDOM}.$$ + tmp_err=`mytmp "$tmp_err"` + + #echo "openssl s_server $cipher_args $cert_args -accept $port -verify 2 > $tmp_out 2> $tmp_err" 1>&2 + + perl -e " + \$p = open(O, \"|openssl s_server $cipher_args $cert_args -accept $port -verify 2 1>$tmp_out 2> $tmp_err\"); + exit 1 unless \$p; + while (1) { + sleep 1; + if (!open(F, \"<$tmp_out\")) { + kill \$p; + exit 1; + } + while () { + if (/RFB 00/) { + fsleep(0.25); + print O \"RFB 000.000\\n\"; + fsleep(1.00); + kill \$p; + fsleep(0.25); + exit 0; + } + } + close F; + } + sub fsleep { + select(undef, undef, undef, shift); + } + "; + + echo "" + cat $tmp_out + echo "" + echo "----2----" + cat $tmp_err + if grep BEGIN.CERTIFICATE $tmp_out >/dev/null; then + rc=0 + else + rc=1 + fi + + rm -f $tmp_out $tmp_err + fi if [ "X$SSVNC_PREDIGESTED_HANDSHAKE" != "X" ]; then rm -f $SSVNC_PREDIGESTED_HANDSHAKE fi @@ -1860,7 +2103,7 @@ if [ "X$direct_connect" != "X" ]; then PPROXY_LISTEN=$use export PPROXY_LISTEN else - PPROXY_REVERSE="localhost:$use" + PPROXY_REVERSE="$localhost:$use" export PPROXY_REVERSE pps=3 if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then @@ -1877,7 +2120,7 @@ if [ "X$direct_connect" != "X" ]; then #echo T sleep 1 sleep 1 fi - host="localhost" + host="$localhost" disp="$N" port=`expr $disp + 5900` fi 
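Review bot: In the reverse -showcert branch the embedded Perl calls `kill \$p;` (three times) with the pid as its only argument; Perl's kill takes the signal first and the pid list after it, so `kill $p` does not signal the child at all, and the `openssl s_server` started with `open(O, "|openssl ...")` is left to exit on its own -- or keep `$port` bound -- after the script has moved on. Each should read `kill 'TERM', \$p;`, bearing in mind that because the command line contains redirections the pid returned by open() may be an intermediate `sh` rather than openssl itself. Separately, `$cert_args`, `$cipher_args`, `$tmp_out` and `$tmp_err` are interpolated unquoted into that shell pipeline through a double-quoted `perl -e` string, so a `-mycert` path with spaces or metacharacters breaks the command (only the invoking user controls it, so low severity, but `-cert '$mycert'` is cheap). The temporary files come from mytmp(), whose guarantees are not visible here.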
@@ -1894,7 +2137,7 @@ if [ "X$direct_connect" != "X" ]; then pf=`findfree 5970` cmd="$SSVNC_ULTRA_DSM -$pf $host:$port" pf=`expr $pf - 5900` - hostdisp="localhost:$pf" + hostdisp="$localhost:$pf" ustr=`echo "$cmd" | sed -e 's/pw=[^ ]*/pw=******/g'` echo "Running:" echo @@ -1930,7 +2173,7 @@ if [ "X$direct_connect" != "X" ]; then VNCVIEWER_LISTEN_LOCALHOST=1 export VNCVIEWER_LISTEN_LOCALHOST dport=`expr 5500 + $disp` - cmd="$SSVNC_ULTRA_DSM $dport localhost:$use" + cmd="$SSVNC_ULTRA_DSM $dport $localhost:$use" ustr=`echo "$cmd" | sed -e 's/pw=[^ ]*/pw=******/g'` echo "Running:" echo @@ -1961,69 +2204,10 @@ fi tmp_cfg=/tmp/ss_vncviewer${RANDOM}.$$ tmp_cfg=`mytmp "$tmp_cfg"` -# make_tcert is no longer invoked via the ssvnc gui (Listen mode). -# make_tcert is for testing only now via -mycert BUILTIN -make_tcert() { - tcert="/tmp/ss_vnc_viewer_tcert${RANDOM}.$$" - tcert=`mytmp "$tcert"` - cat > $tcert < /dev/null; then +if [ "X$SSVNC_USE_OURS" != "X1" ]; then + : +elif echo $STUNNEL_EXTRA_SVC_OPTS | grep '#stunnel-exec' > /dev/null; then stunnel_exec="#" fi @@ -2042,25 +2226,29 @@ if [ "X$reverse" = "X" ]; then foreground = yes pid = client = yes -debug = 6 +debug = $stunnel_debug $ciphers $STUNNEL_EXTRA_OPTS $STUNNEL_EXTRA_OPTS_USER -$verify $cert +$crl +$verify ${stunnel_exec}[vnc_stunnel] -${stunnel_exec}accept = localhost:$use +${stunnel_exec}accept = $localhost:$use $connect $STUNNEL_EXTRA_SVC_OPTS $STUNNEL_EXTRA_SVC_OPTS_USER END + else + # REVERSE case: + stunnel_exec="" # doesn't work for listening. p2=`expr 5500 + $N` - connect="connect = localhost:$p2" + connect="connect = $localhost:$p2" if [ "X$cert" = "XBUILTIN" ]; then ttcert=`make_tcert` cert="cert = $ttcert" 
@@ -2068,22 +2256,33 @@ else # Note for listen mode, an empty cert will cause stunnel to fail. # The ssvnc gui will have already taken care of this. - STUNNEL_EXTRA_OPTS=`echo "$STUNNEL_EXTRA_OPTS" | sed -e 's/maxconn/#maxconn/'` hloc="" if [ "X$use_ssh" = "X1" ]; then - hloc="localhost:" + hloc="$localhost:" + fi + if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then + hloc="$localhost:" + pv=`findfree 5570` + proxy="vencrypt:$pv:$port" + port=$pv + if [ "X$anondh_set" = "X1" ]; then + # not needed for ANONDH in this mode + #ciphers="ciphers = ADH:@STRENGTH" + : + fi fi cat > "$tmp_cfg" < /dev/null 2>/dev/null; then + dsl=1 + fi + if [ "X$dsl" = "X1" ]; then + echo "" + echo "(** pausing $nsl secs for possible certificate passphrase dialog **)" + echo "" + sleep $nsl + echo "(** done pausing for passphrase **)" + echo "" + fi fi #echo T sleep 1 sleep 1 @@ -2133,7 +2343,7 @@ if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then fi echo "Running viewer:" if [ "X$reverse" = "X" ]; then - vnc_hp=localhost:$N + vnc_hp=$localhost:$N if [ "X$stunnel_exec" != "X" ]; then vnc_hp="exec=$STUNNEL $tmp_cfg" fi @@ -2163,8 +2373,18 @@ else trap "final" 0 2 15 echo "" if [ "X$proxy" != "X" ]; then - PPROXY_REVERSE="localhost:$port"; export PPROXY_REVERSE - PPROXY_SLEEP=1; export PPROXY_SLEEP; + if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then + pstunnel=`echo "$proxy" | awk -F: '{print $2}'` + plisten=`echo "$proxy" | awk -F: '{print $3}'` + PPROXY_LISTEN="INADDR_ANY:$plisten"; export PPROXY_LISTEN + PPROXY_PROXY="vencrypt://$localhost:$pstunnel"; export PPROXY_PROXY + PPROXY_DEST="$localhost:$pstunnel"; export PPROXY_DEST + STUNNEL_ONCE=1; export STUNNEL_ONCE + STUNNEL_MAX_CLIENTS=1; export STUNNEL_MAX_CLIENTS + else + PPROXY_REVERSE="$localhost:$port"; export PPROXY_REVERSE + PPROXY_SLEEP=1; export PPROXY_SLEEP; + fi PPROXY_KILLPID=+1; export PPROXY_KILLPID; $ptmp & fi -- cgit v1.2.1
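Review bot: The vencrypt reverse branch exports `PPROXY_LISTEN="INADDR_ANY:$plisten"`, which the pproxy code earlier in this patch binds on every interface with no peer filtering and accepts one connection, whereas forward connections use `accept = $localhost:$use`; nothing here or in the usage text tells the user that `$plisten` (derived from the display number) is reachable from the network. Suggest a comment above the export, `# reverse VeNCrypt: pproxy binds INADDR_ANY so the remote server can reach it; first peer wins, rely on a host firewall if that is too wide`, and echoing the bound port alongside the existing "Running viewer" output. `PPROXY_KILLPID=+1` relies on stunnel receiving the pid right after pproxy's, a sequential-pid assumption worth a comment here as well. The enclosing block continues outside the hunk.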