Authentication failure: load of CRL failed - Using x509 certificate and x0tigervncserver

891 views
Skip to first unread message

psilospiral

unread,
Nov 22, 2018, 7:53:46 PM11/22/18
to TigerVNC User Discussion/Support
Greetings forum:

Currently running x0tigervncserver on a Debian 9.6 box and accessing it via Win10 installation of TigerVNCViewer 32-bit v1.9.0

When running on the server with:
x0tigervncserver -PasswordFile=/home/me/.vnc/passwd -rfbport=5912

and Win10 client with:
TigerVNCViewer settings of VNC server: [server ip address]:5912 and everything else default,

I can access the remote x0tigervncserver perfectly and everything works great...

Now I want to add x509 security. After generating key and certificate and pointing to them on both sides, I receive "Authentication failure: load of CRL failed" from the Win10 client.

I am not sure what I am doing wrong. Here are the steps I am taking from the point where my x0tigervncserver config is working fine to using certificates:

generating key and certificate on Debian box:
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout x509_ca.pem -out x509_crl.pem

The x509_ca.pem contains "-----BEGIN PRIVATE KEY-----" and the x509.crl.pem contains "-----BEGIN CERTIFICATE-----"

I then start x0tigervncserver with:

x0tigervncserver -SecurityTypes=X509Vnc -X509Cert=/home/me/x509_crl.pem -X509Key=/home/me/x509_ca.pem -rfbport=5912

In the Win10 client, I point to copies of these exact two same files under the security tab with my x509_ca.pem file under "Path to X509 CA certificate" and my x509_crl.pem file under "Path to X509 CRL file"

I have tried leaving my original -PasswordFile=/home/me/.vnc.passwd parameter in the command, but receive the same "Authentication failure: load of CRL failed" from the Win10 client rather the passwd file is called or not.

What am I doing wrong?!?

Brian Hinz

unread,
Nov 22, 2018, 8:40:39 PM11/22/18
to TigerVNC User Discussion/Support, psilospiral
You’re attempting to use a certificate file as a certificate revocation list.  In the case that you have described, x509_ca.pem is the server’s private key and should not be distributed to clients. x509_crl.pem is actually the server’s certificate (or public key).  Since it is self-signed, it also constitutes the CA’s public key.  So use x509_crl.pem for the client’s “Path to X509 CA certificate” and leave “Path to X509 CRL file” blank and it should work.

-brian

--
You received this message because you are subscribed to the Google Groups "TigerVNC User Discussion/Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tigervnc-user...@googlegroups.com.
To post to this group, send email to tigervn...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tigervnc-users/a52f64b6-c076-4767-ab13-525e54e6c96a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

psilospiral

unread,
Nov 22, 2018, 9:49:04 PM11/22/18
to TigerVNC User Discussion/Support
Brian:

You are exactly correct!  I used the x509_crl.pem file for the client's "Path to X509 CA certificate" and removed the file & path from "Path to X509 CRL file" and it connected to the server.  Thank you sir!

I further tested security by corrupting the x509_crl.pem file 1 character at a time.  On the third character edited (separate lines), it finally responded "Authentication failure: load of CA cert failed"  Reverting solved the issue.

My box is much more secure now.  Thank you again, Brian.



Reply all
Reply to author
Forward
0 new messages