Re: Vnc Server SSL
From: <osc...@pr...> - 2011-01-11 17:46:14
Folks,

To follow up on this, I made some progress, but the result is not complete. My approach was to modify the Windows TightVNC 1.3.10 sources (*1) to include an OpenSSL client. I used version openssl-1.0.0c.tar.gz (*2). I added SSL initialization code to VSocket::Create and replaced the socket-level read/write functions in VSocket::Send and VSocket::Read (the send/recv winsock.h functions) with SSL_write and SSL_read. It is a very simple approach that was able to complete the SSL handshake (remote certificate acceptance) and begin communications. However, at some point during the next few Vnc Server updates, I/O would halt. Looking deeper into the sources led me to consider the VSocket queues (SendFromQueue and SendQueued), and that SSL_write and SSL_read are not exact drop-in replacements.

For a test bench, I used stunnel, configured as a server, and VncReflector, as well as tcpdump to monitor unencrypted packets. I would connect via the "Add New Client..." server option. I could build (compile) both source projects in debug and release mode, as well as step through line by line and execute via the MS Visual Studio 2005 debugger. I have decided to use stunnel on Windows as an interim solution. The source code mods probably should have been made to the latest version of TightVNC, but for reasons of convenience, I used the earlier version.
HTH

Refs:
*1 http://www.tightvnc.com/download/1.3.10/tightvnc-1.3.10_winsrc.zip
*2 http://www.openssl.org/source/openssl-1.0.0c.tar.gz

$ diff VSocket.cpp VSocket.cpp.orig 155,159d154 < // SSL initialize < SSLeay_add_ssl_algorithms(); < SSL_load_error_strings(); < ctx = SSL_CTX_new (SSLv3_client_method()); < 186,188d180 < // SSL < SSL_shutdown (ssl); /* send SSL/TLS close_notify */ < 199,207d190 < < // SSL < if (server_cert != 0) < { < X509_free (server_cert); < } < SSL_free (ssl); < SSL_CTX_free (ctx); < 329,333d311 < ssl = SSL_new (ctx); < SSL_set_fd (ssl, sock); < err = SSL_connect (ssl); < server_cert = SSL_get_peer_certificate (ssl); < 534,539c512,513 < // VInt bytes = send(sock, buff, bufflen, 0); < err = SSL_write(ssl, buff, bufflen); < vnclog.Print(LL_SOCKERR, VNCLOG("SSL_write %d\n"), err); < < // if (bytes < 0) < if (err == 0xffffffff) --- > VInt bytes = send(sock, buff, bufflen, 0); > if (bytes < 0) 553d526 < err = -1; 556,557c529 < return err; < //return bytes; --- > return bytes; 659,661c631 < //VInt bytes = recv(sock, buff, bufflen, 0); < err = SSL_read (ssl, buff, bufflen); < vnclog.Print(LL_SOCKERR, VNCLOG("SSL_read %d\n"), err); --- > VInt bytes = recv(sock, buff, bufflen, 0); 664,665c634 < // if (bytes < 0 && WSAGetLastError() == WSAEWOULDBLOCK) < if (err == 0xffffffff && WSAGetLastError() == WSAEWOULDBLOCK) { --- > if (bytes < 0 && WSAGetLastError() == WSAEWOULDBLOCK) 667,668d635 < err = -1; < } 671,672c638 < return err; < //return bytes; --- > return bytes;
$ diff VSocket.h VSocket.h.orig 43,58d42 < #if (!defined(_SSL_DEFINED)) < #define _SSL_DEFINED < < //////////////////////////////////////////////////////// < // SSL includes < < extern "C" { < #include <openssl/crypto.h> < #include <openssl/x509.h> < #include <openssl/pem.h> < #include <openssl/ssl.h> < #include <openssl/err.h> < } < < #endif < 189,194d172 < < // SSL < SSL_CTX* ctx; < SSL* ssl; < X509* server_cert; < int err;

-----Original Message-----
From: osc...@pr...
To: vnc...@li...
Cc: osc...@pr...
Sent: Fri, Dec 24, 2010 9:12 am
Subject: Vnc Server SSL

Folks, Is there a version of the win32 vnc server that implements SSL connections? I am looking for a version that uses something like OpenSSL to initiate outgoing connections, with VncReflector running somewhere in the middle. This is a special case situation because most users would initiate an outgoing connection to a remote vnc viewer instead. I am also looking for pointers to a version that utilizes SSLeay32.dll to create secure socket connections to and from vnc viewers. If not, I will probably work on developing something similar along these lines (vnc server making outgoing 'Add New Client' function) because I have a work-related project needing such an implementation. I will post back a pointer to the source code. From searching I have found some versions that are implementing 'Use SSL', 'Use SSH', and 'SSH + SSL'. http://www.karlrunge.com/x11vnc/ssvnc.html Thanks
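Review bot: the context in the 155,159d154 hunk is created with `SSL_CTX_new (SSLv3_client_method())` and neither that hunk nor 329,333d311 sets a verification mode, so the connection is pinned to SSLv3 with no TLS negotiation and the certificate from `server_cert = SSL_get_peer_certificate (ssl);` is stored but never checked, which means any peer certificate is accepted (the "remote certificate acceptance" in the mail) and the server cannot tell the intended stunnel/reflector endpoint from any other listener. Suggest `SSLv23_client_method()` (the version-flexible method in OpenSSL 1.0.0) with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)`, plus `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` and `SSL_CTX_load_verify_locations` pointed at the CA that issued the stunnel certificate. The result of `err = SSL_connect (ssl);` is also assigned but never tested in the visible lines; a failed handshake should abort VSocket::Create rather than fall through to SSL_write/SSL_read.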
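Review bot: `if (err == 0xffffffff)` in the 534,539c512,513 hunk only catches a -1 return, but `SSL_write` signals failure with any return <= 0 (0 included), and the reason must be read with `SSL_get_error(ssl, err)` rather than the winsock error. On a non-blocking socket `SSL_get_error` reports `SSL_ERROR_WANT_READ` or `SSL_ERROR_WANT_WRITE`, and OpenSSL then requires the next `SSL_write` to be called again with the same buffer and length; the queue-based sender (`SendQueued`/`SendFromQueue`) that the mail mentions has no notion of that, and a would-block here currently falls into the `err = -1;` path added by 553d526 and is returned as a hard failure by `return err;` in 556,557c529. That retry mismatch is a plausible cause of the I/O stall after a few updates. Suggest `if (err <= 0) { switch (SSL_get_error(ssl, err)) { ... } }` that distinguishes WANT_READ/WANT_WRITE (retry with identical arguments, do not advance the queue) from SSL_ERROR_SYSCALL/SSL_ERROR_SSL (real failure). The unconditional `vnclog.Print(LL_SOCKERR, VNCLOG("SSL_write %d\n"), err);` also logs every successful write at the socket-error level and should be gated on the failure branch.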
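Review bot: the 664,665c634 hunk keeps the winsock test `err == 0xffffffff && WSAGetLastError() == WSAEWOULDBLOCK` after `err = SSL_read (ssl, buff, bufflen);`, but inspecting `WSAGetLastError()` after an OpenSSL call is fragile and misses the cases `SSL_read` actually reports: it returns 0 (not -1) when the peer sends close_notify, which `SSL_get_error` classifies as `SSL_ERROR_ZERO_RETURN`, and it reports a pending read as `SSL_ERROR_WANT_READ` (or `SSL_ERROR_WANT_WRITE` during renegotiation). With the `err = -1;` added by 667,668d635 inside the would-block branch and `return err;` from 671,672c638, a would-block and a genuine failure both reach the caller as -1 and cannot be told apart. Suggest switching on `SSL_get_error` here as in the send path, returning a distinct "no data yet" result for WANT_READ/WANT_WRITE and treating ZERO_RETURN as an orderly close, so the reader loop can retry instead of tearing the connection down.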