@ -82,10 +82,12 @@ void print_help(int mode) {
" before startup. Same as -xauth file. See Xsecurity(7), \n "
" xauth(1) man pages for more info. \n "
" \n "
" -N If the X display is :N, try to set the VNC display \n "
" to also be :N This just sets the -rfbport option \n "
" to 5900+N. The program will exit immediately if that \n "
" port is not available. \n "
" -N If the X display is :N, try to set the VNC display to \n "
" also be :N This just sets the -rfbport option to 5900+N \n "
" The program will exit immediately if that port is not \n "
" available. The -N option only works with normal -display \n "
" usage, e.g. :0 or :8, -N is ignored in the -display \n "
" WAIT:..., -create, -find, -svc, -redirect, etc modes. \n "
" \n "
" -autoport n Automatically probe for a free VNC port starting at n. \n "
" The default is to start probing at 5900. Use this to \n "
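Review bot: the rewritten -N text still lacks a period after ":N" ("also be :N This just sets"), and the new closing sentence is a comma splice ("e.g. :0 or :8, -N is ignored"). Suggest "to also be :N. This just sets the -rfbport option to 5900+N." and "usage, e.g. :0 or :8; -N is ignored in the -display WAIT:..., -create, -find, -svc, -redirect, etc. modes."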
@ -979,13 +981,13 @@ void print_help(int mode) {
" added to get the actual port), if port < 0 then -port \n "
" is used. \n "
" \n "
" Probably the only reason to use the -redirect option is \n "
" i n conjunction with SSL support, e.g. -ssl, -ssl SAVE.\n "
" Probably the only reason to use the -redirect option \n "
" i s i n conjunction with SSL support, e.g. -ssl SAVE.\n "
" This provides an easy way to add SSL encryption to a VNC \n "
" server that does not support SSL (e.g. Xvnc or vnc.so) \n "
" In fact, the protocol does not even need to be VNC, \n "
" and so \" - ssl SAVE -redirect host:port\" can act as a \n "
" replacement for stunnel(1).\n "
" and so \" - rfbport port1 - ssl SAVE -redirect host:port2 \" \n "
" can act as a replacement for stunnel(1).\n "
" \n "
" This mode only allows one redirected connection. \n "
" The -forever option does not apply. Use -inetd or \n "
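Review bot: the stunnel(1) replacement example ("-rfbport port1 -ssl SAVE -redirect host:port2") should state that only the viewer-to-x11vnc leg is encrypted; because the target "does not support SSL", the hop from x11vnc to host:port2 is plaintext, so host:port2 should be localhost or an otherwise trusted network. One sentence here avoids readers assuming end-to-end protection. Also, as rendered, the option names in the example carry stray spaces ("- rfbport", "- ssl", present in the old line too); confirm they are not in the source.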
@ -1119,6 +1121,9 @@ void print_help(int mode) {
" for the user. This is the only time x11vnc tries to \n "
" actually start up an X server. \n "
" \n "
" It will start looking for an open display number at :20 \n "
" Override via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n \n "
" \n "
" By default FINDCREATEDISPLAY will try Xdummy and then \n "
" Xvfb: \n "
" \n "
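Review bot: the added sentence "start looking for an open display number at :20 Override via ..." needs a period after ":20", and the override sentence reads better as "Override this via X11VNC_CREATE_STARTING_DISPLAY_NUMBER=n."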
@ -1233,14 +1238,14 @@ void print_help(int mode) {
" -vencrypt mode The VeNCrypt extension to the VNC protocol allows \n "
" encrypted SSL/TLS connections. If the -ssl mode is \n "
" enabled, then VeNCrypt is enabled as well BY DEFAULT \n "
" (they both use the SSL/TLS tunnel, only the protocol\n "
" (they both use a SSL/TLS tunnel, only the protocol\n "
" handshake is a little different.) \n "
" \n "
" To control when and how VeNCrypt is used, specify the \n "
" mode string. If mode is \" never \" , then VeNCrypt is \n "
" not used. If mode is \" support \" (the default) then \n "
" VeNCrypt is supported. If mode is \" only \" , then the \n "
" similar and older TLSVNC protocol is not simultaneously\n "
" similar and older ANON TLS protocol is not simultaneously\n "
" supported. x11vnc's normal SSL mode (vncs://) will be \n "
" supported under -ssl unless you set mode to \" force \" . \n "
" \n "
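Review bot: "a SSL/TLS tunnel" should be "an SSL/TLS tunnel" (the replaced line had "the SSL/TLS tunnel"), and the renamed protocol is spelled "ANON TLS" here but "ANONTLS" in the -vencrypt newdh: paragraph and in the -sslonly text; use one spelling throughout (ANONTLS matches the -anontls option name).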
@ -1250,14 +1255,16 @@ void print_help(int mode) {
" \n "
" To disable all Anonymous Diffie-Hellman access \n "
" (susceptible to Man-In-The-Middle attack) you will need \n "
" to supply \" -vencrypt nodh:support -tlsvnc never \" \n "
" to supply \" -vencrypt nodh:support -anontls never \" \n "
" or \" -vencrypt nodh:only \" \n "
" \n "
" If mode is prefixed with \" newdh: \" , then new Diffie \n "
" Hellman parameters are generated for each connection \n "
" (this can be time consuming: 1-60 secs) rather than \n "
" using the fixed values in the program. Using fixed, \n "
" publicly known values is not known to be a security \n "
" problem. This setting applies to TLSVNC as well. \n "
" (this can be time consuming: 1-60 secs; see -dhparams \n "
" below for a faster way) rather than using the \n "
" fixed values in the program. Using fixed, publicly \n "
" known values is not known to be a security problem. \n "
" This setting applies to ANONTLS as well. \n "
" \n "
" Long example: -vencrypt newdh:nox509:support \n "
" \n "
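Review bot: "This setting applies to ANONTLS as well" uses a different spelling from "ANON TLS" in the preceding hunk; align them. The updated example "-vencrypt nodh:support -anontls never" correctly tracks the option rename, and the forward reference "see -dhparams below for a faster way" is valid since -dhparams follows in this help text.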
@ -1270,15 +1277,23 @@ void print_help(int mode) {
" You *MUST* supply the -ssl option for VeNCrypt to be \n "
" active. This option only fine-tunes its operation. \n "
" \n "
" - tlsvnc mode The TLSVNC extension to the VNC protocol allows\n "
" - anon tls mode The ANON TLS extension to the VNC protocol allows\n "
" encrypted SSL/TLS connections. If the -ssl mode is \n "
" enabled, then TLSVNC is enabled as well BY DEFAULT\n "
" (they both use the SSL/TLS tunnel, only the protocol\n "
" enabled, then ANON TLS is enabled as well BY DEFAULT\n "
" (they both use a SSL/TLS tunnel, only the protocol\n "
" handshake is a little different.) \n "
" \n "
" To control when and how TLSVNC is used, specify the \n "
" mode string. If mode is \" never \" , then TLSVNC is not \n "
" used. If mode is \" support \" (the default) then TLSVNC \n "
" ANONTLS is an older SSL/TLS mode introduced by vino. \n "
" \n "
" It is referred to as 'TLS' for its registered VNC \n "
" security-type name, but we use the more descriptive \n "
" 'ANONTLS' here because it provides only Anonymous \n "
" Diffie-Hellman encrypted connections, and hence no \n "
" possibility for certificate authentication. \n "
" \n "
" To control when and how ANONTLS is used, specify the \n "
" mode string. If mode is \" never \" , then ANONTLS is not \n "
" used. If mode is \" support \" (the default) then ANONTLS \n "
" is supported. If mode is \" only \" , then the similar \n "
" VeNCrypt protocol is not simultaneously supported. \n "
" x11vnc's normal SSL mode (vncs://) will be supported \n "
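Review bot: the option heading is rendered "- anon tls mode" while -sslonly spells the same option "-anontls never"; the heading must use the exact spelling the option parser accepts, so it should read "-anontls mode" (and check whether the spaces are in the source or only in this rendering). "a SSL/TLS tunnel" should be "an SSL/TLS tunnel". The new paragraph explaining that the registered security-type name is "TLS" but the text says ANONTLS because only Anonymous Diffie-Hellman is possible is a useful clarification; it could close by saying that this is why no server certificate can be verified in this mode and -sslonly or certificate-checked "-ssl SAVE" is the choice when Man-In-The-Middle resistance matters.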
@ -1286,24 +1301,30 @@ void print_help(int mode) {
" \n "
" If mode is prefixed with \" newdh: \" , then new Diffie \n "
" Hellman parameters are generated for each connection \n "
" (this can be time consuming: 1-60 secs) rather than \n "
" using the fixed values in the program. Using fixed, \n "
" publicly known values is not known to be a security \n "
" problem. This setting applies to VeNCrypt as well. \n "
" See the description of \" plain: \" under -vencrypt. \n "
" (this can be time consuming: 1-60 secs; see -dhparams \n "
" below for a faster way) rather than using the \n "
" fixed values in the program. Using fixed, publicly \n "
" known values is not known to be a security problem. \n "
" This setting applies to VeNCrypt as well. See the \n "
" description of \" plain: \" under -vencrypt. \n "
" \n "
" Long example: - tlsvnc newdh:plain:support\n "
" Long example: - anon tls newdh:plain:support\n "
" \n "
" You *MUST* supply the -ssl option for TLSVNC to be\n "
" You *MUST* supply the -ssl option for ANON TLS to be\n "
" active. This option only fine-tunes its operation. \n "
" \n "
" -sslonly Same as: \" -vencrypt never -anontls never \" i.e. it \n "
" disables the VeNCrypt and ANONTLS encryption methods \n "
" and only allows standard SSL tunneling. You must also \n "
" supply the -ssl ... option (see below.) \n "
" \n "
" \n "
" -dhparams file For some operations a set of Diffie Hellman parameters \n "
" (prime and generator) is needed. If so, use the \n "
" parameters in \" file \" . In particular, the VeNCrypt and \n "
" TLSVNC anonymous DH mode need them. By default a \n "
" ANON TLS anonymous DH mode need them. By default a\n "
" fixed set is used. If you do not want to do that you \n "
" can specify \" newdh: \" to the -vencrypt and - tlsvnc \n "
" can specify \" newdh: \" to the -vencrypt and - anon tls\n "
" options to generate a new set each session. If that \n "
" is too slow for you, use -dhparams file to a set you \n "
" created manually via \" openssl dhparam -out file 1024 \" \n "
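Review bot: in -dhparams, "the VeNCrypt and ANON TLS anonymous DH mode need them" should be "modes need them"; the Long example "- anon tls newdh:plain:support" should use the "-anontls" spelling that -sslonly uses; and there are two consecutive blank lines between -sslonly and -dhparams where the rest of the help uses one. The -sslonly text's "see below" for -ssl is correct, since -ssl is documented after it.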
@ -1325,47 +1346,80 @@ void print_help(int mode) {
" http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-viewers \n "
" x11vnc provides an SSL enabled Java viewer applet in \n "
" the classes/ssl directory (-http or -httpdir options.) \n "
" The SSVNC viewer package supports SSL too. \n "
" The SSVNC viewer package supports SSL tunnels too. \n "
" \n "
" If the VNC Viewer supports VeNCrypt or ANONTLS (vino's \n "
" encryption mode) they are also supported by the -ssl \n "
" mode (see the -vencrypt and -anontls options for more \n "
" info; use -sslonly to disable both of them.) \n "
" \n "
" [pem] is optional, use \" -ssl /path/to/mycert.pem \" to \n "
" specify a PEM certificate file to use to identify and \n "
" U se \" -ssl /path/to/mycert.pem \" to specify an SSL \n "
" certificate file in PEM format to use to identify and\n "
" provide a key for this server. See openssl(1) for more \n "
" info about PEMs and the -sslGenCert and \" -ssl SAVE \" \n "
" options below for how to create them. \n "
" \n "
" The connecting VNC viewer SSL tunnel can (optionally) \n "
" authenticate this server if they have the public key \n "
" part of the certificate (or a common certificate \n "
" authority, CA, is a more sophisticated way to \n "
" verify this server's cert, see -sslGenCA below). \n "
" This is used to prevent Man-In-The-Middle attacks. \n "
" Otherwise, if the VNC viewer accepts this server's \n "
" key WITHOUT verification, the traffic is protected \n "
" from passive sniffing on the network, but *NOT* from \n "
" The connecting VNC viewer SSL tunnel can (at its option) \n "
" authenticate this server if it has the public key part \n "
" of the certificate (or a common certificate authority, \n "
" CA, is a more sophisticated way to verify this server's \n "
" cert, see -sslGenCA below). This authentication is \n "
" done to prevent Man-In-The-Middle attacks. Otherwise, \n "
" if the VNC viewer simply accepts this server's key \n "
" WITHOUT verification, the traffic is protected from \n "
" passive sniffing on the network, but *NOT* from \n "
" Man-In-The-Middle attacks. There are hacker tools \n "
" like dsniff/webmitm and cain that implement SSL \n "
" Man-In-The-Middle attacks. \n "
" \n "
" If [pem] is not supplied and the openssl(1) utility \n "
" If [pem] is empty or the string \" SAVE \" then the \n "
" openssl(1) command must be available to generate the \n "
" certificate the first time. A self-signed certificate \n "
" is generated (see -sslGenCA and -sslGenCert for use \n "
" of a Certificate Authority.) It will be saved to the \n "
" file ~/.vnc/certs/server.pem. On subsequent calls if \n "
" that file already exists it will be used directly. \n "
" \n "
" Use \" SAVE_NOPROMPT \" to avoid being prompted to \n "
" protect the generated key with a passphrase. However in \n "
" -inetd and -bg modes there will be no prompting for a \n "
" passphrase in either case. \n "
" \n "
" If [pem] is \" SAVE_PROMPT \" the server.pem certificate \n "
" will be created based on your answers to its prompts for \n "
" all info such as OrganizationalName, CommonName, etc. \n "
" \n "
" Use \" SAVE-<string> \" and \" SAVE_PROMPT-<string> \" \n "
" to refer to the file ~/.vnc/certs/server-<string>.pem \n "
" instead (it will be generated if it does not already \n "
" exist). E.g. \" SAVE-charlie \" will store to the file \n "
" ~/.vnc/certs/server-charlie.pem \n "
" \n "
" Examples: x11vnc -ssl SAVE -display :0 ... \n "
" x11vnc -ssl SAVE-someother -display :0 ... \n "
" \n "
" If [pem] is \" TMP \" and the openssl(1) utility \n "
" command exists in PATH, then a temporary, self-signed \n "
" certificate will be generated for this session \n "
" (this may take 5-30 seconds on very slow machines). \n "
" If openssl(1) cannot be used to generate a temporary \n "
" certificate x11vnc exits immediately. \n "
" certificate will be generated for this session . If \n "
" openssl(1) cannot be used to generate a temporary \n "
" certificate x11vnc exits immediately. The temporary\n "
" cert will be discarded when x11vnc exits .\n "
" \n "
" If successful in using openssl(1) to generate a \n "
" temporary certificate, the public part of it will be \n "
" displayed to stderr (e.g. one could copy it to the \n "
" client-side to provide authentication of the server to \n "
" VNC viewers.) \n "
" \n "
" NOTE: Unless you safely copy the public part of the \n "
" temporary Cert to the viewer for authenticate *every \n "
" time* (unlikely...), then only passive sniffing \n "
" attacks are prevented and you are still open to \n "
" Man-In-The-Middle attacks. See the following \n "
" paragraphs for how to save keys to reuse them when \n "
" x11vnc is restarted. With saved keys AND the VNC viewer \n "
" authenticating them by using the public certificate, \n "
" then Man-In-The-Middle attacks are prevented. \n "
" temporary certificate in \" SAVE \" or \" TMP \" creation \n "
" modes, the public part of it will be displayed to stderr \n "
" (e.g. one could copy it to the client-side to provide\n "
" authentication of the server to VNC viewers.)\n "
" \n "
" NOTE: In \" TMP \" mode, unless you safely copy the\n "
" public part of the temporary Cert to the viewer for\n "
" authenticate *every time* (unlikely...), then only\n "
" passive sniffing attacks are prevented and you are\n "
" still open to Man-In-The-Middle attacks. This is \n "
" why the default \" SAVE \" mode is preferred (and more \n "
" sophisticated CA mode too). Only with saved keys AND \n "
" the VNC viewer authenticating them (via the public \n "
" certificate), are Man-In-The-Middle attacks prevented.\n "
" \n "
" If [pem] is \" ANON \" then the Diffie-Hellman anonymous \n "
" key exchange method is used. In this mode there \n "
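Review bot: the SAVE_NOPROMPT paragraph says how to skip the passphrase prompt but not the consequence: the private key in ~/.vnc/certs/server.pem is then stored unencrypted on disk, and the same happens silently in -inetd and -bg modes. Suggest one sentence saying the file must be kept unreadable by other users (the CA hunk below already warns "care must be taken the private key part is not stolen"). Also, in the TMP paragraph "for this session . If" and "when x11vnc exits ." have a space before the period.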
@ -1374,34 +1428,16 @@ void print_help(int mode) {
" Thus only passive network sniffing attacks are avoided: \n "
" the \" ANON \" method is susceptible to Man-In-The-Middle \n "
" attacks. \" ANON \" is not recommended; instead use \n "
" a SSL PEM you created or the \" SAVE \" method in the \n "
" next paragraph. \n "
" \n "
" If [pem] is \" SAVE \" then the certificate will be saved \n "
" to the file ~/.vnc/certs/server.pem, or if that file \n "
" exists it will be used directly. Similarly, if [pem] \n "
" is \" SAVE_PROMPT \" the server.pem certificate will be \n "
" made based on your answers to its prompts for info such \n "
" as OrganizationalName, CommonName, etc. \n "
" \n "
" We expect most users to use \" -ssl SAVE \" . \n "
" \n "
" Use \" SAVE-<string> \" and \" SAVE_PROMPT-<string> \" \n "
" to refer to the file ~/.vnc/certs/server-<string>.pem \n "
" instead. E.g. \" SAVE-charlie \" will store to the file \n "
" ~/.vnc/certs/server-charlie.pem \n "
" \n "
" Examples: x11vnc -ssl SAVE -display :0 ... \n "
" x11vnc -ssl SAVE-other -display :0 ... \n "
" a SSL PEM you created or the defaut \" SAVE \" method. \n "
" \n "
" See -ssldir below to use a directory besides the \n "
" default ~/.vnc/certs \n "
" \n "
" Misc Info: In temporary cert creation mode , set the \n "
" env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print ou t\n "
" the entire certificate, including the PRIVATE KEY part, \n "
" to stderr. There are better ways to get/save this info. \n "
" See \" SAVE \" above and \" -sslGenCert \" below. \n "
" Misc Info: In temporary cert creation mode \" TMP \" , set \n "
" the env. var. X11VNC_SHOW_TMP_PEM=1 to have x11vnc print \n "
" out the entire certificate, including the PRIVATE KEY \n "
" part, to stderr. There are better ways to get/save this \n "
" info. See \" SAVE \" above and \" -sslGenCert \" below. \n "
" \n "
" -ssltimeout n Set SSL read timeout to n seconds. In some situations \n "
" (i.e. an iconified viewer in Windows) the viewer stops \n "
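Review bot: "defaut" in "or the defaut \"SAVE\" method" is a typo for "default". The removed SAVE / SAVE_PROMPT / SAVE-<string> paragraphs all reappear in the rewritten -ssl text above, so no documentation is lost, and the ANON "not recommended" sentence now correctly points at the default SAVE method.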
@ -1446,7 +1482,7 @@ void print_help(int mode) {
" \n "
" If [path] is a directory it contains the client (or CA) \n "
" certificates in separate files. If [path] is a file, \n "
" it contains multiple certificates. See special tokens\n "
" it contains one or more certificates. See special tokens\n "
" below. These correspond to the \" CApath = dir \" and \n "
" \" CAfile = file \" stunnel options. See the stunnel(8) \n "
" manpage for details. \n "
@ -1508,19 +1544,19 @@ void print_help(int mode) {
" VNC-ing with x11vnc. (note that they require openssl(1) \n "
" be installed on the system) \n "
" \n "
" However, the simplest usage mode (where x11vnc \n "
" automatically generates its own, self-signed, temporary \n "
" key and the VNC viewers always accept it, e.g. accepting \n "
" via a dialog box) is probably safe enough for most \n "
" scenarios. CA management is not needed.\n "
" However, the simplest usage mode , \" -ssl TMP \" (where\n "
" x11vnc automatically generates its own, self-signed,\n "
" temporary key and the VNC viewers always accept it,\n "
" e.g. accepting via a dialog box) is probably safe enough\n "
" for most scenarios. CA management is not needed.\n "
" \n "
" To protect against Man-In-The-Middle attacks the \n "
" simplest mode can be improved by using \" -ssl SAVE \" \n "
" to have x11vnc create a longer term self-signed \n "
" certificate, and then (safely) copy the corresponding \n "
" public key cert to the desired client machines (care \n "
" must be taken the private key part is not stolen; \n "
" you will be prompted for a passphrase).\n "
" To protect against Man-In-The-Middle attacks the \" TMP \" \n "
" mode can be improved by using \" -ssl SAVE \" (same as \n "
" \" -ssl \" , i.e. the default) to have x11vnc create a\n "
" longer term self-signed certificate, and then (safely)\n "
" copy the corresponding public key cert to the desired\n "
" client machines (care must be taken the private key part\n "
" is not stolen; you will be prompted for a passphrase).\n "
" \n "
" So keep in mind no CA key creation or management \n "
" (-sslGenCA and -sslGenCert) is needed for either of \n "
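Review bot: "probably safe enough for most scenarios" for "-ssl TMP" with viewers that "always accept" the key conflicts with the -ssl hunk above, which says TMP mode leaves you "still open to Man-In-The-Middle attacks" and that SAVE is preferred for that reason. Qualify it here, e.g. "safe enough against passive sniffing", and let the following paragraph carry the MITM reason for moving to "-ssl SAVE" plus copying the public cert to the viewers. The parenthetical "(same as \"-ssl\", i.e. the default)" is consistent with the new "[pem] is empty or the string SAVE" text.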
@ -1547,7 +1583,7 @@ void print_help(int mode) {
" be \" imported \" somehow. Web browsers have \" Manage \n "
" Certificates \" actions as does the Java applet plugin \n "
" Control Panel. stunnel can also use these files (see \n "
" the ss_vncviewer example script in the FAQ .)\n "
" the ss_vncviewer example script in the FAQ and SSVNC .)\n "
" \n "
" -sslCRL path Set the Certificate Revocation Lists (CRL) to \" path \" . \n "
" \n "
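Review bot: "in the FAQ and SSVNC ." has a stray space before the period.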
@ -3359,6 +3395,8 @@ void print_help(int mode) {
" -setdefer n When the -wait_ui mechanism cuts down the wait time ms, \n "
" set the defer time to the same ms value. n=1 to enable, \n "
" 0 to disable, and -1 to set defer to 0 (no delay). \n "
" Similarly, 2 and -2 indicate 'urgent_update' mode should \n "
" be used to push the updates even sooner. Default: 1 \n "
" -nowait_bog Do not detect if the screen polling is \" bogging down \" \n "
" and sleep more. Some activities with no user input can \n "
" slow things down a lot: consider a large terminal window \n "
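Review bot: "Similarly, 2 and -2 indicate 'urgent_update' mode should be used" does not say how 2 and -2 differ. Given the existing pattern (1 enables, -1 sets defer to 0), state explicitly that 2 = enable with urgent_update and -2 = defer 0 with urgent_update, if that is the intended mapping.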
@ -3367,10 +3405,11 @@ void print_help(int mode) {
" (3 screen polls in a row each longer than 0.25 sec with \n "
" no user input), and sleep up to 1.5 secs to let things \n "
" \" catch up \" . Use this option to disable that detection. \n "
" -slow_fb time Floating point time in seconds delay all screen polling. \n "
" For special purpose usage where a low frame rate is \n "
" acceptable and desirable, but you want the user input \n "
" processed at the normal rate so you cannot use -wait. \n "
" -slow_fb time Floating point time in seconds to delay all screen \n "
" polling. For special purpose usage where a low frame \n "
" rate is acceptable and desirable, but you want the \n "
" user input processed at the normal rate so you cannot \n "
" use -wait. \n "
" -xrefresh time Floating point time in seconds to indicate how often to \n "
" do the equivalent of xrefresh(1) to force all windows \n "
" (in the viewable area if -id, -sid, or -clip is used) \n "
@ -4356,6 +4395,7 @@ void print_help(int mode) {
" defer:n set -defer to n ms,same as deferupdate:n \n "
" wait:n set -wait to n ms. \n "
" wait_ui:f set -wait_ui factor to f. \n "
" setdefer:n set -setdefer to -2,-1,0,1, or 2. \n "
" wait_bog disable -nowait_bog mode. \n "
" nowait_bog enable -nowait_bog mode. \n "
" slow_fb:f set -slow_fb to f seconds. \n "
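Review bot: "set -setdefer to -2,-1,0,1, or 2." should have spaces after the commas ("-2, -1, 0, 1, or 2") to match the formatting of the other entries; the entry itself is consistent with the -setdefer hunk.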
@ -4515,15 +4555,15 @@ void print_help(int mode) {
" nowfl wirecopyrect wcr nowirecopyrect nowcr scr_area \n "
" scr_skip scr_inc scr_keys scr_term scr_keyrepeat \n "
" scr_parms scrollcopyrect scr noscrollcopyrect noscr \n "
" fixscreen noxrecord xrecord reset_record pointer_mode \n "
" pm input_skip allinput noallinput input grabkbd\n "
" nograbkbd grabptr nograbptr grabalways nograbalways\n "
" grablocal client_input ssltimeout speeds wmdt\n "
" debug_pointer dp nodebug_pointer nodp debug_keyboard\n "
" dk nodebug_keyboard nodk keycode deferupdate defer\n "
" wait_ ui wait_ bog nowait_bog slow_fb xrefresh wait\n "
" readtimeout nap nonap sb screen_blank fbpm nofbpm dpms\n "
" nodpms clientdpms noclientdpms forcedpms noforcedpms\n "
" fixscreen noxrecord xrecord reset_record pointer_mode pm \n "
" input_skip allinput noallinput input grabkbd no grabkbd\n "
" grabptr nograbptr grabalways nograbalways grablocal \n "
" client_input ssltimeout speeds wmdt debug_pointer dp \n "
" nodebug_pointer nodp debug_keyboard dk no debug_keyboard\n "
" nodk keycode deferupdate defer setdefer wait_ui \n "
" wait_ bog nowait_bog slow_fb xrefresh wait readtimeou t\n "
" nap nonap sb screen_blank fbpm nofbpm dpms no dpms\n "
" clientdpms noclientdpms forcedpms noforcedpms\n "
" noserverdpms serverdpms noultraext ultraext chatwindow \n "
" nochatwindow chaton chatoff fs gaps grow fuzz snapfb \n "
" nosnapfb rawfb uinput_accel uinput_thresh uinput_reset \n "
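Review bot: as rendered, several tokens in the reflowed list carry internal spaces ("no grabkbd", "no debug_keyboard", "no dpms", "wait_ bog", "readtimeou t"), and the old lines show the same for "wait_ ui". If those spaces are in the source rather than in this rendering they split real tokens into nonexistent ones, so verify the hunk with whitespace visible. The new "setdefer" token matches the setdefer:n entry added in the previous hunk.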