From: n0g0013 <tt...@co...> - 2007-10-31 11:14:17
On 31.10-09:35, Constantin Kaplinsky wrote:
[ ... ]
> > For testing, running the server through stunnel is sufficient. I can
> > post instructions for setting this up if anyone cares.
>
> Yes, I would appreciate if you could send the instructions.

these instructions are not for 'stunnel', they are for 'socat', but
perhaps this will be useful for others.

generate/save the relevant SSL certificates where you like, for example

  <cafile>  /etc/ssl/certs/ca.pem      Certificate Authority PEM certificate
  <cert>    /etc/ssl/certs/vnc.pem     VNC service certificate
  <key>     /etc/ssl/private/vnc.key   VNC private key file

if you generate a self-signed certificate with the key included i
guess(?) these could all be the same file.

you then start 'socat' in a method of your choosing (e.g. rc script,
manually) as follows

  socat \
    "OPENSSL-LISTEN:5900,fork,verify=0,\
    cafile=<cafile>,\
    key=<key>,\
    certificate=<cert>" \
    TCP4:localhost:5950

n.b: the above formatting may not execute; each parameter must be a
single argument (i think) (quotes may work).

the "fork" tells socat to act like a server, forking for each
connection, and the "verify=0" to allow any client connection. the first
parameter is the SSL listening connection (in this case the default 5900
port) which is then piped to the second parameter (in this case a
localhost connection on port 5950). this can be used to connect to any
working VNC connection over SSL.

if you are using my patch you will need to copy the DER encoded
certificate into the TrustedCertificate class and re-build the viewer.
this can be captured with the following command

  sed -e \
    '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/ ! d' \
    < cafile \
  | sed -e 's/$/\\n" +/' \
  | sed -e 's/^/"/' \
  > TrustedCertificates.java

n.b: these sed commands should make it simpler to edit the
'TrustedCertificates.java' file, but they don't eliminate the need to
rebuild with make.

upload the new 'VncViewer.jar' and away you go.
you should also be able to import only the root certificate (if you have
one), which will allow you to connect to any SSL-wrapped VNC service
using a properly signed certificate (i.e. your own (or any other) CA,
not one of the known, default, trusted CAs).
-- 
t t w
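The post pins the CA (or server) certificate in the viewer by pasting its PEM text into a Java class, and mentions the DER form. The following is an added example, written for this thread and not code from the poster or from the VNC viewer patch being discussed: using only the Python standard library, it extracts every certificate block from a PEM bundle (the job of the sed pipeline above, but refusing a bundle that ends inside a block), converts each to DER with `ssl.PEM_cert_to_DER_cert`, prints a SHA-256 fingerprint to compare out of band with `openssl x509 -fingerprint -sha256` on the server, and renders both a Java `String` literal (same shape as the sed output, without the dangling `+`) and a Java `byte[]` of the DER bytes. The sample bundle, the Java constant names and the function names are constructed for the example; the certificate bodies are not real certificates, just bytes wrapped in PEM armour so it runs offline.

```python
"""Prepare certificate material for pinning in a TLS-wrapped VNC viewer.

Added example (not the poster's code).  Feed it the <cafile> used on the
socat OPENSSL-LISTEN side; it renders what a TrustedCertificates-style
Java class would carry.  Standard library only.
"""
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def extract_pem_certs(bundle_text):
    """Return every BEGIN..END CERTIFICATE block in a PEM bundle, inclusive.

    Same selection as the post's sed range expression, except that a bundle
    which ends inside a block raises instead of yielding a truncated block.
    """
    certs, current = [], None
    for raw in bundle_text.splitlines():
        line = raw.rstrip()
        if current is None:
            if line == PEM_BEGIN:
                current = [line]
        else:
            current.append(line)
            if line == PEM_END:
                certs.append("\n".join(current) + "\n")
                current = None
    if current is not None:
        raise ValueError("PEM bundle ends inside a certificate block")
    return certs


def pem_to_der(pem_cert):
    """Base64-decode one PEM certificate to its DER bytes (stdlib helper)."""
    return ssl.PEM_cert_to_DER_cert(pem_cert)


def fingerprint(der_bytes):
    """SHA-256 of the DER encoding, colon separated like openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def java_string_literal(pem_cert, name):
    """Render a PEM block as 'static final String NAME = "..." + ...;'.

    This is the shape the post's sed pipeline produces, minus the '+' left
    dangling on the last line, which would not compile as-is.
    """
    lines = pem_cert.strip().splitlines()
    parts = ['    "%s\\n"' % line for line in lines]
    return "static final String %s =\n%s;\n" % (name, " +\n".join(parts))


def java_der_array(der_bytes, name, per_line=12):
    """Render DER bytes as 'static final byte[] NAME = { (byte)0x.., ... };'."""
    items = ["(byte)0x%02x" % b for b in der_bytes]
    rows = [", ".join(items[i:i + per_line]) for i in range(0, len(items), per_line)]
    return "static final byte[] %s = {\n    %s\n};\n" % (name, ",\n    ".join(rows))


# Constructed sample bundle: these bodies are NOT real certificates, only
# bytes wrapped in PEM armour so the example runs offline.  Use <cafile>.
FAKE_DER_CA = b"constructed stand-in for a CA certificate (DER)"
FAKE_DER_SERVER = b"constructed stand-in for the vnc.pem server certificate"


def _pem_armour(der_bytes):
    body = base64.encodebytes(der_bytes).decode("ascii")  # 76-column lines
    return PEM_BEGIN + "\n" + body + PEM_END + "\n"


SAMPLE_BUNDLE = (
    "# comment and subject= lines such as 'openssl x509 -text' leaves in a bundle\n"
    "subject=CN=example VNC CA\n"
    + _pem_armour(FAKE_DER_CA)
    + "\n"
    + _pem_armour(FAKE_DER_SERVER)
)


def render_trusted(bundle_text):
    """One record per certificate: (fingerprint, java string, java byte array)."""
    out = []
    for idx, pem in enumerate(extract_pem_certs(bundle_text)):
        der = pem_to_der(pem)
        out.append((fingerprint(der),
                    java_string_literal(pem, "CERT_%d_PEM" % idx),
                    java_der_array(der, "CERT_%d_DER" % idx)))
    return out


if __name__ == "__main__":
    for fp, jstr, jarr in render_trusted(SAMPLE_BUNDLE):
        print("// SHA-256 fingerprint: " + fp)
        print(jstr)
        print(jarr)
```

Pinning by fingerprint rather than by pasting the whole PEM is the check that matters: compare the printed SHA-256 with the one computed on the server host before trusting the file, since a PEM copied over the same untrusted network the wrapper is meant to protect proves nothing on its own.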