Name                                                                      Date         Size       #Lines  LOC
Makefile.am                                                               22-Nov-2023  182        3       1
README                                                                    22-Nov-2023  10.6 KiB   339     249
SignedUltraViewerSSL.jar                                                  22-Nov-2023  110.5 KiB
SignedVncViewer.jar                                                       22-Nov-2023  87.1 KiB
UltraViewerSSL.jar                                                        22-Nov-2023  107.5 KiB
VncViewer.jar                                                             22-Nov-2023  84.2 KiB
index.vnc                                                                 22-Nov-2023  892        27      13
onetimekey                                                                22-Nov-2023  1.6 KiB    66      32
proxy.vnc                                                                 22-Nov-2023  2.5 KiB    74      13
ss_vncviewer                                                              22-Nov-2023  92.7 KiB   3,677   3,139
tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch   22-Nov-2023  3.5 KiB    112     104
tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch                              22-Nov-2023  74.8 KiB   2,601   2,563
ultra.vnc                                                                 22-Nov-2023  981        29      15
ultraproxy.vnc                                                            22-Nov-2023  996        29      15
ultrasigned.vnc                                                           22-Nov-2023  987        29      15
ultravnc-102-JavaViewer-ssl-etc.patch                                     22-Nov-2023  158.2 KiB  5,495   5,343

README

This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

	tightvnc-1.3dev7_javasrc.tar.gz

currently (4/06) available here:

   http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

	- fix richcursor colors

	- make the Java Applet cursor (not the cursor drawn to the canvas
	  framebuffer) invisible when it is inside the canvas.

	- allow Tab (and some other) keystrokes to be sent to the vnc
	  server instead of doing widget traversal.


This SSL applet should work with any VNC server that has an SSL tunnel in
front of it.  It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this Vnc Viewer will only do SSL.  To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).

Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy).  See the info in the proxy.vnc
file for a workaround.  It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar.  The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.
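
The CONNECT step described above, as an added example (not code from the applet or from the x11vnc project).  It assumes an HTTP/1.0 request line and a constructed target "vnchost:5900"; the proxy side is a canned reply fed through a local socketpair.

```python
import socket

def connect_request(target):
    """Bytes of the CONNECT request for a 'host:port' target."""
    if any(c in target for c in "\r\n\t "):
        raise ValueError("whitespace in CONNECT target")
    host, sep, port = target.rpartition(":")
    if not (sep and host and port.isdigit()):
        raise ValueError(f"CONNECT target must be host:port, got {target!r}")
    return f"CONNECT {target} HTTP/1.0\r\n\r\n".encode("ascii")

def read_proxy_reply(sock, limit=8192):
    """Read the proxy's header block one byte at a time, stopping at the blank
    line so that no byte belonging to the SSL session that follows is consumed."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte or len(buf) >= limit:
            raise ConnectionError("proxy closed or sent an oversized header")
        buf += byte
    fields = buf.split(b"\r\n", 1)[0].decode("latin-1").split(None, 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        raise ConnectionError("malformed proxy status line")
    return int(fields[1])

def open_tunnel(sock, target):
    """Send CONNECT on an already-connected proxy socket and return the socket
    once the proxy answers 2xx.  The caller then starts SSL on that socket."""
    sock.sendall(connect_request(target))
    code = read_proxy_reply(sock)
    if not 200 <= code < 300:
        raise ConnectionError(f"proxy refused CONNECT: {code}")
    return sock

def demo(reply):
    """Run open_tunnel against a constructed proxy reply; return what the proxy saw."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(reply)                 # canned reply (constructed)
        open_tunnel(client, "vnchost:5900")  # hypothetical VNC host and port
        return proxy.recv(1024)
    finally:
        client.close()
        proxy.close()
```
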

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin.  It may not work on older releases or different vendor VMs.
Send full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly.   x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state.  For one case we saw the JVM requesting VncViewer.class
even when no such file exists.


---------------------------------------------------------------
Extras:

ss_vncviewer (not Java):

        Wrapper script for native VNC viewer to connect to x11vnc in
        SSL mode.  Script launches stunnel(8) and then connects to it
        via localhost which in turn is then redirected to x11vnc via an
        SSL tunnel.  stunnel(8) must be installed and available in PATH.


Running Java SSL VncViewer from the command line:

	From this directory:

	java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

	substitute <thehost> and <theport> with the actual values.
	You can add any other parameters, e.g.: ignoreProxy yes

---------------------------------------------------------------
UltraVNC:

The UltraVNC java viewer has also been patched to support SSL.  Various
bugs in the UltraVNC java viewer were also fixed.  This viewer can be
useful because it supports UltraVNC filetransfer, and so it works on
Unix, etc.

UltraViewerSSL.jar
SignedUltraViewerSSL.jar
ultra.vnc
ultraproxy.vnc
ultravnc-102-JavaViewer-ssl-etc.patch

---------------------------------------------------------------
Applet Parameters:

Some additional applet parameters can be set via the URL, e.g.

	http://host:5800/?param=value
	http://host:5800/ultra.vnc?param=value
	https://host:5900/ultra.vnc?param=value

etc.  If running java from the command line as shown above, they are
passed as java ... VncViewer param value ...

There is a limitation with libvncserver that param and value can
only be alphanumeric, underscore, "+" (for space), or "."

We have added some applet parameters to the stock VNC java
viewers.  Here are the applet parameters:

Both TightVNC and UltraVNC Java viewers:

  HOST
	string, default: none.
	The Hostname to connect to.

  PORT
	number, default: 0
	The VNC server port to connect to.

  Open New Window
	yes/no, default: no
	Run applet in separate frame.

  Show Controls
	yes/no, default: yes
	Show Controls button panel.

  Show Offline Desktop
	yes/no, default: no
	Do we continue showing desktop on remote disconnect?

  Defer screen updates
	number, default: 20
	Milliseconds delay

  Defer cursor updates
	number, default: 10
	Milliseconds delay

  Defer update requests
	number, default: 50
	Milliseconds delay

  PASSWORD
	string, default: none
	VNC session password in plain text.

  ENCPASSWORD
	string, default: none
	VNC session password encrypted with DES using a KNOWN FIXED
	key.  It is a hex string.  This is like the ~/.vnc/passwd format.


  The following are added by x11vnc and/or ssvnc project

  VNCSERVERPORT
	number, default: 0
	Like PORT, but if there is a firewall this is the Actual VNC
	server port.  PORT might be a redir port on the firewall.

  DisableSSL
	yes/no, default: no
	Do unencrypted connection, no SSL.

  httpsPort
	number, default: none
	When checking for proxy, use this as the URL port number.

  CONNECT
	string, default: none
	Set to the host:port for the CONNECT line sent to a Web proxy.
	The Web proxy should connect us to it.

  GET
	yes/no, default: no
	Set to do a special HTTP GET (/request.https.vnc.connection)
	to the vnc server that will cause it to switch to VNC instead.
	This is to speed up, and make more robust, the single port HTTPS
	and VNC mode of x11vnc (e.g. both services thru port 5900, etc)

  urlPrefix
	string, default: none
	set to a string that will be prefixed to all URLs when contacting
	the VNC server.  Idea is a special proxy will use this to indicate
	internal hostname, etc.

  oneTimeKey
	string, default: none
	set a special hex "key" to correspond to an SSL X.509 cert+key.
	See the 'onetimekey' helper script.  Can also be PROMPT to prompt
	the user to paste the hex key string in.

	This provides a Client-Side cert+key that the client will use to
	authenticate itself by SSL to the VNC Server.

	This is to try to work around the problem that the Java applet
	cannot keep an SSL keystore on disk, etc.  E.g. if they log
	into an HTTPS website via password they are authenticated and
	encrypted, then the website can safely put oneTimeKey=... on the
	URL.  The VncViewer authenticates itself to the VNC server with
	this key.

	Note that there is currently a problem in that if x11vnc requires
	Client Certificates the user cannot download the index.vnc HTML
	and VncViewer.jar from the same x11vnc.  Those need to come from
	a different x11vnc or from a web server.

	Note that the HTTPS website can also put the VNC Password
	(e.g. a temporary/one-time one) in the parameter PASSWORD.
	The Java Applet will automatically supply this VNC password
	instead of prompting.

  serverCert
	string, default: none
	set a special hex "cert" to correspond to an SSL X.509 cert.
	See the 'onetimekey -certonly' helper script.

	This provides a Server-Side cert that the client will authenticate
	the VNC Server against by SSL.

	This is to try to work around the problem that the Java applet
	cannot keep an SSL keystore on disk, etc.  E.g. if they log
	into an HTTPS website via password they are authenticated and
	encrypted, then the website can safely put serverCert=... on the
	URL.

	Of course the VNC Server is sending this string to the Java
	Applet, so this is only reasonable security if the VNC Viewer
	already trusts the HTTPS retrieval of the URL + serverCert param
	that it gets.  This should be done over HTTPS not HTTP.

  proxyHost
	string, default: none
	Do not try to guess the proxy's hostname, use the value in
	proxyHost.  Does not imply forceProxy (below.)

  proxyPort
	string, default: none
	Do not try to guess the proxy's port number, use the value in
	proxyPort.  Does not imply forceProxy (below.)

  forceProxy
	yes/no, default: no
	Assume there is a proxy and force its use.

	If a string other than "yes" or "no" is given, it implies "yes"
	and uses the string for proxyHost and proxyPort (see above).
	In this case the string must be of the form "hostname+port".
	Note that it is "+" and not ":" before the port number.

  ignoreProxy
	yes/no, default: no
	Don't check for a proxy, assume there is none.

  trustAllVncCerts
	yes/no, default: no
	Automatically trust any cert received from the VNC server
	(obviously this could be dangerous and lead to a man-in-the-middle
	attack).  Do not ask the user to verify any of these
	certs from the VNC server.

  trustUrlVncCert
	yes/no, default: no
	Automatically trust any cert that the web browser has accepted.
	E.g. the user said "Yes" or "Continue" to a web browser dialog
	regarding a certificate.  If we get the same cert (chain) from
	the VNC server we trust it without prompting the user.

  debugCerts
	yes/no, default: no
	Print out every cert in the Server, TrustUrl, TrustAll chains.
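
A review aid for the parameters listed above and for the libvncserver character limitation noted earlier, as an added example (not part of the applet or of x11vnc).  It checks a viewer URL for the settings this README itself marks as weakening the session; the sample URLs are constructed, and matching parameter names case-insensitively is an assumption.

```python
import re
from urllib.parse import urlsplit

# Characters libvncserver passes through for param names and values (README).
ALLOWED = re.compile(r"[A-Za-z0-9_+.]*")

def audit_applet_url(url):
    """Return a list of findings for one viewer URL; empty means nothing flagged."""
    parts = urlsplit(url)
    findings, params = [], {}
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        if not (ALLOWED.fullmatch(name) and ALLOWED.fullmatch(value)):
            findings.append(f"{name}: characters outside [A-Za-z0-9_+.]")
        params[name.lower()] = value  # assumption: names match case-insensitively

    def is_yes(key):
        return params.get(key, "no").lower() == "yes"

    if is_yes("disablessl"):
        findings.append("DisableSSL: session is not encrypted")
    if is_yes("trustallvnccerts"):
        findings.append("trustAllVncCerts: VNC server cert is never verified")
    if "password" in params:
        findings.append("PASSWORD: plain-text VNC password in the URL")
    if "encpassword" in params:
        findings.append("ENCPASSWORD: fixed-key DES, treat as plain text")
    if parts.scheme != "https":
        # The README only calls these reasonable when the page came over HTTPS.
        if params.get("onetimekey", "PROMPT") != "PROMPT":
            findings.append("oneTimeKey: client key sent without HTTPS")
        if "servercert" in params:
            findings.append("serverCert: pinned cert sent without HTTPS")
    return findings

# Constructed sample URLs, not taken from any real deployment.
SAMPLES = [
    "http://host:5800/?DisableSSL=yes&PASSWORD=secret1",
    "https://host:5900/ultra.vnc?serverCert=2d2d2d&trustUrlVncCert=yes",
    "http://host:5800/?oneTimeKey=abc123&HOST=my-host",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit_applet_url(sample) or "ok")
```
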


TightVNC Java viewer only:

  Offer Relogin
	yes/no, default: yes
	"Offer Relogin" set to "No" disables "Login again"

  SocketFactory
	string, default: none
	set Java Socket class factory.

UltraVNC Java viewer only:

  None.

  The following are added by x11vnc and/or ssvnc project

  ftpDropDown
	string, default: none
	Sets the file transfer "drives" dropdown to the "." separated
	list.  Use "+" for space. The default is

		My+Documents.Desktop.Home

	for 3 entries in the dropdown in addition to the "drives"
	(e.g. C:\)  These items should be expanded properly by the VNC
	Server.  x11vnc will prepend $HOME to them, which is normally
	what one wants.  To include a "/" use "_2F_".  Another example:

		Home.Desktop.bin_2F_linux

	If an item is prefixed with "TOP_" then the item is inserted at
	the top of the drop down rather than being appended to the end.
	E.g. to try to initially load the user homedir instead of /:

		TOP_Home.My+Documents.Desktop

	If ftpDropDown is set to the empty string, "", then no special
	locations, [Desktop] etc., are placed in the drop down.  Only the
	ultravnc "drives" will appear.

  ftpOnly
	yes/no, default: no
	The VNC viewer only shows the filetransfer panel, no desktop
	is displayed.

  graftFtp
	yes/no, default: no
	As ftpOnly, the VNC viewer only shows the filetransfer panel,
	no desktop is displayed, however it is "grafted" onto an existing
	SSVNC unix vncviewer.  The special SSVNC vncviewer merges the two
	channels.

  dsmActive
	yes/no, default: no
	Special usage mode with the SSVNC unix vncviewer.  The UltraVNC
	DSM encryption is active.  Foolishly, UltraVNC DSM encryption
	*MODIFIES* the VNC protocol when active (it is not a pure tunnel).
	This option indicates to modify the VNC protocol to make this work.
	Usually only used with graftFtp and SSVNC unix vncviewer.

  delayAuthPanel
	yes/no, default: no
	This is another special usage mode with the SSVNC unix vncviewer.
	A login panel is delayed (not shown at startup.)  Could be useful
	for non SSVNC usage too.

  ignoreMSLogonCheck
	yes/no, default: no
	Similar to delayAuthPanel, do not put up a popup asking for
	Windows username, etc.

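
The ftpDropDown encoding described above ("." separators, "+" for space, "_2F_" for "/", the "TOP_" prefix and the empty-string case), as an added example that is not code from the viewer.  The drives list is constructed, and keeping several TOP_ items in their listed order is an assumption the README does not settle.

```python
DEFAULT = "My+Documents.Desktop.Home"   # default value given in the README

def decode_item(token):
    """Undo the URL-safe encoding: '+' is a space, '_2F_' is '/'."""
    return token.replace("+", " ").replace("_2F_", "/")

def build_dropdown(param, drives):
    """Return the dropdown entries for an ftpDropDown value.

    param  -- raw parameter value, or None when the parameter is absent
    drives -- the UltraVNC "drives" entries (constructed in the demo below)
    """
    if param is None:
        param = DEFAULT
    top, tail = [], []
    for token in param.split("."):
        if not token:
            # Empty value ("") or a stray separator: contributes no entry.
            continue
        if token.startswith("TOP_"):
            top.append(decode_item(token[len("TOP_"):]))
        else:
            tail.append(decode_item(token))
    # Assumption: several TOP_ items keep their listed order at the top.
    return top + list(drives) + tail

if __name__ == "__main__":
    drives = ["C:\\"]   # constructed sample drive list
    for value in (None, "Home.Desktop.bin_2F_linux",
                  "TOP_Home.My+Documents.Desktop", ""):
        print(repr(value), "->", build_dropdown(value, drives))
```
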