Android 6.0+ users and AnonTLS / protocols that use Anonymous Diffie Hellman ciphers


i iordanov

Oct 24, 2015, 11:44:51 AM
to bvnc-ardp-aspice-opaqu...@googlegroups.com
Unfortunately Google has dropped support for Anonymous Diffie Hellman ciphers needed for encrypted connections to certain servers. This is probably not a bug but intentional.

You will need to switch to SSH or to x509 certificates (if your VNC server supports it) for your security needs.

If using Linux, you can just use the AutoX functionality in bVNC:
Instructions for configuring AutoX

Otherwise, here are some pointers for other VNC servers out there.

For Vino (built into most Linux distributions, mostly used with GNOME ecosystem):

Run the following once on the command-line:
gsettings set org.gnome.Vino require-encryption false

For x11vnc:

Add the options to your command-line:
-ssl -vencrypt nodh:only

For TigerVNC for Linux and Windows:

Either disable all secure methods (not recommended), or generate a certificate and start the server using the certificate. Please note that the instructions below are just something I threw together years ago and if you find something doesn't work for you, feel free to reply to this announcement with corrections:

1) Install OpenSSL. For Windows, get binaries here. For Linux, install it with your distribution's package management utilities.
https://wiki.openssl.org/index.php/Binaries

2) Generate key and cert:
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout server.pem -out server.crt

3a) For Linux, (REPLACE /path/to with actual path) when starting the server, add the following to the parameter list:
      -x509key /path/to/server.pem -x509cert /path/to/server.crt

3b) For Windows, change command-line for server start link (REPLACE c:\path\to\your\ with the actual folder where you generated the files):
"C:\Program Files (x86)\TigerVNC\winvnc4.exe" -x509key c:\path\to\your\server.pem -x509cert c:\path\to\your\server.crt -noconsole

4) For Windows, if running the server as a service, you can edit the registry (thanks phantom.ololo). If you generated your key in C:\Program Files\TigerVNC\:

  a) Run "regedit"
  b) Add the following registry entries to HKEY_LOCAL_MACHINE\SOFTWARE\TigerVNC\WinVNC4
      x509key (reg_sz), value is path to key (C:\Program Files\TigerVNC\server.pem)
      and
      x509cert (reg_sz), value is path to cert (C:\Program Files\TigerVNC\server.crt)
  c) Reboot

For details (all anon ciphers have been dropped in API 23 and later, i.e. Android 6.0+), see:
http://developer.android.com/reference/javax/net/ssl/SSLEngine.html
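As an added example that is not from this thread or from the TigerVNC project, the POSIX shell script below wraps steps 2 and 3a for Linux: it runs the same openssl command non-interactively, restricts permissions on the private key (which -nodes writes unencrypted), prints the options to append to the TigerVNC server command line, and computes the certificate's SHA-256 fingerprint so the self-signed certificate can be checked out of band before a client trusts it. The directory, host name and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -eu

# make_tigervnc_cert DIR HOSTNAME [DAYS]
# Writes DIR/server.pem (private key) and DIR/server.crt (self-signed
# certificate) unless the certificate already exists. Same openssl
# invocation as step 2 of the thread, plus -subj so it needs no prompts.
make_tigervnc_cert() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"
    if [ ! -f "$dir/server.crt" ]; then
        openssl req -new -newkey rsa:2048 -days "$days" -nodes -x509 \
            -subj "/CN=$host" \
            -keyout "$dir/server.pem" -out "$dir/server.crt" 2>/dev/null
    fi
    # -nodes leaves the key in the clear: make it readable by the owner only.
    chmod 600 "$dir/server.pem"
}

# tigervnc_x509_args DIR
# Prints the step 3a options for the Xvnc / x0vncserver parameter list.
# Fails (non-zero) if either file is missing, so a typo in the path is
# caught before the server silently starts without x509 support.
tigervnc_x509_args() {
    dir=$1
    [ -f "$dir/server.pem" ] && [ -f "$dir/server.crt" ] || return 1
    printf -- '-x509key %s/server.pem -x509cert %s/server.crt\n' "$dir" "$dir"
}

# cert_fingerprint DIR
# SHA-256 fingerprint (colon-separated hex) of DIR/server.crt, to compare
# with the value the client shows when it first sees the certificate.
cert_fingerprint() {
    openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage (constructed example):
#   make_tigervnc_cert /etc/tigervnc vnc.example.test
#   x0vncserver -display :0 $(tigervnc_x509_args /etc/tigervnc)
#   cert_fingerprint /etc/tigervnc
```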

i iordanov

Aug 20, 2016, 12:57:12 PM
to bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
I've opened an issue for Vino on Ubuntu's launchpad. Everybody who is affected, please report that you're also affected in the issue, and if needed, comment and contribute here:

https://bugs.launchpad.net/ubuntu/+source/vino/+bug/1615251

phanto...@gmail.com

May 21, 2017, 3:36:37 AM
to bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
4) For Windows, if running the server as a service
Add registry entries to HKEY_LOCAL_MACHINE\SOFTWARE\TigerVNC\WinVNC4

x509key (reg_sz), value is path to key (C:\Program Files\TigerVNC\server.pem)
and
x509cert (reg_sz), value is path to cert (C:\Program Files\TigerVNC\server.crt)

On Saturday, October 24, 2015 at 20:44:51 UTC+5, user i iordanov wrote:
4) For Windows, if running the server as a service, you can try editing the registry (untested). As far as I know, the key that needs to change is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinVNC4

  a) Run "regedit"

  b) Search for:
      "C:\Program Files (x86)\TigerVNC\winvnc4.exe" -service

  c) Replace value with (also REPLACE c:\path\to\your\ with the actual folder where you generated the files):
      "C:\Program Files (x86)\TigerVNC\winvnc4.exe" -x509key c:\path\to\your\server.pem -x509cert c:\path\to\your\server.crt -service

  d) Reboot

1.4...@gmail.com

Jun 20, 2019, 1:04:24 PM
to bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
Would disabling all secure methods for TigerVNC make sense if one is connecting to one such a VNC server over SSH alone? That is, one could not connect to that server by any other means - SSH must be used.

i iordanov

Jun 20, 2019, 3:37:28 PM
to JCA, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
It depends on whether you trust the SSH protocol fully. If you wanted to have a second layer of defence, you can use VeNCrypt on the TigerVNC server. The additional encryption will add some overhead but will preserve privacy and verify identity if the SSH client or server is compromised.

Cheers!
iordan

--
The conscious mind has only one thread of execution.

JCA

Jun 20, 2019, 4:15:35 PM
to i iordanov, bVNC, aRDP, aSPICE, Opaque Android and BB10 Remote Desktop Clients
Thanks. The SSH protocol is solid enough all right, so I think that starting the TigerVNC server in the situation I described would not be inappropriate. At any rate, I just noticed that setting securitytypes to vncauth in TigerVNC allows me to get around the Anonymous DH problem, which is what I wanted to achieve - certificates are a bit of a pain in the neck, which I don't really want to deal with unless I have no choice. Since vncauth seems to have a negligible performance impact, I am happy to secure my bVNC connections with both SSH and vncauth.