Anonymous certificates in TigerVNC 1.9


redh...@gmail.com

Aug 29, 2018, 5:28:45 AM
to TigerVNC User Discussion/Support
Hello,
I have just compiled the TigerVNC server on CentOS 6.9, but when I try to connect to it while having the 'TLS with anonymous certificates' option enabled, I get the error:
Authentication failure: gnutls_set_priority_direct_failed

Although this is not a complete show stopper, since I can disable the anonymous certificates, which provide only partial protection, I would still like to understand what I am potentially missing. Plus, this option is there by default, which will create some issues when I release to the user base.

One thing to note is that although compilation of the server was successful, it only created the Xvnc executable, a couple of libraries, and some man files. I got the rest of the environment (vncpasswd, vncserver, etc.) from the pre-compiled package.

Thanks

Pierre Ossman

Aug 30, 2018, 1:41:06 AM
to redh...@gmail.com, TigerVNC User Discussion/Support
On 29/08/18 11:28, redh...@gmail.com wrote:
> Hello,
> I have just compiled the TigerVNC server on CentOS 6.9, but when I try to connect to it while having the 'TLS with anonymous certificates' option enabled, I get the error:
> Authentication failure: gnutls_set_priority_direct_failed
>

Is this error on the server?

Have you added any extra options?

> Although this is not a complete show stopper, since I can disable the anonymous certificates, which provide only partial protection, I would still like to understand what I am potentially missing. Plus, this option is there by default, which will create some issues when I release to the user base.
>
> One thing to note is that although compilation of the server was successful, it only created the Xvnc executable, a couple of libraries, and some man files. I got the rest of the environment (vncpasswd, vncserver, etc.) from the pre-compiled package.
>

Unfortunately the Xvnc build is separate as it is a modified Xorg build.
The tools are built as part of the normal TigerVNC build in the root of
the tree.

Regards
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

redh...@gmail.com

Aug 30, 2018, 11:12:35 AM
to TigerVNC User Discussion/Support
On Thursday, 30 August 2018 06:41:06 UTC+1, Pierre Ossman wrote:
> On 29/08/18 11:28, redh...@gmail.com wrote:
> > Hello,
> > I have just compiled the TigerVNC server on CentOS 6.9, but when I try to connect to it while having the 'TLS with anonymous certificates' option enabled, I get the error:
> > Authentication failure: gnutls_set_priority_direct_failed
> >
>
> Is this error on the server?

When I start the server it is fine. When I try to connect to it, the client complains about it, in both Linux and Windows clients.

>
> Have you added any extra options?

I have not added anything other than what was in the build instructions, which were conveniently written for RHEL/CentOS 6.


>
> > Although this is not a complete show stopper, since I can disable the anonymous certificates, which provide only partial protection, I would still like to understand what I am potentially missing. Plus, this option is there by default, which will create some issues when I release to the user base.
> >
> > One thing to note is that although compilation of the server was successful, it only created the Xvnc executable, a couple of libraries, and some man files. I got the rest of the environment (vncpasswd, vncserver, etc.) from the pre-compiled package.
> >
>
> Unfortunately the Xvnc build is separate as it is a modified Xorg build.
> The tools are built as part of the normal TigerVNC build in the root of
> the tree.

This is not a real showstopper anyway; I have the impression these files are built along with the client.

redh...@gmail.com

Sep 4, 2018, 12:02:03 PM
to TigerVNC User Discussion/Support
If it is any help, I ran Xvnc manually. When trying to connect, I am getting the following messages:

Xvnc TigerVNC 1.9.0 - built Aug 23 2018 18:00:54
Copyright (C) 1999-2018 TigerVNC Team and many others (see README.rst)
See http://www.tigervnc.org for information on TigerVNC.
Underlying X server release 11704000, The X.Org Foundation


Tue Sep 4 16:55:35 2018
vncext: VNC extension running!
vncext: Listening for VNC connections on all interface(s), port 5903
vncext: Listening for HTTP connections on all interface(s), port 5803
vncext: created VNC server for screen 0

Tue Sep 4 16:55:39 2018
Connections: accepted: 132.158.27.129::53248
SConnection: Client needs protocol version 3.8
SConnection: Client requests security type VeNCrypt(19)
SVeNCrypt: Client requests security type TLSVnc (258)
TLS: GnuTLS priority syntax error at:
SConnection: AuthFailureException: Authentication failure:
gnutls_set_priority_direct failed
Connections: closed: 132.158.27.129::53248 (Authentication failure:
gnutls_set_priority_direct failed)
EncodeManager: Framebuffer updates: 0
EncodeManager: Total: 0 rects, 0 pixels
EncodeManager: 0 B (1:-nan ratio)
TLS: TLS session wasn't terminated gracefully
ComparingUpdateTracker: 0 pixels in / 0 pixels out
ComparingUpdateTracker: (1:-nan ratio)

redh...@gmail.com

Sep 6, 2018, 9:43:51 AM
to TigerVNC User Discussion/Support

Hello Guys,
I did find the solution, and that was to use gnutls3 rather than the gnutls2.6 supplied by default on CentOS 6. I got gnutls3 from the EPEL repository. Because the default build was picking libgnutls.so.26 rather than libgnutls.so.30, I had to relink libgnutls.so to point to the 30 version for the build process. After the build was done I reinstated libgnutls.so to its original version. ldd is telling me that gnutls.so.30 is used, and I can now use anonymous certificates.

Thanks

Pierre Ossman

Sep 7, 2018, 5:24:59 AM
to redh...@gmail.com, TigerVNC User Discussion/Support
On 09/06/2018 03:43 PM, redh...@gmail.com wrote:
>
> Hello Guys,
> I did find the solution, and that was to use gnutls3 rather than the gnutls2.6 supplied by default on CentOS 6. I got gnutls3 from the EPEL repository. Because the default build was picking libgnutls.so.26 rather than libgnutls.so.30, I had to relink libgnutls.so to point to the 30 version for the build process. After the build was done I reinstated libgnutls.so to its original version. ldd is telling me that gnutls.so.30 is used, and I can now use anonymous certificates.
>

Great. Thanks for letting us know. TigerVNC requires GnuTLS 3.x, so it's
not a big surprise that problems arise when using something older. I'm a
bit surprised it was possible to compile using the older version...

Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc
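
A post-build check for the linkage problem resolved in this thread, added here as an example and not written by any poster or taken from TigerVNC. It classifies `ldd` output for Xvnc by libgnutls soname and recognises the log signature quoted above; the function names, the `MIN_SONAME` threshold of 30 (taken from the working build reported in the thread) and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not TigerVNC code): post-build check of Xvnc's GnuTLS linkage.
MIN_SONAME=30   # assumption: libgnutls.so.30 is what the thread reports working

# Reads `ldd` output on stdin and prints one verdict:
#   ok          a libgnutls.so.N with N >= MIN_SONAME resolves, nothing older
#   old         only an older soname (e.g. libgnutls.so.26) is linked
#   mixed       old and new libgnutls are both pulled into the process
#   unresolved  a libgnutls soname is needed but the loader cannot find it
#   none        no libgnutls dependency at all
classify_gnutls_linkage() {
    awk -v min="$MIN_SONAME" '
        $1 ~ /^libgnutls\.so\.[0-9]+$/ {
            n = $1; sub(/^libgnutls\.so\./, "", n); n += 0
            if ($0 ~ /=> not found/) missing = 1
            else if (n >= min)       good = 1
            else                     stale = 1
        }
        END {
            if (missing)            print "unresolved"
            else if (good && stale) print "mixed"
            else if (good)          print "ok"
            else if (stale)         print "old"
            else                    print "none"
        }'
}

# Succeeds if an Xvnc log on stdin shows the failure quoted in this thread.
log_shows_priority_failure() {
    grep -Eq 'GnuTLS priority syntax error|gnutls_set_priority_direct failed'
}

# Constructed sample ldd lines (paths and addresses are illustrative).
SAMPLE_OLD='    libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x00007f0000000000)'
SAMPLE_NEW='    libgnutls.so.30 => /usr/lib64/libgnutls.so.30 (0x00007f0000000000)'
SAMPLE_LOST='    libgnutls.so.30 => not found'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_LOST"; do
    printf '%s\n' "$s" | classify_gnutls_linkage
done

# Real use: ldd "$(command -v Xvnc)" | classify_gnutls_linkage
```

The `unresolved` and `mixed` verdicts cover the cases a temporary symlink swap at build time can leave behind: a binary that needs a soname the runtime loader cannot locate, or a process that loads both library generations.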