You are not logged in.

#1 2018-01-20 15:52:32

ottagono
Member
Registered: 2017-12-16
Posts: 6

TigerVNC cannot encrypt data via X509Vnc

Hi guys,
I followed this page in order to setup and install TigerVNC on my computer.

I need to connect my existing X11 session, so you will use x0vncserver. I would like to encrypt the data using an X509 certificate. Here is my systemd service:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target
  
[Service]
Type=forking
User=ottagono
ExecStart=/usr/bin/sh -c '/usr/bin/x0vncserver -X509Key /home/ottagono/Documents/Certificates/privkey.pem -X509Cert /home/ottagono/Documents/Certificates/fullchain.pem -SecurityTypes X509Vnc -display :0 -rfbport 5900 -passwordfile /home/ottagono/.vnc/passwd &'
 
[Install]
WantedBy=multi-user.target

I got the X509 certificates from Let's Encrypt (as reccomened in the Arch page). I used certbot and verified my domain with the DNS record.

The problem is I cannot connect to my server (both via IP or DNS name). I got this error (from the client): "Invalid status of server certificate verification" (here is the output of vncviewer command and here the server output)

I have already checked the permissions on the .pem files, however without using only the password file as authentication method everything works.

I don't think the client needs some certificate; maybe the certificates issued by Let's Encrypt aren't suitable for VNC? I don't know, any advice is appreciated. Thank you.

Last edited by ottagono (2018-01-20 16:02:26)

Offline

#2 2018-01-20 16:55:25

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 9,461
Website

Re: TigerVNC cannot encrypt data via X509Vnc

Seems like too much work... more simple method is ssh tunneling which is much better encryption.

% ssh server.domain.com -L 5900:localhost:5900
% x0vncserver -display :0 -passwordfile ~/.vnc/passwd

Now you're initiated a tunnel and are running the server.

Open a 2nd shell and run vncviewer:

vncviewer -passwd ~/.vnc/passwd localhost

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs • 1.21 JIGOWATTS!

Offline

#3 2018-01-20 17:48:31

ottagono
Member
Registered: 2017-12-16
Posts: 6

Re: TigerVNC cannot encrypt data via X509Vnc

Thank you for replying.
Yeah, I know that alternative method. Anyway, if someone can help me, I would prefer to use the X509 certificates. Because I need to connect to my server from my android phone and for didactic purpose. (It has to work!)

Offline

#4 2018-01-20 21:34:55

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,682

Re: TigerVNC cannot encrypt data via X509Vnc

Messing with certificates for didactic purposes is like asking to be poked with a needle. That said I would guess that you don't actually need a certificate issued by Let's Encrypt.

The wiki says:

Issuing x509 certificates is beyond the scope of this guide. However, this is expected to be straightforward after the public launch of Let's Encrypt. Alternatively, one can issue certificates using OpenSSL and manually share the keys between server and client using email for instance.

Go with the openssl tutorial so that you control all the elements of the chain, from the CA to issuing and signing the certificates, once you have figured it out you can go ahead and use certificates issued by Let's Encrypt and find out if those actually work.

My personal choice would be to setup a vpn and access the vnc server through the vpn, that way you avoid exposing the vnc server directly to the big bad internet.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#5 2018-01-21 16:35:31

ottagono
Member
Registered: 2017-12-16
Posts: 6

Re: TigerVNC cannot encrypt data via X509Vnc

Thank you for replying.
I found the problem: the client needs the certificate. The correct command is:

vncviewer 192.168.1.10 -X509CA /home/ottagono/Documents/Certificates/fullchain.pem

I thought the server would sent the certificate to the client, I was wrong. (Doesn't happen that with HTTPS protocol?)
Anyway it seems if the private key is encrypted with a passphrase VNC server cannot open it. (There aren't parameter to specify it) I tried with both OpenSSL self-signed certificate and Let's Encrypt.

However I will surely consider your advice to setup a VPN.
Thank you.

Offline

#6 2018-01-21 17:11:44

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 9,461
Website

Re: TigerVNC cannot encrypt data via X509Vnc

@OP - If the solution is not clearly articulated on the wiki page, would you mind doing so?


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs • 1.21 JIGOWATTS!

Offline

#7 2018-01-21 17:22:07

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,682

Re: TigerVNC cannot encrypt data via X509Vnc

From the man pages I would also expect the server to send the certificate to the client, and then the client would check with the CA certificate if the server certificate had been properly signed by the CA. Every program seems to have it's quirks and making sure things are actually secure may require jumping through some hoops and banging with head against the monitor a few times tongue

Regarding setting up a vpn, look here https://wiki.archlinux.org/index.php/OpenVPN

There are other options but openvpn is probably going to be the free solution with best all around compatibility/platform support. Since you mention android I've settle with "OpenVPN for Android" by Arne Schwabe as it seems to support more modern features that the "OpenVPN Connect" client does not support (or did not support last time I looked).


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#8 2018-01-21 17:27:36

progandy
Member
Registered: 2012-05-17
Posts: 2,874

Re: TigerVNC cannot encrypt data via X509Vnc

It may be that vncviewer doesn't trust the Let's Encrypt CA, so you have to specify it with X509CA. Did you try to only use chain.pem instead of fullchain.pem or maybe even only the letsencrypt root (ISRG Root X1) with vncviewer? (the server always needs fullchain)
https://letsencrypt.org/certificates/

Last edited by progandy (2018-01-21 17:29:31)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#9 2018-01-23 20:40:03

ottagono
Member
Registered: 2017-12-16
Posts: 6

Re: TigerVNC cannot encrypt data via X509Vnc

graysky wrote:

@OP - If the solution is not clearly articulated on the wiki page, would you mind doing so?

I have never modified the wiki before. As soon as possible I will read up how to do that.

R00KIE wrote:

From the man pages I would also expect the server to send the certificate to the client, and then the client would check with the CA certificate if the server certificate had been properly signed by the CA. Every program seems to have it's quirks and making sure things are actually secure     may require jumping through some hoops and banging with head against the monitor a few times tongue

Regarding setting up a vpn, look here https://wiki.archlinux.org/index.php/OpenVPN

There are other options but openvpn is probably going to be the free solution with best all around compatibility/platform support. Since you mention android I've settle with "OpenVPN for Android" by Arne Schwabe as it seems to support more modern features that the "OpenVPN Connect" client does not support (or did not support last time I looked).

I setup an OpenVPN server and it works smoothly.

progandy wrote:

It may be that vncviewer doesn't trust the Let's Encrypt CA, so you have to specify it with X509CA. Did you try to only use chain.pem instead of fullchain.pem or maybe even only the letsencrypt root (ISRG Root X1) with vncviewer? (the server always needs fullchain)
https://letsencrypt.org/certificates/

I tried with both cert.pem and ISRG Root X1, neither works. Only with the fullchain.pem it seems work.
I setup a nginx server and my browser recognize it as valid HTTPS server, so the certificate itself it's ok.

Last edited by ottagono (2018-01-23 20:40:49)

Offline

Board footer

Powered by FluxBB