#21 broken ssl support in 0.8.4 java applet

closed-fixed
None
5
2007-11-27
2007-03-24
No

When using stunnel to protect vnc server, 0.8.4 java applet does not work. 0.8.3 works.

With 0.8.3, applet displays certification verify dialog and works fine, 0.8.4 displays "Status: Connecting to xxx.net, port 6105..." in the applet. I also tried 0.8.5 downloaded from www.karlrunge.com, it was the same as 0.8.4.

Java console shows this:
-----------------
urlPrefix: ''
SecurityManager restricts session recording.
Initializing...
Connecting to x.xx.net, port 6105...
new SSLSocketToMe
SSL startup: x.xx.net 6105
ustr is: https://x.xx.net:6105/check.https.proxy.connection
network: Connecting https://x.xx.net:6105/check.https.proxy.connection with proxy=DIRECT
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Checking if certificate is in Deployment session certificate store
security: Checking if SSL certificate is in Deployment permanent certificate store
set trusturlCerts to non-null
network: Connecting http://x.xx.net:6105/index.vnc with proxy=DIRECT
-----------------

stunnel log on server:
-----------------
2007.03.24 22:49:18 LOG3[27445:1076919216]: SSL_read: Connection reset by peer (104)
2007.03.24 22:49:18 LOG5[27445:1076919216]: Connection reset: 30 bytes sent to SSL, 13 bytes sent to socket
2007.03.24 22:49:18 LOG5[27445:1076919216]: vnc-local connected from x.x.x.x:3790
2007.03.24 22:49:18 LOG6[27445:1076919216]: SSL accepted: new session negotiated
2007.03.24 22:49:18 LOG6[27445:1076919216]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.03.24 22:49:18 LOG6[27445:1076919216]: SSL_shutdown successfully sent close_notify
2007.03.24 22:49:18 LOG5[27445:1076919216]: Connection closed: 12 bytes sent to SSL, 286 bytes sent to socket
2007.03.24 22:49:18 LOG5[27445:1076919216]: vnc-local connected from x.x.x.x:3791
2007.03.24 22:49:18 LOG3[27445:1076919216]: SSL_accept: 1407609C: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
-----------------

The last line corresponds with the last line from java console output.

Certificate used in stunnel is self-signed, created with "openssl req -new -x509 -days 1000 -nodes".

html code used to launch applet:
<APPLET CODE="VncViewer.class" ARCHIVE="VncViewer.jar" WIDTH="800" HEIGHT="600">
<PARAM NAME="PORT" VALUE="6105">
<PARAM NAME="Restricted colors" VALUE="Yes">
<PARAM NAME="disableSSL" VALUE="no">
</APPLET>
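
The following is an added example, not part of the original report or of the x11vnc or stunnel code. It groups the stunnel log excerpt above by accepted connection and labels the connection on which cleartext HTTP arrived at the SSL port. The function name `triage` and the record fields are hypothetical, and the sample input is the log quoted in the report.

```python
import re

# Sample input: the stunnel log excerpt quoted in the report above.
SAMPLE_LOG = """\
2007.03.24 22:49:18 LOG3[27445:1076919216]: SSL_read: Connection reset by peer (104)
2007.03.24 22:49:18 LOG5[27445:1076919216]: Connection reset: 30 bytes sent to SSL, 13 bytes sent to socket
2007.03.24 22:49:18 LOG5[27445:1076919216]: vnc-local connected from x.x.x.x:3790
2007.03.24 22:49:18 LOG6[27445:1076919216]: SSL accepted: new session negotiated
2007.03.24 22:49:18 LOG6[27445:1076919216]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.03.24 22:49:18 LOG6[27445:1076919216]: SSL_shutdown successfully sent close_notify
2007.03.24 22:49:18 LOG5[27445:1076919216]: Connection closed: 12 bytes sent to SSL, 286 bytes sent to socket
2007.03.24 22:49:18 LOG5[27445:1076919216]: vnc-local connected from x.x.x.x:3791
2007.03.24 22:49:18 LOG3[27445:1076919216]: SSL_accept: 1407609C: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(\d+:\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"^(\S+) connected from (\S+)$")
CIPHER_RE = re.compile(r"^Negotiated ciphers: (\S+)\s+(\S+)")
HTTP_ON_TLS = "SSL23_GET_CLIENT_HELLO:http request"

def triage(log_text):
    """Group stunnel events per accepted connection and label the outcome."""
    conns, current = [], {}          # current: "pid:thread" -> open record
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        worker, msg = m.groups()
        c = CONNECT_RE.match(msg)
        if c:                        # a new connection starts a new record
            rec = {"service": c.group(1), "peer": c.group(2), "cipher": None,
                   "protocol": None, "outcome": "unknown", "weak": False}
            current[worker] = rec
            conns.append(rec)
            continue
        rec = current.get(worker)
        if rec is None:              # tail of a connection accepted earlier
            continue
        ci = CIPHER_RE.match(msg)
        if ci:
            rec["cipher"], rec["protocol"] = ci.groups()
            rec["outcome"] = "tls"
            rec["weak"] = (rec["protocol"] == "SSLv3" or "RC4" in rec["cipher"]
                           or "MD5" in rec["cipher"])
        elif HTTP_ON_TLS in msg:     # cleartext HTTP arrived on the SSL port
            rec["outcome"] = "plaintext-http"
    return conns
```

On this excerpt the connection from port 3790 is a completed SSL session (RC4-MD5 over SSLv3, flagged weak), and the one from port 3791 is labelled `plaintext-http`, matching the applet's final `http://` fetch in the Java console output.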

Discussion

  • Johannes Schindelin

    Logged In: YES
    user_id=27066
    Originator: NO

    Unfortunately, I have no idea and no time to check this out. Karl?

     
  • Johannes Schindelin

    • assigned_to: nobody --> runge
     
  • Karl J. Runge

    Karl J. Runge - 2007-04-01

    Logged In: YES
    user_id=219571
    Originator: NO

    Hi,

    Please show me the full x11vnc command you ran
    and its full output.

    Also tell me the URL you put into the web
    browser, and if there are actually any proxies
    involved (I'd guess not from the output).

    My java console output doesn't look like yours
    with the "network:" and proxy=DIRECT strings.
    So please tell me the java version and vendor,
    and ditto for web browser and OS.

    Also let me know about which, if any,
    certificates have been accepted permanently, etc.
    And any other messages that come up in the applet
    gui components, say.

    I cannot reproduce the problem here. It connects
    fine if I point x11vnc to the classes/ssl dir
    via -httpdir, and start up an stunnel redir to
    x11vnc and connect from web browser on a different
    machine to http://hostname:5800 and the indev.vnc
    PORT goes to stunnel port.

    I have uploaded to my site a x11vnc-0.8.5.tar.gz
    for you to try. It has an "ignoreProxy" applet
    parameter you should set to "yes":

    <param name="ignoreProxy" value="yes">

    this will skip the proxy checking (the part
    we see in your java console output), and
    so perhaps will avoid the problem. I'd prefer
    doing this automatically, but let's first see
    if this provides a workaround.

    Let me know how it goes.

    Karl

     
  • Viljo Viitanen

    Viljo Viitanen - 2007-04-02

    Logged In: YES
    user_id=90226
    Originator: YES

    I'm not using the x11vnc server, only the java applet set up manually (without index.vnc etc.), so I believe urls won't help in this case (I can provide a test setup, if you wish. Contact me privately). My server is debian package vnc4server, version 4.0-8. Proxies aren't involved.

    No certificates have been accepted permanently. In the non-working case, the applet gives no gui messages at all, other than writing "Status: Connecting to xxx...". When working, the applet pops up the "VNC Server xxx.net:port Not Verified" dialog after displaying "Status: Connecting to xxx....".

    My browser is Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3) on Windows XP SP2, Java is from Sun, Version 1.5.0 (build 1.5.0_11-b03).

    Using your newest binary and the ignoreProxy parameter fixed the problem.

     
  • Karl J. Runge

    Karl J. Runge - 2007-11-27
    • status: open --> closed-fixed
     
