NoVNC for x11vnc SSL connection

I am trying to use an SSL connection with x11vnc (VNC server) and noVNC (VNC client). Whenever I try to connect, I get the error "Unsupported security types: 19.18" from noVNC and "SSL: ssl_helper [2957]: exit case 2 (ssl_init failed) SSL: accept_openssl: cookie from ssl_helper [2957] FAILED. 0" from x11vnc. If I disable SSL for x11vnc, the client is able to connect without problems.

I understand that x11vnc really comes bundled with Java based applets. However, I'm more interested in HTML5 based noVNC.

Both x11vnc and noVNC work on the same computer using the commands:

x11vnc: x11vnc -forever -shared -unixpw_cmd [cmd] -ssl [pem]

noVNC: ./utils/websockify --ssl-only --cert=[pem] --web=./ 6080 localhost:5900

Note: Both point to the same letter. I use websockify instead of the noVNC launch.sh to have more options, like --ssl-only.

The encryption function for noVNC does not seem to affect the connection to the server (the results are the same whether it is enabled or not).

My biggest concern is a secure connection. At the moment, it does not look like turning on the noVNC encrypt option does much if x11vnc SSL has to be disabled (the encrypt option makes noVNC use wss:// instead of ws://). If this creates a secure connection, let me know. Otherwise, how can I get noVNC and x11vnc working with SSL?

+4
1 answer

First, a few explanations:

noVNC and websockify are actually separate projects:

  • websockify is a common proxy bridge that allows WebSocket connections (for example, from a browser) to connect to non-core TCP socket services (for example, to a VNC server).
  • noVNC is an HTML5 VNC client.

If the VNC server supports WebSocket connections, then websockify is not needed. The only VNC server that currently supports direct WebSocket connections is this version of libvncserver. websockify is included in noVNC since most VNC servers do not yet support WebSocket clients, but websockify is a separate project.

You are dealing with two different network connections, each of which has its own encryption settings:

  • noVNC (browser) to websockify - using the WebSocket protocol
  • websockify to x11vnc (VNC server) - direct connection to a TCP socket

The WebSocket protocol supports unencrypted connections (ws://) and SSL/TLS encrypted connections (wss://).

In the RFB (Remote Frame Buffer) protocol used by VNC, it is possible to upgrade to an encrypted connection during initialization. There are several encryption methods, such as TLS (security type 18) and VeNCrypt (security type 19).

Now to your question:

When you pass -ssl PEM to x11vnc, this enables RFB/VNC encryption. noVNC does not support RFB/VNC encryption. Javascript is not fast enough to make encryption/decryption fast enough for noVNC to be usable. There is a discussion about adding a cryptographic API to Javascript that would allow noVNC to support this type of encryption.

When you enable encryption in noVNC, you enable WebSocket encryption (wss://). This encrypts the connection between the browser and websockify. As long as the connection between websockify and the VNC server is over a trusted network (for example, they run on the same server) and you use WebSocket encryption in noVNC, no unencrypted data will be exposed. However, if you run websockify on the same system as your browser, and the VNC server is remote, then the VNC traffic from your client to the server system will not be encrypted (unless noVNC receives support for RFB/VNC VeNCrypt encryption in the future).

The output of websockify will indicate whether the WebSocket connection is encrypted or unencrypted.

+13
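
The security types in the question's error (19 and 18) are what the VNC server offers during the RFB handshake on the websockify-to-x11vnc hop. As an added example (not part of the original post, and not code from noVNC or websockify), this Python parser reads the server's opening RFB 3.7/3.8 bytes and reports whether a client limited to types 1 and 2 can proceed; that client set, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Security type numbers: 18 and 19 are named on this page; 1 and 2 are from RFC 6143.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
# Assumption: the client speaks only the types that add no RFB-level encryption.
CLIENT_SUPPORTED = {1, 2}


def parse_security_offer(data: bytes) -> dict:
    """Parse the server's ProtocolVersion message followed by its security type list."""
    if len(data) < 13 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[4:11].decode("ascii")
    if version not in ("003.007", "003.008"):
        raise ValueError(f"unhandled RFB version {version}")
    count = data[12]
    if count == 0:
        # Zero types means the server refused; a length-prefixed reason follows.
        if len(data) < 17:
            raise ValueError("truncated failure reason")
        (length,) = struct.unpack(">I", data[13:17])
        reason = data[17:17 + length].decode("latin-1")
        return {"version": version, "offered": [], "usable": [], "reason": reason}
    offered = list(data[13:13 + count])
    if len(offered) != count:
        raise ValueError("truncated security type list")
    usable = [t for t in offered if t in CLIENT_SUPPORTED]
    return {"version": version, "offered": offered, "usable": usable, "reason": None}


def describe(offer: dict) -> str:
    names = ", ".join(f"{t} ({SECURITY_TYPES.get(t, 'unknown')})" for t in offer["offered"])
    if offer["reason"] is not None:
        return f"server refused: {offer['reason']}"
    if not offer["usable"]:
        return f"no usable type, server offers only {names}"
    return f"client can proceed with type {offer['usable'][0]}; server offers {names}"


# Constructed server bytes: one offering only types 19 and 18, one offering type 1.
WITH_SSL = b"RFB 003.008\n" + bytes([2, 19, 18])
WITHOUT_SSL = b"RFB 003.008\n" + bytes([1, 1])

if __name__ == "__main__":
    for label, raw in (("ssl", WITH_SSL), ("plain", WITHOUT_SSL)):
        print(label, "->", describe(parse_security_offer(raw)))
```

When the second case applies, the RFB stream on that hop is not encrypted, so only the wss:// leg protects the traffic, as the answer explains.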