Posted to user@guacamole.apache.org by Idhren <ro...@labri.fr> on 2019/04/24 13:05:34 UTC

Connect to VNC server with SSL

Dear,

I've been testing Guacamole (1.0) for a few days on a RHEL 7 server with VNC, SSH
& RDP connections.
I've been struggling for a few days to encrypt my VNC connection. It
works fine without SSL, but I get these errors when I use SSL:

Catalina_out:



x11vnc logs:



This is with default options. I tried different VNC servers (tigervnc,
tightvnc) and different options (only ssl, VeNCrypt, etc.) and I was not
able to make it work.

I also tried to connect to the VNC server with "ssvnc" and it worked without
any trouble.
I guess the issue comes from Guacamole or the libvnc library.

I searched the JIRA for something that looks familiar ... Found this topic:
https://issues.apache.org/jira/browse/GUACAMOLE-414
Not sure if this is related or not.







--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Connect to VNC server with SSL

Posted by Idhren <ro...@labri.fr>.
So, could it be an issue with libvncclient or libguac-vnc?

I set the log level to ALL for guacd & tomcat but didn't see anything
relevant.
I saw that x11vnc is using libvncclient v0.9.11 and Guacamole was built with
0.9.9 ... Not sure if it is important or not.

Maybe I'll try to reinstall Guacamole another way, using docker, or on
a Fedora for the latest lib.





Re: Connect to VNC server with SSL

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Apr 28, 2019, 05:13 Dmitry Katsubo <dm...@mail.ru> wrote:

> First of all, needless to say, Java does not use the OpenSSL libraries: it
> has all ciphers implemented natively in Java. ... However I don't see the
> reason why Java8/9/10 should not be able to talk to your VNC server ...
>

No, the Java side of Guacamole does not communicate with the remote
desktop. It uses the Guacamole protocol to talk to guacd. Java support for
various ciphers will not have any impact on a remote desktop protocol being
able to use those ciphers.

Only the protocol support library, in this case libguac-client-vnc, talks
to the remote desktop. The various libguac-client-* are loaded by guacd
dynamically depending on the protocol needed by a connection. For
libguac-client-vnc, the connection to the VNC server leverages
libvncclient, and it is that library which would ultimately actually deal
with VNC over SSL, presumably using OpenSSL or a similar alternative.

- Mike

Re: Connect to VNC server with SSL

Posted by Dmitry Katsubo <dm...@mail.ru>.
On 2019-04-26 11:07, Idhren wrote:
> On the Ubuntu workstation:
>
> openssl ciphers -s | grep DHE
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
>
> Apr 26 10:58:32 guacamole guacd[27115]: 0) Received security type 19
> Apr 26 10:58:32 guacamole guacd[27115]: Unknown authentication scheme from VNC server: 19
> Apr 26 10:58:32 guacamole guacd[27115]: Unable to connect to VNC server.
> Apr 26 10:58:32 guacamole guacd[27115]: User "@d820419b-18c0-4c77-8ead-50eeb919a0b1" disconnected (0 users remain)
>
> And I tried another vncviewer (ssvnc). It retrieves and saves the cert and seems to use the ECDHE-RSA-AES256-GCM-SHA384 cipher.

First of all, needless to say, Java does not use the OpenSSL libraries: it has all ciphers implemented natively in Java. For example, if you are running Java7, you have to enable TLS 1.1/1.2 using the
-Dhttps.protocols=TLSv1.1,TLSv1.2 <https://superuser.com/a/928498/28311> JVM system property. For Java8 (and later versions) this is not necessary (it should work out of the box); however, I usually
double check the list of ciphers against the Java documentation
<https://docs.oracle.com/javase/10/security/oracle-providers.htm#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__CIPHERSUITESSUPPORTEDBYSUNJSSE-29E460FE>. For example, the cipher ECDHE-RSA-AES256-GCM-SHA384
(which has the name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in Java) that you've mentioned is supported by Java8 and removed in Java9 :) However I don't see the reason why Java8/9/10 should not be able to
talk to your VNC server, as for example the cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 is supported by both Java and the server.

General advice would be to enable TLS debugging in Java (-Djavax.net.debug=all <https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html>) and check the logs.

-- 
With best regards,
Dmitry


Re: Connect to VNC server with SSL

Posted by Idhren <ro...@labri.fr>.
That's the thing, I don't know how to force/configure the VNC client on the
Guacamole side.
I tried many security types on the VNC server (which is installed on an Ubuntu
workstation) but it always failed.

On the guacamole server:
Starting Nmap 6.40 ( http://nmap.org ) at 2019-04-26 10:39 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000066s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong


On the Ubuntu workstation:

openssl ciphers -s | grep DHE
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

For example, I tried to start my vncserver without DH:

user@ubuntu$ x11vnc -ssl -vencrypt nodh:only -passwd *****

26/04/2019 10:56:19 SSL: accept_openssl(OPENSSL_VNC)
26/04/2019 10:56:19 SSL: spawning helper process to handle:
***.***.*.***:58450
26/04/2019 10:56:19 SSL: helper for peerport 58450 is pid 20949: 
26/04/2019 10:56:19 connect_tcp: trying:   127.0.0.1 20000
26/04/2019 10:56:20 check_vnc_tls_mode: waited: 1.419587 / 1.40 input:
(future) RFB Handshake
26/04/2019 10:56:20 check_vnc_tls_mode: version: 3.8
26/04/2019 10:56:20 SSL: ssl_helper[20949]: exit case 2 (ssl_init failed)
26/04/2019 10:56:20 SSL: accept_openssl: cookie from ssl_helper[20949]
FAILED. 0

On guacamole side:

Apr 26 10:58:32 guacamole guacd[27115]: VNC server supports protocol version
3.8 (viewer 3.8)
Apr 26 10:58:32 guacamole guacd[27115]: We have 1 security types to read
Apr 26 10:58:32 guacamole guacd: guacd[27115]: ERROR:#011Unable to connect
to VNC server.
Apr 26 10:58:32 guacamole guacd[27115]: 0) Received security type 19
Apr 26 10:58:32 guacamole guacd[27115]: Unknown authentication scheme from
VNC server: 19
Apr 26 10:58:32 guacamole guacd[27115]: Unable to connect to VNC server.
Apr 26 10:58:32 guacamole guacd[27115]: User
"@d820419b-18c0-4c77-8ead-50eeb919a0b1" disconnected (0 users remain)

And I tried another vncviewer (ssvnc). It retrieves and saves the cert and
seems to use the ECDHE-RSA-AES256-GCM-SHA384 cipher.


Thanks for your help!




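As an added illustration of what the guacd lines above record (this is my example, not code from Guacamole, libvncclient or anyone on the thread), here is the RFB 3.8 security-types message and a client's selection from it. The wire layout is taken from RFC 6143 section 7.1.2; the client's supported set {1, 2, 18} is an assumption standing in for a libvncclient build that does not implement VeNCrypt (type 19), and the selection order (first server-listed type the client knows) is an assumption too. The two server messages are constructed to reproduce the "Selecting security type 18 (1/2 in the list)" and "Unknown authentication scheme from VNC server: 19" outcomes seen in the thread.

```python
# RFB 3.8 security-type negotiation, modelled on the guacd/libvncclient log
# lines in this thread. Added example; not code from Guacamole or libvncclient.

# Security types registered in RFC 6143 section 7.1.2 (subset).
RFB_SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS (x11vnc calls this ANONTLS)",
    19: "VeNCrypt",
}

# Assumption: a client that implements None, VNC Authentication and plain TLS,
# but not VeNCrypt.
CLIENT_SUPPORTED = {1, 2, 18}

# Constructed server messages: U8 count followed by `count` U8 type codes.
SERVER_VENCRYPT_AND_TLS = bytes([2, 19, 18])   # x11vnc -ssl: offers 19 then 18
SERVER_VENCRYPT_ONLY = bytes([1, 19])          # x11vnc -ssl -vencrypt ...:only
# A refusal: count 0, U32 reason length, ASCII reason string.
SERVER_REFUSAL = b"\x00" + (5).to_bytes(4, "big") + b"Sorry"


def parse_security_types(msg: bytes):
    """Parse the server's security-types message sent after the version handshake.

    Returns (types, reason): `types` is the list of offered type codes and
    `reason` is the server's failure string when the count byte is 0."""
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        if len(msg) < 5:
            raise ValueError("truncated failure reason")
        length = int.from_bytes(msg[1:5], "big")
        return [], msg[5:5 + length].decode("ascii", "replace")
    types = list(msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types list")
    return types, None


def choose_security_type(server_types, client_supported):
    """Pick the first server-offered type the client implements (assumed order).

    Returns (chosen_type, log_lines); chosen_type is None when nothing matches,
    which is the 'Unknown authentication scheme' failure seen in the thread.
    Log lines mirror the guacd output, including its 0-based index."""
    log = [f"We have {len(server_types)} security types to read"]
    for i, t in enumerate(server_types):
        log.append(f"{i}) Received security type {t}")
    for i, t in enumerate(server_types):
        if t in client_supported:
            log.append(f"Selecting security type {t} ({i}/{len(server_types)} in the list)")
            return t, log
    for t in server_types:
        log.append(f"Unknown authentication scheme from VNC server: {t}")
    log.append("Unable to connect to VNC server.")
    return None, log


def describe(type_code):
    """Human-readable name for a security type code."""
    return f"{type_code} ({RFB_SECURITY_TYPES.get(type_code, 'unregistered')})"


if __name__ == "__main__":
    for label, msg in (("19 and 18", SERVER_VENCRYPT_AND_TLS),
                       ("19 only", SERVER_VENCRYPT_ONLY)):
        types, _ = parse_security_types(msg)
        chosen, log = choose_security_type(types, CLIENT_SUPPORTED)
        print(f"server offers {label}: {[describe(t) for t in types]}")
        for line in log:
            print("  " + line)
        print("  ->", "connected" if chosen else "negotiation failed")
```

Reading the two runs side by side shows why `-vencrypt nodh:only` made things worse for this client: it removed the one type (18) the client could still pick. Whether a given libvncclient build understands type 19 is exactly the question the "Unknown authentication scheme" line answers.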

Re: Connect to VNC server with SSL

Posted by Dmitry Katsubo <dm...@mail.ru>.
On 2019-04-25 11:08, Idhren wrote:
> What? Weird! I had to edit my post because the "raw" tag didn't work ...
> Anyway, without any encoding then:
>
> Catalina:
>
> 24/04/2019 14:51:32 Using Anonymous Diffie-Hellman mode.
> 24/04/2019 14:51:32 loaded Diffie Hellman 1024 bits, 0.000s
> 24/04/2019 14:51:32 SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Idhren,

It looks like the server cannot agree with the client on which cipher to use. Check that you have the right certificate for Diffie-Hellman (see issue #2572 <https://github.com/openssl/openssl/issues/2572>), and/or reconfigure the server/client so that they use the same set of ciphers. To list the ciphers that the server supports you can use the following command:

# nmap --script ssl-enum-ciphers -p 20000 127.0.0.1
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ...
|   TLSv1.1:
|     ...
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

-- 
With best regards,
Dmitry


Re: Connect to VNC server with SSL

Posted by Idhren <ro...@labri.fr>.
What? Weird! I had to edit my post because the "raw" tag didn't work ...
Anyway, without any encoding then:

Catalina:

Apr 24 14:51:32 guacamole guacd[4199]: VNC server supports protocol version
3.8 (viewer 3.8)
Apr 24 14:51:32 guacamole guacd[4199]: We have 2 security types to read
Apr 24 14:51:32 guacamole guacd[4199]: 0) Received security type 19
Apr 24 14:51:32 guacamole guacd[4199]: 1) Received security type 18
Apr 24 14:51:32 guacamole guacd[4199]: Selecting security type 18 (1/2 in
the list)
Apr 24 14:51:32 guacamole guacd[4199]: Selected Security Scheme 18
Apr 24 14:51:32 guacamole guacd[4199]: GnuTLS initialized.
Apr 24 14:51:32 guacamole guacd[4199]: TLS session initialized.
Apr 24 14:51:32 guacamole guacd[4199]: TLS anonymous credential created.
Apr 24 14:51:32 guacamole guacd[4199]: TLS handshake blocking.
Apr 24 14:51:33 guacamole guacd[4199]: TLS handshake failed: A TLS fatal
alert has been received..
Apr 24 14:51:33 guacamole guacd[4199]: Unable to connect to VNC server.
Apr 24 14:51:33 guacamole guacd: guacd[4199]: ERROR:#011Unable to connect to
VNC server.
Apr 24 14:51:33 guacamole guacd[4199]: User
"@617e1dce-77b9-43c8-8e23-7f95e6d18cd9" disconnected (0 users remain)
Apr 24 14:51:33 guacamole guacd: guacd[4199]: INFO:#011User
"@617e1dce-77b9-43c8-8e23-7f95e6d18cd9" disconnected (0 users remain)
Apr 24 14:51:33 guacamole guacd: guacd[4199]: INFO:#011Last user of
connection "$09a97835-6019-42ed-b52a-e21a3bbb7e20" disconnected
Apr 24 14:51:33 guacamole guacd[4199]: Last user of connection
"$09a97835-6019-42ed-b52a-e21a3bbb7e20" disconnected
Apr 24 14:51:34 guacamole guacd[3678]: Connection
"$09a97835-6019-42ed-b52a-e21a3bbb7e20" removed.
Apr 24 14:51:34 guacamole guacd: guacd[3678]: INFO:#011Connection
"$09a97835-6019-42ed-b52a-e21a3bbb7e20" removed.


x11vnc Server (-ssl -passwd as option):
24/04/2019 14:51:31 SSL: accept_openssl(OPENSSL_VNC)
24/04/2019 14:51:31 SSL: spawning helper process to handle:
147.210.8.245:56298
24/04/2019 14:51:31 SSL: helper for peerport 56298 is pid 16751: 
24/04/2019 14:51:31 connect_tcp: trying:   127.0.0.1 20000
24/04/2019 14:51:32 check_vnc_tls_mode: waited: 1.414210 / 1.40 input:
(future) RFB Handshake
24/04/2019 14:51:32 check_vnc_tls_mode: version: 3.8
24/04/2019 14:51:32 check_vnc_tls_mode: reply: 18 (ANONTLS)
24/04/2019 14:51:32 Using Anonymous Diffie-Hellman mode.
24/04/2019 14:51:32 WARNING: Anonymous Diffie-Hellman uses encryption but is
24/04/2019 14:51:32 WARNING: susceptible to a Man-In-The-Middle attack.
24/04/2019 14:51:32 loaded Diffie Hellman 1024 bits, 0.000s
24/04/2019 14:51:32 SSL: ssl_init[16751]: 11/11 initialization timeout: 20
secs.
24/04/2019 14:51:32 SSL: ssl_helper[16751]: SSL_accept() *FATAL: -1 SSL
FAILED
24/04/2019 14:51:32 SSL: error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher
24/04/2019 14:51:32 SSL: ssl_helper[16751]: Proto: unknown
24/04/2019 14:51:32 SSL: ssl_helper[16751]: exit case 2 (ssl_init failed)
24/04/2019 14:51:32 SSL: accept_openssl: cookie from ssl_helper[16751]
FAILED. 0


Thanks !




Re: Connect to VNC server with SSL

Posted by Kamal Ezzaki <ka...@gmail.com>.
Hi Idhren,

you forgot to put the output of your log files