You are not logged in.
- Topics: Active | Unanswered
#1 2018-01-20 15:52:32
- ottagono
- Member
- Registered: 2017-12-16
- Posts: 6
TigerVNC cannot encrypt data via X509Vnc
Hi guys,
I followed this page in order to setup and install TigerVNC on my computer.
I need to connect my existing X11 session, so you will use x0vncserver. I would like to encrypt the data using an X509 certificate. Here is my systemd service:
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target
[Service]
Type=forking
User=ottagono
ExecStart=/usr/bin/sh -c '/usr/bin/x0vncserver -X509Key /home/ottagono/Documents/Certificates/privkey.pem -X509Cert /home/ottagono/Documents/Certificates/fullchain.pem -SecurityTypes X509Vnc -display :0 -rfbport 5900 -passwordfile /home/ottagono/.vnc/passwd &'
[Install]
WantedBy=multi-user.targetI got the X509 certificates from Let's Encrypt (as reccomened in the Arch page). I used certbot and verified my domain with the DNS record.
The problem is I cannot connect to my server (both via IP or DNS name). I got this error (from the client): "Invalid status of server certificate verification" (here is the output of vncviewer command and here the server output)
I have already checked the permissions on the .pem files, however without using only the password file as authentication method everything works.
I don't think the client needs some certificate; maybe the certificates issued by Let's Encrypt aren't suitable for VNC? I don't know, any advice is appreciated. Thank you.
Last edited by ottagono (2018-01-20 16:02:26)
Offline
#2 2018-01-20 16:55:25
- graysky
- Wiki Maintainer
- From: :wq
- Registered: 2008-12-01
- Posts: 10,597
- Website
Re: TigerVNC cannot encrypt data via X509Vnc
Seems like too much work... more simple method is ssh tunneling which is much better encryption.
% ssh server.domain.com -L 5900:localhost:5900
% x0vncserver -display :0 -passwordfile ~/.vnc/passwdNow you're initiated a tunnel and are running the server.
Open a 2nd shell and run vncviewer:
vncviewer -passwd ~/.vnc/passwd localhostCPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
#3 2018-01-20 17:48:31
- ottagono
- Member
- Registered: 2017-12-16
- Posts: 6
Re: TigerVNC cannot encrypt data via X509Vnc
Thank you for replying.
Yeah, I know that alternative method. Anyway, if someone can help me, I would prefer to use the X509 certificates. Because I need to connect to my server from my android phone and for didactic purpose. (It has to work!)
Offline
#4 2018-01-20 21:34:55
- R00KIE
- Forum Fellow
- From: Between a computer and a chair
- Registered: 2008-09-14
- Posts: 4,734
Re: TigerVNC cannot encrypt data via X509Vnc
Messing with certificates for didactic purposes is like asking to be poked with a needle. That said I would guess that you don't actually need a certificate issued by Let's Encrypt.
The wiki says:
Issuing x509 certificates is beyond the scope of this guide. However, this is expected to be straightforward after the public launch of Let's Encrypt. Alternatively, one can issue certificates using OpenSSL and manually share the keys between server and client using email for instance.
Go with the openssl tutorial so that you control all the elements of the chain, from the CA to issuing and signing the certificates, once you have figured it out you can go ahead and use certificates issued by Let's Encrypt and find out if those actually work.
My personal choice would be to setup a vpn and access the vnc server through the vpn, that way you avoid exposing the vnc server directly to the big bad internet.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
#5 2018-01-21 16:35:31
- ottagono
- Member
- Registered: 2017-12-16
- Posts: 6
Re: TigerVNC cannot encrypt data via X509Vnc
Thank you for replying.
I found the problem: the client needs the certificate. The correct command is:
vncviewer 192.168.1.10 -X509CA /home/ottagono/Documents/Certificates/fullchain.pemI thought the server would sent the certificate to the client, I was wrong. (Doesn't happen that with HTTPS protocol?)
Anyway it seems if the private key is encrypted with a passphrase VNC server cannot open it. (There aren't parameter to specify it) I tried with both OpenSSL self-signed certificate and Let's Encrypt.
However I will surely consider your advice to setup a VPN.
Thank you.
Offline
#6 2018-01-21 17:11:44
- graysky
- Wiki Maintainer
- From: :wq
- Registered: 2008-12-01
- Posts: 10,597
- Website
Re: TigerVNC cannot encrypt data via X509Vnc
@OP - If the solution is not clearly articulated on the wiki page, would you mind doing so?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
#7 2018-01-21 17:22:07
- R00KIE
- Forum Fellow
- From: Between a computer and a chair
- Registered: 2008-09-14
- Posts: 4,734
Re: TigerVNC cannot encrypt data via X509Vnc
From the man pages I would also expect the server to send the certificate to the client, and then the client would check with the CA certificate if the server certificate had been properly signed by the CA. Every program seems to have it's quirks and making sure things are actually secure may require jumping through some hoops and banging with head against the monitor a few times 
Regarding setting up a vpn, look here https://wiki.archlinux.org/index.php/OpenVPN
There are other options but openvpn is probably going to be the free solution with best all around compatibility/platform support. Since you mention android I've settle with "OpenVPN for Android" by Arne Schwabe as it seems to support more modern features that the "OpenVPN Connect" client does not support (or did not support last time I looked).
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
#8 2018-01-21 17:27:36
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,190
Re: TigerVNC cannot encrypt data via X509Vnc
It may be that vncviewer doesn't trust the Let's Encrypt CA, so you have to specify it with X509CA. Did you try to only use chain.pem instead of fullchain.pem or maybe even only the letsencrypt root (ISRG Root X1) with vncviewer? (the server always needs fullchain)
https://letsencrypt.org/certificates/
Last edited by progandy (2018-01-21 17:29:31)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#9 2018-01-23 20:40:03
- ottagono
- Member
- Registered: 2017-12-16
- Posts: 6
Re: TigerVNC cannot encrypt data via X509Vnc
@OP - If the solution is not clearly articulated on the wiki page, would you mind doing so?
I have never modified the wiki before. As soon as possible I will read up how to do that.
From the man pages I would also expect the server to send the certificate to the client, and then the client would check with the CA certificate if the server certificate had been properly signed by the CA. Every program seems to have it's quirks and making sure things are actually secure may require jumping through some hoops and banging with head against the monitor a few times
Regarding setting up a vpn, look here https://wiki.archlinux.org/index.php/OpenVPN
There are other options but openvpn is probably going to be the free solution with best all around compatibility/platform support. Since you mention android I've settle with "OpenVPN for Android" by Arne Schwabe as it seems to support more modern features that the "OpenVPN Connect" client does not support (or did not support last time I looked).
I setup an OpenVPN server and it works smoothly.
It may be that vncviewer doesn't trust the Let's Encrypt CA, so you have to specify it with X509CA. Did you try to only use chain.pem instead of fullchain.pem or maybe even only the letsencrypt root (ISRG Root X1) with vncviewer? (the server always needs fullchain)
https://letsencrypt.org/certificates/
I tried with both cert.pem and ISRG Root X1, neither works. Only with the fullchain.pem it seems work.
I setup a nginx server and my browser recognize it as valid HTTPS server, so the certificate itself it's ok.
Last edited by ottagono (2018-01-23 20:40:49)
Offline