Secure VNC with SSL problem - Networking



Thread: Secure VNC with SSL problem

  1. Secure VNC with SSL problem

    I am trying to secure access to my vncserver using SSL. Looks like the
    following one is the only and the de-facto tutorial on the web:

    http://www-128.ibm.com/developerwork...r-lnxw16SSLVNC

    When I follow the steps and try to connect to the java-applet I
    receive "Status: Connected to server" but it does not show my desktop,
    all I get is a blank screen.

    I opened the java-terminal and I see the following error:

    "security: JSS package is not found
    security: JSS is not configured
    ....
    HttpURLConnection: Connection reset"

    When I check the VNC errors I see the following:

    "28/03/08 16:12:55 Got connection from client 0.0.0.0
    28/03/08 16:12:55 Protocol version 3.3
    28/03/08 16:13:25 rfbAuthProcessClientMessage: read: Connection reset
    by peer
    28/03/08 16:13:25 Client 0.0.0.0 gone
    28/03/08 16:13:25 Statistics:
    28/03/08 16:13:25 framebuffer updates 0, rectangles 0, bytes 0
    28/03/08 16:13:55 httpd: get 'check.https.proxy.connection' for
    0.0.0.0
    28/03/08 16:13:55 httpProcessInput: open: No such file or directory
    28/03/08 16:13:56 httpProcessInput: read: Connection reset by peer
    28/03/08 16:13:56 httpProcessInput: read: Connection reset by peer"

    SYSLOG gives:

    Mar 28 16:13:56 cellular12 stunnel[19516]: SSL_accept: error:
    1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    Mar 28 16:13:57 cellular12 stunnel[19516]: 5801 connected from
    74.62.18.62:30370
    Mar 28 16:14:05 cellular12 stunnel[19516]: Connection closed: 106
    bytes sent to SSL, 599 bytes sent to socket

    It is as if I were trying to reach an HTTPS site using HTTP. Do you have
    any idea what I might be doing wrong?


    -------------------------------------------------------------------------------------------------------
    Detailed steps and logs are as follows:
    - Started server: vncserver :5
    - Created certificate: stunnel.pem
    - Started stunnel: sudo stunnel -d 5835 -r 5801

    SYSLOG
    =============================
    Mar 28 14:32:47 cellular12 stunnel[18994]: Using '5801' as tcpwrapper
    service name
    Mar 28 14:32:47 cellular12 stunnel[18994]: stunnel 3.26 on i486-pc-
    linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8e 23 Feb 2007
    Mar 28 14:32:47 cellular12 stunnel[18995]: FD_SETSIZE=1024, file
    ulimit=1024 -> 500 clients allowed
    Mar 28 15:03:08 cellular12 stunnel[19401]: Using '5801' as tcpwrapper
    service name
    Mar 28 15:03:08 cellular12 stunnel[19401]: stunnel 3.26 on i486-pc-
    linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8e 23 Feb 2007
    Mar 28 15:03:08 cellular12 stunnel[19402]: FD_SETSIZE=1024, file
    ulimit=1024 -> 500 clients allowed
    Mar 28 15:03:46 cellular12 stunnel[19402]: 5801 connected from
    74.62.18.62:34050
    Mar 28 15:03:46 cellular12 stunnel[19402]: 5801 connected from
    74.62.18.62:34053
    Mar 28 15:03:46 cellular12 stunnel[19402]: SSL_accept: error:
    1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    Mar 28 15:03:47 cellular12 stunnel[19402]: 5801 connected from
    74.62.18.62:34059
    Mar 28 15:03:47 cellular12 stunnel[19402]: SSL_accept: error:
    1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
    Mar 28 15:03:47 cellular12 stunnel[19402]: 5801 connected from
    74.62.18.62:34066
    Mar 28 15:03:56 cellular12 stunnel[19402]: Connection closed: 106
    bytes sent to SSL, 599 bytes sent to socket
    Mar 28 15:04:47 cellular12 stunnel[19402]: Connection closed: 0 bytes
    sent to SSL, 0 bytes sent to socket
    Mar 28 15:05:04 cellular12 stunnel[19402]: 5801 connected from
    74.62.18.62:35415
    Mar 28 15:05:04 cellular12 stunnel[19402]: remote connect: Connection
    refused (111)
    Mar 28 15:05:04 cellular12 stunnel[19402]: Failed to initialize remote
    file descriptor
    M

    Downloaded x11vnc-0.9.3.tar.gz. Unpacked and copied the files
    "SignedVncViewer.jar" and "VncViewer.jar" under class/ssl to a
    directory (secure_vnc) accessible by the webserver. Created an
    index.html file with the following content:



    height="600">








    And I accessed it via
    http://MY HOST NAME/secure_vnc
    or
    https://MY HOST NAME/secure_vnc

    and I always get the above error.

  2. Re: Secure VNC with SSL problem

    I am confused why you would use stunnel arg '-r 5801'
    when you started the server with 'vncserver :5'

    So I think that stunnel arg should be '-r 5905', i.e. port
    5905 is the port your VNC server is listening on.

    The 5900+N port is the VNC server and the 5800+N port is
    the mini http server port for delivering the applet html
    and jar file. Since you serve both of those up by your
    own webserver, there is no need to have stunnel redirect
    to a 5800+N port.

    I don't think your choice of 5835 causes a problem, but I
    changed it to 5935 and it all worked fine like this:

    vncserver :5

    stunnel3 -f -d 5935 -r 5905 -p ~/.vnc/certs/server.pem

    point firefox to http://hostname/vnc.html

    where vnc.html is like your file but with the changes I
    mentioned (i.e. PORT 5935)

    BTW, the failure with httpd: get 'check.https.proxy.connection'
    should be OK: it is just the applet doing a test connection
    to look for the presence of a webproxy.


    For some people it might be easier to use SSVNC and x11vnc
    in SSL mode:

    http://www.karlrunge.com/x11vnc/ssvnc.html

    http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-int

    where one might start x11vnc like this:

    x11vnc -ssl SAVE                        (connect to console display :0)

    x11vnc -ssl SAVE -create                (create a virtual X session with Xvfb)

    x11vnc -ssl SAVE -redirect localhost:5  (redirect to Xvnc on display :5)

    SSVNC can then connect to these using SSL.

    If instead you want to use a web browser with Java
    viewer, supply '-http' option to x11vnc and it will
    serve up the SSL VncViewer.jar (or use '-httpdir dir'
    to explicitly point to the classes/ssl subdir contents).
    Then point your web browser to http://hostname:5800 or
    https://hostname:5900 (note the different ports).
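
The port check and log reading described in the reply above, as an added example that is not part of the original posts or of stunnel itself: it flags a stunnel 3.x `-r` target that points at the 5800+N applet port instead of the 5900+N VNC port, and counts the two stunnel failure messages that appear in the first post's syslog. The function names and message wording are illustrative assumptions; the sample log lines are copied from the thread with line wrapping removed.

```python
import re

# Port convention stated in the thread: display :N -> VNC (RFB) on 5900+N,
# mini HTTP server (applet html/jar) on 5800+N.
RFB_BASE, HTTP_BASE = 5900, 5800

def stunnel3_ports(cmdline):
    """Return (accept_port, redirect_port) from stunnel 3.x '-d' / '-r' options."""
    toks = cmdline.split()
    found = {}
    for flag, value in zip(toks, toks[1:]):
        if flag in ("-d", "-r"):
            found[flag] = int(value.rsplit(":", 1)[-1])  # "port" or "host:port"
    return found.get("-d"), found.get("-r")

def check_redirect(display, cmdline):
    """Classify where '-r' points relative to VNC display :N."""
    _, remote = stunnel3_ports(cmdline)
    if remote == RFB_BASE + display:
        return "ok: -r targets the VNC port"
    if remote == HTTP_BASE + display:
        return "wrong: -r targets the applet HTTP port, use %d" % (RFB_BASE + display)
    return "wrong: -r targets neither port of display :%d" % display

# stunnel syslog messages seen in the thread and what they indicate.
SIGNATURES = [
    (re.compile(r"SSL23_GET_CLIENT_HELLO:http request"),
     "client sent plain HTTP to the SSL listener"),
    (re.compile(r"remote connect: Connection refused"),
     "nothing is listening on the -r target port"),
]

def triage(log_lines):
    """Count how often each known failure signature appears."""
    counts = {}
    for line in log_lines:
        for pattern, meaning in SIGNATURES:
            if pattern.search(line):
                counts[meaning] = counts.get(meaning, 0) + 1
    return counts

# Sample lines copied from the first post's syslog (wrapping removed).
SAMPLE_LOG = [
    "Mar 28 15:03:46 cellular12 stunnel[19402]: SSL_accept: error: 1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request",
    "Mar 28 15:03:47 cellular12 stunnel[19402]: SSL_accept: error: 1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request",
    "Mar 28 15:03:56 cellular12 stunnel[19402]: Connection closed: 106 bytes sent to SSL, 599 bytes sent to socket",
    "Mar 28 15:05:04 cellular12 stunnel[19402]: remote connect: Connection refused (111)",
]

if __name__ == "__main__":
    print(check_redirect(1, "sudo stunnel -d 5835 -r 5801"))
    print(triage(SAMPLE_LOG))
```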


  3. Re: Secure VNC with SSL problem

    Thank you very much. As for "vncserver :5", it was a typo. I started
    it as "vncserver :1". I will try it and will let you know how it
    goes..

    On Mar 29, 2:14 pm, goog...@karlrunge.com wrote:
    > I am confused why you would use stunnel arg '-r 5801'
    > when you started the server with 'vncserver :5'
    >
    > So I think that stunnel arg should be '-r 5905', i.e. port
    > 5905 is the port your VNC server is listening on.
    >
    > The 5900+N port is the VNC server and the 5800+N port is
    > the mini http server port for delivering the applet html
    > and jar file. Since you serve both of those up by your
    > own webserver, there is no need to have stunnel redirect
    > to a 5800+N port.
    >
    > I don't think your choice of 5835 causes a problem, but I
    > changed it to 5935 and it all worked fine like this:
    >
    > vncserver :5
    >
    > stunnel3 -f -d 5935 -r 5905 -p ~/.vnc/certs/server.pem
    >
    > point firefox to http://hostname/vnc.html
    >
    > where vnc.html is like your file but with the changes I
    > mentioned (i.e. PORT 5935)
    >
    > BTW, the failure with httpd: get 'check.https.proxy.connection'
    > should be OK: it is just the applet doing a test connection
    > to look for the presence of a webproxy.
    >
    > For some people it might be easier to use SSVNC and x11vnc
    > in SSL mode:
    >
    > http://www.karlrunge.com/x11vnc/ssvnc.html
    >
    > http://www.karlrunge.com/x11vnc/#faq-ssl-tunnel-int
    >
    > where one might start x11vnc like this:
    >
    > x11vnc -ssl SAVE                        (connect to console display :0)
    >
    > x11vnc -ssl SAVE -create                (create a virtual X session with Xvfb)
    >
    > x11vnc -ssl SAVE -redirect localhost:5  (redirect to Xvnc on display :5)
    >
    > SSVNC can then connect to these using SSL.
    >
    > If instead you want to use a web browser with Java
    > viewer, supply '-http' option to x11vnc and it will
    > serve up the SSL VncViewer.jar (or use '-httpdir dir'
    > to explicitly point to the classes/ssl subdir contents).
    > Then point your web browser to http://hostname:5800 or
    > https://hostname:5900 (note the different ports).



  4. Re: Secure VNC with SSL problem

    I tried option 1 and it worked. I was pointing to the http port
    instead of the VNC server as you suggested.

    To summarize my configuration after creating the certificates and html
    files as described above:

    SERVER:
    vncserver :1
    sudo stunnel -d 5835 -r 5901

    CLIENT:
    http://myhost:5835 or
    https://myhost:5835

    Thank you.

