guacamole-user mailing list archives

From Idhren <romain.chatil...@labri.fr>
Subject Re: Connect to VNC server with SSL
Date Fri, 26 Apr 2019 09:07:48 GMT
That's the thing, I don't know how to force/configure the VNC client on
the guacamole side.
I tried many security types on the VNC server (which is installed on an Ubuntu
workstation) but it always failed.

On the guacamole server:
Starting Nmap 6.40 ( http://nmap.org ) at 2019-04-26 10:39 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000066s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong


On the Ubuntu workstation:

openssl ciphers -s | grep DHE
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

For example, I tried to start my vncserver without DH:

user@ubuntu$ x11vnc -ssl -vencrypt nodh:only -passwd *****

26/04/2019 10:56:19 SSL: accept_openssl(OPENSSL_VNC)
26/04/2019 10:56:19 SSL: spawning helper process to handle: ***.***.*.***:58450
26/04/2019 10:56:19 SSL: helper for peerport 58450 is pid 20949: 
26/04/2019 10:56:19 connect_tcp: trying:   127.0.0.1 20000
26/04/2019 10:56:20 check_vnc_tls_mode: waited: 1.419587 / 1.40 input: (future) RFB Handshake
26/04/2019 10:56:20 check_vnc_tls_mode: version: 3.8
26/04/2019 10:56:20 SSL: ssl_helper[20949]: exit case 2 (ssl_init failed)
26/04/2019 10:56:20 SSL: accept_openssl: cookie from ssl_helper[20949] FAILED. 0

On guacamole side:

Apr 26 10:58:32 guacamole guacd[27115]: VNC server supports protocol version 3.8 (viewer 3.8)
Apr 26 10:58:32 guacamole guacd[27115]: We have 1 security types to read
Apr 26 10:58:32 guacamole guacd: guacd[27115]: ERROR:#011Unable to connect to VNC server.
Apr 26 10:58:32 guacamole guacd[27115]: 0) Received security type 19
Apr 26 10:58:32 guacamole guacd[27115]: Unknown authentication scheme from VNC server: 19
Apr 26 10:58:32 guacamole guacd[27115]: Unable to connect to VNC server.
Apr 26 10:58:32 guacamole guacd[27115]: User "@d820419b-18c0-4c77-8ead-50eeb919a0b1" disconnected (0 users remain)

And I tried another vncviewer (ssvnc). It retrieves and saves the cert and
seems to use the ECDHE-RSA-AES256-GCM-SHA384 cipher.


Thanks for your help!




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
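
Added example (not part of the original message, and not Guacamole project code): a small Python parser for the guacd log lines quoted above that names the RFB security type the client rejected. The type names come from the IANA RFB security-types registry (subset shown); the function names are illustrative.

```python
import re
from collections import defaultdict

# Subset of the IANA "RFB Security Types" registry.
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                      18: "TLS", 19: "VeNCrypt"}

# Log lines from the message above, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Apr 26 10:58:32 guacamole guacd[27115]: VNC server supports protocol version 3.8 (viewer 3.8)
Apr 26 10:58:32 guacamole guacd[27115]: We have 1 security types to read
Apr 26 10:58:32 guacamole guacd: guacd[27115]: ERROR:#011Unable to connect to VNC server.
Apr 26 10:58:32 guacamole guacd[27115]: 0) Received security type 19
Apr 26 10:58:32 guacamole guacd[27115]: Unknown authentication scheme from VNC server: 19
Apr 26 10:58:32 guacamole guacd[27115]: Unable to connect to VNC server.
"""

LINE = re.compile(r"guacd\[(\d+)\]: (.*)$")
OFFERED = re.compile(r"^\d+\) Received security type (\d+)")
REJECTED = re.compile(r"^Unknown authentication scheme from VNC server: ([\d, ]+)")


def parse_handshakes(log_text):
    """Per guacd PID, collect the security types the server offered and
    the ones the VNC client reported as unknown."""
    sessions = defaultdict(lambda: {"offered": [], "rejected": []})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if (o := OFFERED.match(msg)):
            sessions[pid]["offered"].append(int(o.group(1)))
        elif (r := REJECTED.match(msg)):
            sessions[pid]["rejected"] += [int(n) for n in re.findall(r"\d+", r.group(1))]
    return dict(sessions)


def describe(sessions):
    """One line per rejected security type, with its registry name."""
    out = []
    for pid, s in sorted(sessions.items()):
        for t in s["rejected"]:
            name = RFB_SECURITY_TYPES.get(t, "not in table")
            only = " (the only type offered)" if s["offered"] == [t] else ""
            out.append(f"guacd[{pid}]: client rejected type {t} = {name}{only}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_handshakes(SAMPLE_LOG))))
```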
