TigerVNC and x509 to deal with Diffie-Hellman issue

[zwar...@gmail.com]

Dear all,

I am trying to reconnfigure the security types for my TigerVNC server now that Anroid 6.0 has dropped the Diffie-Hellman support.

The given suggestion for x11vnc is not supported by TigerVNC (-ssl -vencrypt nodh:only), and I cannot run the VNC server without any security options.

Hence I followed this manual to generate x509 certificates:
https://groups.google.com/forum/#!topic/bvnc-ardp-aspice-opaque-android-bb10-clients/lINJkYJbN-U

So now I start my VNC server with:
vncserver -SecurityTypes=VeNCrypt,TLSPlain -PlainUsers=ME -x509key vnc_server.pem -x509cert vnc_server.crt

However, I fail to configure bVNC correctly, i.e. I cannot provide x509 keys.

Any idea?

Thanks in advance!

[i iordanov]

Hi,

What happens if you remove TLSPlain from the list of security types in the command that you use to run the server?

iordan

[Sebastiaan Breedveld]

It fails with: No valid VeNCrypt sub-type

[Sebastiaan Breedveld]

Ok, my VNC knowledge got a bit rusty.

This works:

vncserver -SecurityTypes=VeNCrypt,Plain -PlainUsers=ME

VeNCrypt always needs specification of a subtype for user authentication. I use Plain to be authenticated through PAM. TLSPlain uses DH and hence doesn't do the job anymore.

My guess is to use X509Plain now to maintain a decent security. Unfortunately, I cannot find any guide that in detail describes how to setup x509 authentication for VNC.

I have created new certs on the server with:

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout x509_ca.pem -out x509_crl.pem

And invoked vncserver as:

vncserver -SecurityTypes=VeNCrypt,X509Plain -PlainUsers=ME -x509key=x509_ca.pem -x509cert=x509_crl.pem

Unfortunately, the connection fails with:

VeNCrypt setup on the server failed. Please check your certificate if applicable.

Apart from that, I am also unable to establish a connection using another client (on Linux, not Android).

On Sat, 2016-09-10 at 01:52 -0700, i iordanov wrote:

[iior...@gmail.com]

Hey,

When you start with Plain instead of x509Plain, were you presented with a dialog to accept a certificate the first time you connected? 

Thanks!

iordan

--
The conscious mind has only one thread of execution.

From: Sebastiaan Breedveld Sent: Monday, September 12, 2016 00:19 To: i iordanov; bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients Cc: zwar...@gmail.com Subject: Re: TigerVNC and x509 to deal with Diffie-Hellman issue

[Sebastiaan Breedveld]

I have nothing more to add than to say that this works flawlessly :D

The problem was indeed TigerVNC-1.3, for which x509 doesn't seem to work at all. I am now running version 1.7, which works without problems too.

To understand correctly:

- Host identification works by certificate now

- Stream is encrypted by VeNCrypt

How is my password sent? Encrypted by VeNCrypt or by the x509 key?

Sincerely,

Sebastiaan

On Tue, 2016-09-13 at 09:24 -0400, i iordanov wrote:

Hi Sebastiaan,

I decided to retrace your steps, but on Ubuntu 14.04. I grabbed a binary distribution of tigervnc, unpacked it, ran it with the options we have been discussing and it worked just fine with PAM authentication.

wget https://bintray.com/tigervnc/beta/download_file?file_path=tigervnc-1.6.90.x86_64.tar.gz

tar xf tigervnc-1.6.90.x86_64.tar.gz

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout x509_ca.pem -out x509_crl.pem #accepted all defaults

./tigervnc-1.6.90.x86_64/usr/bin/vncserver -SecurityTypes=VeNCrypt,X509Plain -PlainUsers=MYUSERNAMEHERE -x509key=x509_ca.pem -x509cert=x509_crl.pem

You may need a newer version of TigerVNC? I am not sure.

Cheers!

iordan

On Tue, Sep 13, 2016 at 8:57 AM, Sebastiaan Breedveld <sebas...@zwartoog.nl> wrote:

Yes, I assumed that.

The Desktop TigerVNC (version 1.3) client fails in this case with: "No valid VeNCrypt sub-type"

On Tue, 2016-09-13 at 02:21 +0300, iior...@gmail.com wrote:

Just to confirm, i was talking about doing:

vncserver -SecurityTypes=VeNCrypt,Plain -PlainUsers=ME -x509key=x509_ca.pem -x509cert=x509_crl.pem

so also specifying the key and cert files.

iordan

--
The conscious mind has only one thread of execution.

From: Sebastiaan Breedveld Sent: Monday, September 12, 2016 22:04 To: iior...@gmail.com

Subject: Re: TigerVNC and x509 to deal with Diffie-Hellman issue

Hi,

No, it just connects, without asking for any certificate.

[iior...@gmail.com]

Your password is sent over an SSL encrypted channel. The X509 certificate is used to prove the identity of the server.

Thanks for confirming that this works for you too! :)

Cheers,

iordan

--
The conscious mind has only one thread of execution.

From: Sebastiaan Breedveld Sent: Wednesday, September 14, 2016 13:13 To: i iordanov Cc: bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients