You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
libtdevnc/classes/ssl
runge 81c05e4a2c
update classes/ssl jars, patches, and script
14 years ago
..
Makefile.am classes/ssl: improve timeouts, port fallback, and connection time. 17 years ago
README classes/ssl: Many improvements to Java SSL applet, onetimekey 15 years ago
SignedUltraViewerSSL.jar update classes/ssl jars, patches, and script 14 years ago
SignedVncViewer.jar update classes/ssl jars, patches, and script 14 years ago
UltraViewerSSL.jar update classes/ssl jars, patches, and script 14 years ago
VncViewer.jar update classes/ssl jars, patches, and script 14 years ago
index.vnc misc/etv sync. 15 years ago
onetimekey classes/ssl: Many improvements to Java SSL applet, onetimekey 15 years ago
proxy.vnc misc/etv sync. 15 years ago
ss_vncviewer update classes/ssl jars, patches, and script 14 years ago
tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch SSL patch for Java viewer. https support for x11vnc. 19 years ago
tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch update classes/ssl jars, patches, and script 14 years ago
ultra.vnc misc/etv sync. 15 years ago
ultraproxy.vnc misc/etv sync. 15 years ago
ultrasigned.vnc misc/etv sync. 15 years ago
ultravnc-102-JavaViewer-ssl-etc.patch update classes/ssl jars, patches, and script 14 years ago

README

This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

	tightvnc-1.3dev7_javasrc.tar.gz  

currently (4/06) available here:

   http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

	- fix richcursor colors

	- make the Java Applet cursor (not the cursor drawn to the canvas
	  framebuffer) invisible when it is inside the canvas.

	- allow Tab (and some other) keystrokes to be sent to the vnc
	  server instead of doing widget traversal.


This SSL applet should work with any VNC viewer that has an SSL tunnel in
front of it.  It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this Vnc Viewer will only do SSL.  To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).

Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy).  See the info in the proxy.vnc
file for a workaround.  It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar.  The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin.  It may not work on older releases or different vendor VM's.
Send full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly.   x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state.  For one case we saw the JVM requesting VncViewer.class
even when no such file exists.


---------------------------------------------------------------
Extras:

ss_vncviewer (not Java):

        Wrapper script for native VNC viewer to connect to x11vnc in
        SSL mode.  Script launches stunnel(8) and then connects to it
        via localhost which in turn is then redirected to x11vnc via an
        SSL tunnel.  stunnel(8) must be installed and available in PATH.


Running Java SSL VncViewer from the command line:

	From this directory:

	java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

	substitute <thehost> and <theport> with the actual values.
	You can add any other parameters, e.g.: ignoreProxy yes

---------------------------------------------------------------
UltraVNC:

The UltraVNC java viewer has also been patched to support SSL.  Various
bugs in the UltraVNC java viewer were also fixed.  This viewer can be
useful because is support UltraVNC filetransfer, and so it works on
Unix, etc.

UltraViewerSSL.jar
SignedUltraViewerSSL.jar
ultra.vnc
ultraproxy.vnc
ultravnc-102-JavaViewer-ssl-etc.patch

---------------------------------------------------------------
Applet Parameters:

Some additional applet parameters can be set via the URL, e.g.

	http://host:5800/?param=value
	http://host:5800/ultra.vnc?param=value
	https://host:5900/ultra.vnc?param=value

etc.  If running java from command line as show above, it comes
in as java ... VncViewer param value ... 

There is a limitation with libvncserver that param and value can
only be alphanumeric, underscore, "+" (for space), or "."

We have added some applet parameters to the stock VNC java
viewers.  Here are the applet parameters:

Both TightVNC and UltraVNC Java viewers:

  HOST
	string, default: none.
	The Hostname to connect to.
	
  PORT
	number, default: 0
	The VNC server port to connect to.

  Open New Window
	yes/no, default: no
	Run applet in separate frame.

  Show Controls
	yes/no, default: yes
	Show Controls button panel.

  Show Offline Desktop
	yes/no, default: no
	Do we continue showing desktop on remote disconnect?

  Defer screen updates
	number, default: 20
	Milliseconds delay

  Defer cursor updates
	number, default: 10
	Milliseconds delay

  Defer update requests
	number, default: 50
	Milliseconds delay

  PASSWORD
	string, default: none
	VNC session password in plain text.

  ENCPASSWORD
	string, default: none
	VNC session password in encrypted in DES with KNOWN FIXED
	key.  It is a hex string.  This is like the ~/.vnc/passwd format.
  
  
  The following are added by x11vnc and/or ssvnc project
  
  VNCSERVERPORT
	number, default: 0
	Like PORT, but if there is a firewall this is the Actual VNC
	server port.  PORT might be a redir port on the firewall.

  DisableSSL
	yes/no, default: no
	Do unencrypted connection, no SSL. 

  httpsPort
	number, default: none
	When checking for proxy, use this at the url port number.

  CONNECT
	string, default: none
	Sets to host:port for the CONNECT line to a Web proxy. 
	The Web proxy should connect us to it.

  GET
	yes/no, default: no
	Set to do a special HTTP GET (/request.https.vnc.connection)
	to the vnc server that will cause it to switch to VNC instead.
	This is to speedup/make more robust, the single port HTTPS and VNC
	mode of x11vnc (e.g. both services thru port 5900, etc) 
	
  urlPrefix
	string, default: none
	set to a string that will be prefixed to all URL's when contacting
	the VNC server.  Idea is a special proxy will use this to indicate
	internal hostname, etc.

  oneTimeKey
	string, default: none
	set a special hex "key" to correspond to an SSL X.509 cert+key.
	See the 'onetimekey' helper script.  Can also be PROMPT to prompt
	the user to paste the hex key string in.

	This provides a Client-Side cert+key that the client will use to
	authenticate itself by SSL To the VNC Server.

	This is to try to work around the problem that the Java applet
	cannot keep an SSL keystore on disk, etc.  E.g. if they log
	into an HTTPS website via password they are authenticated and
	encrypted, then the website can safely put oneTimeKey=... on the
	URL.  The Vncviewer authenticates the VNC server with this key.

	Note that there is currently a problem in that if x11vnc requires
	Client Certificates the user cannot download the index.vnc HTML
	and VncViewer.jar from the same x11vnc.  Those need to come from
	a different x11vnc or from a web server.

	Note that the HTTPS website can also put the VNC Password
	(e.g. a temporary/one-time one) in the parameter PASSWORD.
	The Java Applet will automatically supply this VNC password
	instead of prompting.

  serverCert
	string, default: none
	set a special hex "cert" to correspond to an SSL X.509 cert
	See the 'onetimekey -certonly' helper script.

	This provides a Server-Side cert that the client will authenticate
	the VNC Server against by SSL.

	This is to try to work around the problem that the Java applet
	cannot keep an SSL keystore on disk, etc.  E.g. if they log
	into an HTTPS website via password they are authenticated and
	encrypted, then the website can safely put serverCert=... on the
	URL.

	Of course the VNC Server is sending this string to the Java
	Applet, so this is only reasonable security if the VNC Viewer
	already trusts the HTTPS retrieval of the URL + serverCert param
	that it gets.  This should be done over HTTPS not HTTP.

  proxyHost
	string, default: none
	Do not try to guess the proxy's hostname, use the value in
	proxyHost.  Does not imply forceProxy (below.)

  proxyPort
	string, default: none
	Do not try to guess the proxy's port number, use the value in
	proxyPort.  Does not imply forceProxy (below.)

  forceProxy
	yes/no, default: no
	Assume there is a proxy and force its use.

	If a string other than "yes" or "no" is given, it implies "yes"
	and uses the string for proxyHost and proxyPort (see above).
	In this case the string must be of the form "hostname+port".
	Note that it is "+" and not ":" before the port number.

  ignoreProxy
	yes/no, default: no
	Don't check for a proxy, assume there is none.

  trustAllVncCerts
	yes/no, default: no
	Automatically trust any cert received from the VNC server
	(obviously this could be dangerous and lead to man in the
	middle attack).  Do not ask the user to verify any of these
	certs from the VNC server.

  trustUrlVncCert
	yes/no, default: no
	Automatically trust any cert that the web browsers has accepted.
	E.g. the user said "Yes" or "Continue" to a web browser dialog
	regarding a certificate.  If we get the same cert (chain) from
	the VNC server we trust it without prompting the user.

  debugCerts
	yes/no, default: no
	Print out every cert in the Server, TrustUrl, TrustAll chains.


TightVNC Java viewer only:

  Offer Relogin
	yes/no, default: yes
	"Offer Relogin" set to "No" disables "Login again" 

  SocketFactory
	string, default: none
	set Java Socket class factory.

UltraVNC Java viewer only:

  None.

  The following are added by x11vnc and/or ssvnc project
  
  ftpDropDown
	string, default: none
	Sets the file transfer "drives" dropdown to the "." separated
	list.  Use "+" for space. The default is

		My+Documents.Desktop.Home

	for 3 entries in the dropdown in addition to the "drives"
	(e.g. C:\)  These items should be expanded properly by the VNC
	Server.  x11vnc will prepend $HOME to them, which is normally
	what one wants.  To include a "/" use "_2F_".  Another example:

		Home.Desktop.bin_2F_linux

	If an item is prefixed with "TOP_" then the item is inserted at
	the top of the drop down rather than being appended to the end.
	E.g. to try to initially load the user homedir instead of /:

		TOP_Home.My+Documents.Desktop

	If ftpDropDown is set to the empty string, "", then no special
	locations, [Desktop] etc., are placed in the drop down.  Only the
	ultravnc "drives" will appear.

  ftpOnly
	yes/no, default: no
	The VNC viewer only shows the filetransfer panel, no desktop
	is displayed.

  graftFtp
	yes/no, default: no
	As ftpOnly, the VNC viewer only shows the filetransfer panel,
	no desktop is displayed, however it is "grafted" onto an existing
	SSVNC unix vncviewer.  The special SSVNC vncviewer merges the two
	channels.

  dsmActive
	yes/no, default: no
	Special usage mode with the SSVNC unix vncviewer.  The UltraVNC
	DSM encryption is active.  Foolishly, UltraVNC DSM encryption
	*MODIFIES* the VNC protocol when active (it is not a pure tunnel).
	This option indicates to modify the VNC protocol to make this work. 
	Usually only used with graftFtp and SSVNC unix vncviewer.

  delayAuthPanel
	yes/no, default: no
	This is another special usage mode with the SSVNC unix vncviewer.
	A login panel is delayed (not shown at startup.)  Could be useful
	for non SSVNC usage too.

  ignoreMSLogonCheck
	yes/no, default: no
	Similar to delayAuthPanel, do not put up a popup asking for
	Windows username, etc.