This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

    tightvnc-1.3dev7_javasrc.tar.gz

currently (4/06) available here:

    http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

  - fix richcursor colors

  - make the Java Applet cursor (not the cursor drawn to the canvas
    framebuffer) invisible when it is inside the canvas.

  - allow Tab (and some other) keystrokes to be sent to the vnc
    server instead of doing widget traversal.

This SSL applet should work with any VNC server that has an SSL tunnel in
front of it. It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this VNC Viewer will only do SSL. To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).
With DisableSSL the VNC password and the whole session cross the network
in the clear, so only use it on a trusted network or inside some other
tunnel.

Proxies: they are a general problem with Java socket applets (a socket
connection does not go through the browser's HTTP proxy). See the info
in the proxy.vnc file for a workaround. It uses SignedVncViewer.jar,
which is simply a signed version of VncViewer.jar. The basic idea is
that the user clicks "Yes" to trust the applet, and it can then connect
directly to the proxy and issue an HTTP CONNECT request.

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin. It may not work on older releases or different vendors' VMs.
Send the full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly. x11vnc has to wait to see whether the traffic is VNC or
HTTP, and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state. In one case we saw the JVM requesting VncViewer.class
even though no such file exists.

---------------------------------------------------------------
Extras:

ss_vncviewer (not Java):

    Wrapper script for a native VNC viewer to connect to x11vnc in
    SSL mode. The script launches stunnel(8) and then connects the
    viewer to it via localhost; stunnel in turn forwards the traffic
    to x11vnc through an SSL tunnel. stunnel(8) must be installed and
    available in PATH.

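The shape of such a wrapper, as an added example in Python rather than the
project's own ss_vncviewer shell script: it writes the stunnel(8) client
configuration for a localhost listener that forwards over SSL to the VNC
server, starts stunnel, and runs the native viewer against the listener.
The viewer command "vncviewer localhost:N", the pid file path and the
optional CA file for server certificate verification are assumptions of
this example, not things the README specifies.

```python
"""Added example (not the ss_vncviewer script itself): build the stunnel(8)
client configuration a wrapper like ss_vncviewer needs, then launch stunnel
and a native viewer against the local listener.

Assumptions (not from the README): the native viewer is invoked as
"vncviewer localhost:<display>", and the x11vnc server's certificate is
available as a PEM file when verification is wanted.
"""
import os
import subprocess
import sys
import tempfile


def stunnel_config(host, port, local_port, cafile=None,
                   pidfile="/tmp/ss_stunnel.pid"):
    """Return stunnel client config text: listen on 127.0.0.1:local_port,
    forward over SSL to host:port.

    With cafile set, stunnel checks the server certificate against it
    (verify = 2: require a peer cert and fail on mismatch). Without it the
    tunnel is encrypted but unauthenticated, i.e. open to an active
    man-in-the-middle, the same weakness as the applet's trustAllVncCerts.
    """
    lines = [
        "client = yes",
        "foreground = yes",   # so the Popen handle below is stunnel itself
        "pid = %s" % pidfile,
        "",
        "[vnc]",
        "accept = 127.0.0.1:%d" % local_port,
        "connect = %s:%d" % (host, port),
    ]
    if cafile:
        lines[1:1] = ["verify = 2", "CAfile = %s" % cafile]
    return "\n".join(lines) + "\n"


def local_display(local_port):
    """VNC display number for a local port (display N listens on 5900+N)."""
    return local_port - 5900


def run(host, port=5900, local_port=5901, cafile=None):
    """Start stunnel on the generated config, then the native viewer;
    stunnel is terminated when the viewer exits."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(stunnel_config(host, port, local_port, cafile))
        conf = f.name
    tunnel = subprocess.Popen(["stunnel", conf])
    try:
        subprocess.call(["vncviewer",
                         "localhost:%d" % local_display(local_port)])
    finally:
        tunnel.terminate()
        os.unlink(conf)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s host [port] [cafile]" % sys.argv[0])
    run(sys.argv[1],
        int(sys.argv[2]) if len(sys.argv) > 2 else 5900,
        cafile=sys.argv[3] if len(sys.argv) > 3 else None)
```

Without a CAfile the stunnel leg has no way to tell x11vnc from an
interceptor presenting its own certificate, so pass the server's
certificate whenever it can be obtained out of band.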
Running Java SSL VncViewer from the command line:

    From this directory:

        java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

    substitute <thehost> and <theport> with the actual values.
    You can add any other parameters, e.g.: ignoreProxy yes

---------------------------------------------------------------
UltraVNC:

The UltraVNC java viewer has also been patched to support SSL. Various
bugs in the UltraVNC java viewer were also fixed. This viewer can be
useful because it supports UltraVNC filetransfer, and so it works on
Unix, etc.

    UltraViewerSSL.jar
    SignedUltraViewerSSL.jar
    ultra.vnc
    ultraproxy.vnc
    ultravnc-102-JavaViewer-ssl-etc.patch

---------------------------------------------------------------
Applet Parameters:

Some additional applet parameters can be set via the URL, e.g.

    http://host:5800/?param=value
    http://host:5800/ultra.vnc?param=value
    https://host:5900/ultra.vnc?param=value

etc. If running java from the command line as shown above, it comes
in as "java ... VncViewer param value ...".

There is a limitation with libvncserver that param and value can
only be alphanumeric, underscore, "+" (for space), or "." Anything
else (":" in a host:port, "/" in a path, etc.) must be encoded with
those characters; see forceProxy and ftpDropDown below for how the
x11vnc parameters do it.

We have added some applet parameters to the stock VNC java
viewers. Here are the applet parameters:

Both TightVNC and UltraVNC Java viewers:

    HOST
        string, default: none.
        The Hostname to connect to.

    PORT
        number, default: 0
        The VNC server port to connect to.

    Open New Window
        yes/no, default: no
        Run applet in separate frame.

    Show Controls
        yes/no, default: yes
        Show Controls button panel.

    Show Offline Desktop
        yes/no, default: no
        Do we continue showing desktop on remote disconnect?

    Defer screen updates
        number, default: 20
        Milliseconds delay

    Defer cursor updates
        number, default: 10
        Milliseconds delay

    Defer update requests
        number, default: 50
        Milliseconds delay

    PASSWORD
        string, default: none
        VNC session password in plain text.

    ENCPASSWORD
        string, default: none
        VNC session password encrypted in DES with a KNOWN FIXED
        key. It is a hex string. This is like the ~/.vnc/passwd format.
        Because the key is fixed and public, this is obfuscation, not
        protection: anyone who sees the URL or the applet parameters
        can recover the plaintext password, so treat it exactly like
        PASSWORD.

The following are added by x11vnc and/or ssvnc project:

    VNCSERVERPORT
        number, default: 0
        Like PORT, but if there is a firewall this is the Actual VNC
        server port. PORT might be a redir port on the firewall.

    DisableSSL
        yes/no, default: no
        Do unencrypted connection, no SSL.

    httpsPort
        number, default: none
        When checking for a proxy, use this as the URL port number.

    CONNECT
        string, default: none
        Set to host:port for the CONNECT line to a Web proxy.
        The Web proxy should connect us to it.

    GET
        yes/no, default: no
        Set to do a special HTTP GET (/request.https.vnc.connection)
        to the vnc server that will cause it to switch to VNC instead.
        This is to speed up, and make more robust, the single port HTTPS
        and VNC mode of x11vnc (e.g. both services thru port 5900, etc)

    urlPrefix
        string, default: none
        Set to a string that will be prefixed to all URLs when contacting
        the VNC server. The idea is that a special proxy will use this to
        indicate an internal hostname, etc.

    oneTimeKey
        string, default: none
        Set a special hex "key" corresponding to an SSL X.509 cert+key.
        See the 'onetimekey' helper script. Can also be PROMPT to prompt
        the user to paste the hex key string in.

        This provides a Client-Side cert+key that the client will use to
        authenticate itself by SSL to the VNC Server.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc. E.g. if the user logs
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put oneTimeKey=... on the
        URL. The VncViewer then authenticates itself to the VNC server
        with this key. Since a private key in a URL can end up in browser
        history and in proxy or web server logs, it should be a short-lived
        key used once, as the name suggests.

        Note that there is currently a problem in that if x11vnc requires
        Client Certificates the user cannot download the index.vnc HTML
        and VncViewer.jar from the same x11vnc. Those need to come from
        a different x11vnc or from a web server.

        Note that the HTTPS website can also put the VNC Password
        (e.g. a temporary/one-time one) in the parameter PASSWORD.
        The Java Applet will automatically supply this VNC password
        instead of prompting.

    serverCert
        string, default: none
        Set a special hex "cert" corresponding to an SSL X.509 cert.
        See the 'onetimekey -certonly' helper script.

        This provides a Server-Side cert that the client will authenticate
        the VNC Server against by SSL.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc. E.g. if the user logs
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put serverCert=... on the
        URL.

        Of course the VNC Server is sending this string to the Java
        Applet, so this is only reasonable security if the VNC Viewer
        already trusts the HTTPS retrieval of the URL + serverCert param
        that it gets. This should be done over HTTPS not HTTP: fetched
        over plain HTTP, anyone in the path can replace both the applet
        and the serverCert value it is told to pin.

    proxyHost
        string, default: none
        Do not try to guess the proxy's hostname, use the value in
        proxyHost. Does not imply forceProxy (below.)

    proxyPort
        string, default: none
        Do not try to guess the proxy's port number, use the value in
        proxyPort. Does not imply forceProxy (below.)

    forceProxy
        yes/no, default: no
        Assume there is a proxy and force its use.

        If a string other than "yes" or "no" is given, it implies "yes"
        and uses the string for proxyHost and proxyPort (see above).
        In this case the string must be of the form "hostname+port".
        Note that it is "+" and not ":" before the port number, because
        ":" is not in the character set libvncserver passes through.

    ignoreProxy
        yes/no, default: no
        Don't check for a proxy, assume there is none.

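The proxy decision those four parameters describe, together with the wire
exchange behind the CONNECT and GET parameters documented earlier, as an
added Python example (not code from the applet or x11vnc). It assumes, as
the page does not state, that the proxy answers CONNECT with an ordinary
HTTP status line and that after the /request.https.vnc.connection GET the
server begins the RFB handshake directly with its 12-byte version string;
the proxy and server replies are constructed bytes, and the SSL wrapping
the real applet performs after the CONNECT is left out so the bytes stay
readable.

```python
"""Added example, not the applet's code: proxy selection from the applet
parameters (proxyHost, proxyPort, forceProxy, ignoreProxy) and the
CONNECT -> GET -> RFB exchange used to reach x11vnc through a web proxy.

Assumed (not stated on the page): the proxy returns a normal HTTP status
line for CONNECT, and x11vnc answers the switch GET by starting the RFB
handshake. Sample reply bytes are constructed.
"""
import re

VNC_SWITCH_PATH = "/request.https.vnc.connection"


def proxy_decision(params, guessed=(None, None)):
    """Return (use_proxy, host, port) from applet parameter strings.

    `guessed` is the proxy the applet detected from the browser, if any.
    ignoreProxy=yes wins over everything; forceProxy=yes forces use of
    proxyHost/proxyPort or the guess; forceProxy=hostname+port names the
    proxy itself; proxyHost/proxyPort alone only override the guess.
    """
    if params.get("ignoreProxy", "no").lower() == "yes":
        return (False, None, None)
    host = params.get("proxyHost") or guessed[0]
    port = params.get("proxyPort") or guessed[1]
    force = params.get("forceProxy", "no")
    if force.lower() in ("yes", "no"):
        forced = force.lower() == "yes"
    else:
        # "hostname+port": "+" not ":", since libvncserver only passes
        # alphanumerics, "_", "+" and "." through the URL parameters
        m = re.fullmatch(r"([A-Za-z0-9_.]+)\+(\d+)", force)
        if not m:
            raise ValueError("forceProxy must be yes, no or hostname+port")
        host, port, forced = m.group(1), m.group(2), True
    if forced or guessed[0]:
        if not (host and port):
            raise ValueError("proxy required but host/port unknown")
        return (True, host, int(port))
    return (False, None, None)


def connect_request(target_host, target_port):
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (target_host, target_port, target_host, target_port)).encode()


def parse_http_status(data):
    """Numeric status code from the first line of an HTTP response."""
    line = data.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", line)
    if not m:
        raise ValueError("not an HTTP status line: %r" % line)
    return int(m.group(1))


def vnc_switch_request(url_prefix=""):
    """The GET that makes x11vnc's single-port mode switch this socket to
    VNC; urlPrefix is prepended to the path as that parameter documents."""
    return ("GET %s%s HTTP/1.0\r\n\r\n" % (url_prefix, VNC_SWITCH_PATH)).encode()


def rfb_version(banner):
    """Parse the 12-byte RFB ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner[:12])
    if not m:
        raise ValueError("server did not switch to VNC: %r" % banner[:12])
    return (int(m.group(1)), int(m.group(2)))


def open_vnc_via_proxy(sock, target_host, target_port, url_prefix=""):
    """Drive the exchange on a socket already connected to the proxy and
    return the server's (major, minor) RFB version."""
    sock.sendall(connect_request(target_host, target_port))
    status = parse_http_status(sock.recv(4096))
    if status // 100 != 2:
        raise ConnectionError("proxy refused CONNECT: HTTP %d" % status)
    sock.sendall(vnc_switch_request(url_prefix))
    return rfb_version(sock.recv(12))


class ScriptedSocket:
    """Constructed stand-in for a socket: records what the client sends
    and replays canned proxy/server replies so the exchange runs offline."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, n):
        return self.replies.pop(0)[:n]


def demo():
    use, host, port = proxy_decision({"forceProxy": "proxy.example.com+3128"})
    sock = ScriptedSocket([
        b"HTTP/1.0 200 Connection established\r\n\r\n",  # proxy's reply
        b"RFB 003.008\n",                                 # server after GET
    ])
    version = open_vnc_via_proxy(sock, "vnc.example.com", 5900)
    return use, host, port, version, sock.sent
```

A non-2xx answer to CONNECT (407 when the proxy wants credentials, 403
when it refuses port 5900) is the usual reason the applet "hangs" behind
a proxy, which is why the check on the status line comes before anything
is written to the tunnel.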
    trustAllVncCerts
        yes/no, default: no
        Automatically trust any cert received from the VNC server
        (obviously this could be dangerous and lead to a man in the
        middle attack: the SSL tunnel is then encrypted but not
        authenticated, so anyone who can intercept the connection can
        impersonate the server and read the VNC password and session).
        Do not ask the user to verify any of these certs from the VNC
        server.

    trustUrlVncCert
        yes/no, default: no
        Automatically trust any cert that the web browser has accepted.
        E.g. the user said "Yes" or "Continue" to a web browser dialog
        regarding a certificate. If we get the same cert (chain) from
        the VNC server we trust it without prompting the user.

    debugCerts
        yes/no, default: no
        Print out every cert in the Server, TrustUrl, TrustAll chains.

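How the serverCert, trustUrlVncCert and trustAllVncCerts parameters combine
into one trust decision on the certificate the VNC server presents, as an
added Python example (not the applet's own code). Comparing certificates by
the SHA-256 of their DER bytes, and treating a serverCert mismatch as fatal
even when trustAllVncCerts is also set, are choices made in this example;
the certificates are constructed byte strings standing in for real X.509
DER.

```python
"""Added example, not the applet's code: the trust decision the SSL
applet parameters describe, applied to the VNC server's certificate.

Order of checks as the parameters are documented: a serverCert pin from
the URL must match exactly if given; otherwise trustUrlVncCert accepts a
cert the browser already accepted; otherwise trustAllVncCerts accepts
anything; otherwise the user is prompted. Fingerprinting by SHA-256 of
the DER bytes is this example's choice; sample certs are constructed.
"""
import binascii
import hashlib


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def decide_trust(server_der, params, browser_accepted=(), ask_user=None):
    """Return (trusted, reason).

    server_der: DER bytes of the cert the VNC server sent in the handshake.
    params: applet parameters as strings.
    browser_accepted: DER certs the browser accepted for the applet's URL.
    ask_user: callback taking a fingerprint and returning True/False, i.e.
              the interactive "do you trust this cert" dialog.
    """
    def yes(name):
        return params.get(name, "no").lower() == "yes"

    pin = params.get("serverCert")
    if pin:
        # serverCert is the hex of the expected server cert. A mismatch is
        # a hard failure here even if trustAllVncCerts is also set;
        # otherwise the pin would be meaningless.
        if server_der == binascii.unhexlify(pin):
            return (True, "matches serverCert")
        return (False, "serverCert mismatch: possible man in the middle")

    if yes("trustUrlVncCert"):
        seen = {fingerprint(c) for c in browser_accepted}
        if fingerprint(server_der) in seen:
            return (True, "same cert the browser accepted")

    if yes("trustAllVncCerts"):
        # encrypted but unauthenticated tunnel: any interceptor can
        # present its own cert and read the VNC password and session
        return (True, "trustAllVncCerts (unauthenticated)")

    if ask_user is None:
        return (False, "no trust policy matched and no prompt available")
    return (bool(ask_user(fingerprint(server_der))), "user prompt")
```

The pin check sits first because it is the only branch that can actually
reject an impostor; trustUrlVncCert only moves the decision to whatever the
browser's own dialog accepted, and trustAllVncCerts accepts everything.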
TightVNC Java viewer only:

    Offer Relogin
        yes/no, default: yes
        "Offer Relogin" set to "No" disables "Login again"

    SocketFactory
        string, default: none
        Set the Java Socket class factory.

UltraVNC Java viewer only:

    None in the stock viewer. The following UltraVNC-only parameters are
    added by x11vnc and/or ssvnc project:

    ftpDropDown
        string, default: none
        Sets the file transfer "drives" dropdown to the "."-separated
        list. Use "+" for space. The default is

            My+Documents.Desktop.Home

        for 3 entries in the dropdown in addition to the "drives"
        (e.g. C:\). These items should be expanded properly by the VNC
        Server. x11vnc will prepend $HOME to them, which is normally
        what one wants. To include a "/" use "_2F_". Another example:

            Home.Desktop.bin_2F_linux

        If an item is prefixed with "TOP_" then the item is inserted at
        the top of the drop down rather than being appended to the end.
        E.g. to try to initially load the user homedir instead of /:

            TOP_Home.My+Documents.Desktop

        If ftpDropDown is set to the empty string, "", then no special
        locations, [Desktop] etc., are placed in the drop down. Only the
        ultravnc "drives" will appear.

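A parser and encoder for the ftpDropDown value, with the libvncserver
character-set check from the Applet Parameters section above, as an added
Python example (not code from the UltraVNC viewer or x11vnc). It applies
the documented rules ("." separates items, "+" is a space, "_2F_" is "/",
"TOP_" moves an item to the front, "" means drives only) and leaves the
$HOME expansion to the server, as the README says x11vnc does it.

```python
"""Added example, not from the UltraVNC viewer or x11vnc: decode an
ftpDropDown applet parameter into the ordered drop-down labels, encode
plain labels back into one, and check values against the character set
libvncserver passes through URL parameters (alphanumerics, "_", "+", ".").
"""
import re

PARAM_OK = re.compile(r"^[A-Za-z0-9_+.]*$")  # libvncserver's allowed set


def param_allowed(value):
    """True if value survives libvncserver's URL parameter filtering."""
    return PARAM_OK.match(value) is not None


def decode_item(item):
    """Undo the ftpDropDown encoding for one item: _2F_ -> "/", "+" -> " "."""
    return item.replace("_2F_", "/").replace("+", " ")


def parse_ftp_dropdown(value):
    """Return the drop-down labels in display order.

    "" means no special locations (drives only), so [] is returned. Items
    with the TOP_ prefix go to the front in the order given; the rest are
    appended in order. Labels are $HOME-relative names for the server to
    expand; the path expansion itself is x11vnc's job.
    """
    if value == "":
        return []
    if not param_allowed(value):
        raise ValueError("value would not survive libvncserver parameter filtering")
    top, rest = [], []
    for raw in value.split("."):
        if raw == "":
            continue  # tolerate doubled or trailing separators
        is_top = raw.startswith("TOP_")
        label = decode_item(raw[4:] if is_top else raw)
        (top if is_top else rest).append(label)
    return top + rest


def encode_ftp_dropdown(items, top=()):
    """Inverse of parse_ftp_dropdown: build the URL value from plain labels,
    e.g. encode_ftp_dropdown(["My Documents", "bin/linux"], top=["Home"])
    -> "TOP_Home.My+Documents.bin_2F_linux"."""
    def enc(label):
        if "." in label:
            raise ValueError('"." separates items and cannot appear in one')
        encoded = label.replace("/", "_2F_").replace(" ", "+")
        if not param_allowed(encoded):
            raise ValueError("label %r needs characters libvncserver drops" % label)
        return encoded

    parts = ["TOP_" + enc(t) for t in top] + [enc(i) for i in items]
    return ".".join(parts)
```

The encoder refuses labels that cannot be expressed in the allowed
character set (a hyphen, for instance) rather than silently producing a
value the server would mangle.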
    ftpOnly
        yes/no, default: no
        The VNC viewer only shows the filetransfer panel, no desktop
        is displayed.

    graftFtp
        yes/no, default: no
        As ftpOnly, the VNC viewer only shows the filetransfer panel,
        no desktop is displayed; however it is "grafted" onto an existing
        SSVNC unix vncviewer. The special SSVNC vncviewer merges the two
        channels.

    dsmActive
        yes/no, default: no
        Special usage mode with the SSVNC unix vncviewer. The UltraVNC
        DSM encryption is active. Foolishly, UltraVNC DSM encryption
        *MODIFIES* the VNC protocol when active (it is not a pure tunnel).
        This option indicates to modify the VNC protocol to make this work.
        Usually only used with graftFtp and SSVNC unix vncviewer.

    delayAuthPanel
        yes/no, default: no
        This is another special usage mode with the SSVNC unix vncviewer.
        The login panel is delayed (not shown at startup.) Could be useful
        for non-SSVNC usage too.

    ignoreMSLogonCheck
        yes/no, default: no
        Similar to delayAuthPanel, do not put up a popup asking for
        Windows username, etc.