TigerVNC and x509 to deal with Diffie-Hellman issue


zwar...@gmail.com

Sep 2, 2016, 10:46:32 AM
to bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
Dear all,

I am trying to reconfigure the security types for my TigerVNC server now that Android 6.0 has dropped the Diffie-Hellman support.

The given suggestion for x11vnc is not supported by TigerVNC (-ssl -vencrypt nodh:only), and I cannot run the VNC server without any security options.

Hence I followed this manual to generate x509 certificates:
https://groups.google.com/forum/#!topic/bvnc-ardp-aspice-opaque-android-bb10-clients/lINJkYJbN-U

So now I start my VNC server with:
vncserver -SecurityTypes=VeNCrypt,TLSPlain -PlainUsers=ME -x509key vnc_server.pem -x509cert vnc_server.crt

However, I fail to configure bVNC correctly, i.e. I cannot provide x509 keys.

Any idea?

Thanks in advance!

i iordanov

Sep 10, 2016, 4:52:35 AM
to bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients, zwar...@gmail.com
Hi,

What happens if you remove TLSPlain from the list of security types in the command that you use to run the server?

iordan


Sebastiaan Breedveld

Sep 11, 2016, 3:18:23 PM
to i iordanov, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients, zwar...@gmail.com
It fails with: No valid VeNCrypt sub-type

Sebastiaan Breedveld

Sep 11, 2016, 5:19:25 PM
to i iordanov, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients, zwar...@gmail.com
Ok, my VNC knowledge got a bit rusty.

This works:
vncserver -SecurityTypes=VeNCrypt,Plain -PlainUsers=ME

VeNCrypt always needs specification of a subtype for user authentication. I use Plain to be authenticated through PAM. TLSPlain uses DH and hence doesn't do the job anymore.

My guess is to use X509Plain now to maintain decent security. Unfortunately, I cannot find any guide that describes in detail how to set up x509 authentication for VNC.

I have created new certs on the server with:
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout x509_ca.pem -out x509_crl.pem

And invoked vncserver as:
vncserver -SecurityTypes=VeNCrypt,X509Plain -PlainUsers=ME -x509key=x509_ca.pem -x509cert=x509_crl.pem


Unfortunately, the connection fails with:
VeNCrypt setup on the server failed. Please check your certificate if applicable.

Apart from that, I am also unable to establish a connection using another client (on Linux, not Android).



On Sat, 2016-09-10 at 01:52 -0700, i iordanov wrote:
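The "No valid VeNCrypt sub-type" error and the TLSPlain-vs-X509Plain question above come down to one phase of the VeNCrypt handshake: after both sides agree on VeNCrypt, the server sends the list of sub-types it is willing to use and the client picks one. The following script is an added illustration written for this thread; it is not code from the thread, from TigerVNC or from bVNC. The sub-type numbers are the ones defined by the VeNCrypt extension of the RFB protocol (the same names TigerVNC accepts in -SecurityTypes). The client policy in choose_subtype (prefer certificate-authenticated TLS, fall back to anonymous TLS only when the platform still offers anon-DH cipher suites, never use cleartext Plain unless explicitly allowed) and the function names are assumptions made for the example, not bVNC's actual selection logic.

```python
import struct

# VeNCrypt sub-type numbers from the RFB protocol's VeNCrypt extension;
# they are the values behind the names TigerVNC's -SecurityTypes accepts.
VENCRYPT_SUBTYPES = {
    256: "Plain",      # username/password in the clear, no TLS at all
    257: "TLSNone",    # anonymous TLS (anon-DH), no user authentication
    258: "TLSVnc",     # anonymous TLS + VNC challenge/response
    259: "TLSPlain",   # anonymous TLS + username/password
    260: "X509None",   # TLS with a server certificate, no user authentication
    261: "X509Vnc",    # TLS with a server certificate + VNC challenge/response
    262: "X509Plain",  # TLS with a server certificate + username/password
}
SUBTYPE_BY_NAME = {name: num for num, name in VENCRYPT_SUBTYPES.items()}
CERTIFICATE_TLS = (262, 261, 260)  # server proves its identity with X.509
ANONYMOUS_TLS = (259, 258, 257)    # depend on anon-DH cipher suites
CLEARTEXT = (256,)

# Exact error text TigerVNC-derived clients print when nothing matches.
NO_VALID_SUBTYPE = "No valid VeNCrypt sub-type"


def encode_subtype_list(subtypes):
    """Server -> client: U8 count, then one big-endian U32 per sub-type."""
    return struct.pack("!B", len(subtypes)) + b"".join(
        struct.pack("!I", s) for s in subtypes)


def decode_subtype_list(data):
    """Client side: parse the server's advertised list, rejecting short reads."""
    if len(data) < 1 or len(data) < 1 + 4 * data[0]:
        raise ValueError("truncated VeNCrypt sub-type list")
    return list(struct.unpack("!%dI" % data[0], data[1:1 + 4 * data[0]]))


def choose_subtype(offered, anon_dh_available, allow_cleartext=False):
    """Assumed client policy: certificate-authenticated TLS first; anonymous
    TLS only where the TLS stack still offers anon-DH (Android 6 removed it);
    cleartext Plain only when the caller explicitly allows it."""
    preference = list(CERTIFICATE_TLS)
    if anon_dh_available:
        preference += ANONYMOUS_TLS
    if allow_cleartext:
        preference += CLEARTEXT
    for candidate in preference:
        if candidate in offered:
            return candidate
    return None


def negotiate(server_security_types, anon_dh_available, allow_cleartext=False):
    """Simulate the sub-type phase for a server started with
    -SecurityTypes=VeNCrypt,<names...>.  Returns (chosen_name, error_text);
    exactly one of the two is None."""
    offered = [SUBTYPE_BY_NAME[n] for n in server_security_types]
    wire = encode_subtype_list(offered)      # bytes the server puts on the wire
    parsed = decode_subtype_list(wire)       # what the client reads back
    chosen = choose_subtype(parsed, anon_dh_available, allow_cleartext)
    if chosen is None:
        # Nothing usable: with -SecurityTypes=VeNCrypt alone the list is
        # empty, and TLSPlain alone is unusable once anon-DH is gone.
        return None, NO_VALID_SUBTYPE
    reply = struct.pack("!I", chosen)        # client's U32 answer
    if struct.unpack("!I", reply)[0] not in offered:
        return None, "client picked a sub-type the server never offered"
    return VENCRYPT_SUBTYPES[chosen], None


if __name__ == "__main__":
    # Constructed scenarios mirroring the server command lines in the thread.
    scenarios = [
        ("VeNCrypt alone (server offers nothing)", [], True),
        ("VeNCrypt,TLSPlain, client without anon-DH", ["TLSPlain"], False),
        ("VeNCrypt,TLSPlain, client with anon-DH", ["TLSPlain"], True),
        ("VeNCrypt,X509Plain", ["X509Plain"], False),
    ]
    for label, types, anon_dh in scenarios:
        print("%-45s -> %s" % (label, negotiate(types, anon_dh)))
```

The third scenario is why TLSPlain looked fine from an older client and broke on Android 6: the server side is unchanged, the client's TLS stack simply no longer completes an anonymous handshake. Only the X509* sub-types give the client a certificate to verify, so only they protect the password against a man-in-the-middle rather than just against passive sniffing.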

iior...@gmail.com

Sep 12, 2016, 12:58:03 PM
to Sebastiaan Breedveld, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients, zwar...@gmail.com
Hey,

When you start with Plain instead of x509Plain, were you presented with a dialog to accept a certificate the first time you connected? 

Thanks!
iordan

--
The conscious mind has only one thread of execution.
From: Sebastiaan Breedveld
Sent: Monday, September 12, 2016 00:19
To: i iordanov; bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
Subject: Re: TigerVNC and x509 to deal with Diffie-Hellman issue

Sebastiaan Breedveld

Sep 14, 2016, 6:13:24 AM
to i iordanov, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
I have nothing more to add than to say that this works flawlessly :D

The problem was indeed TigerVNC-1.3, for which x509 doesn't seem to work at all. I am now running version 1.7, which works without problems too.


To understand correctly:
- Host identification works by certificate now
- Stream is encrypted by VeNCrypt

How is my password sent? Encrypted by VeNCrypt or by the x509 key?

Sincerely,
Sebastiaan

On Tue, 2016-09-13 at 09:24 -0400, i iordanov wrote:
Hi Sebastiaan,

I decided to retrace your steps, but on Ubuntu 14.04. I grabbed a binary distribution of tigervnc, unpacked it, ran it with the options we have been discussing and it worked just fine with PAM authentication.

wget https://bintray.com/tigervnc/beta/download_file?file_path=tigervnc-1.6.90.x86_64.tar.gz

tar xf tigervnc-1.6.90.x86_64.tar.gz

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout x509_ca.pem -out x509_crl.pem #accepted all defaults

./tigervnc-1.6.90.x86_64/usr/bin/vncserver -SecurityTypes=VeNCrypt,X509Plain -PlainUsers=MYUSERNAMEHERE -x509key=x509_ca.pem -x509cert=x509_crl.pem

You may need a newer version of TigerVNC? I am not sure.

Cheers!
iordan

On Tue, Sep 13, 2016 at 8:57 AM, Sebastiaan Breedveld <sebas...@zwartoog.nl> wrote:
Yes, I assumed that.

The Desktop TigerVNC (version 1.3) client fails in this case with: "No valid VeNCrypt sub-type"



On Tue, 2016-09-13 at 02:21 +0300, iior...@gmail.com wrote:
Just to confirm, I was talking about doing:


vncserver -SecurityTypes=VeNCrypt,Plain -PlainUsers=ME -x509key=x509_ca.pem -x509cert=x509_crl.pem
so also specifying the key and cert files.

iordan

--
The conscious mind has only one thread of execution.
From: Sebastiaan Breedveld
Sent: Monday, September 12, 2016 22:04
Subject: Re: TigerVNC and x509 to deal with Diffie-Hellman issue

Hi,

No, it just connects, without asking for any certificate.

iior...@gmail.com

Sep 14, 2016, 6:56:11 AM
to Sebastiaan Breedveld, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
Your password is sent over an SSL encrypted channel. The X509 certificate is used to prove the identity of the server.

Thanks for confirming that this works for you too! :)

Cheers,
iordan

--
The conscious mind has only one thread of execution.
From: Sebastiaan Breedveld
Sent: Wednesday, September 14, 2016 13:13
To: i iordanov
Cc: bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients