1

In tigervnc, how to add and deploy X509 certificate TLS encryption in linux environment?

owenlin717
  • 13
  • 6
  • @AbdullahIbnFulan That seems pretty comprehensive... why not put it in as an answer? – Peregrino69 Sep 26 '21 at 14:02
  • Can you be more specific, please? I also generated a private key in PEM format and created a signing certificate in PEM format, edited the configuration files, and copied the certificate to the client, but got the error "Authentiction failure:error loading x509 certificate or key". And how do I set GnuTLSPriority? – owenlin717 Sep 26 '21 at 14:47

1 Answer

1

From the x0vncserver man page:

-SecurityTypes sec-types
    Specify which security scheme to use for incoming connections. Valid values are a comma separated list of None, VncAuth, Plain, TLSNone, TLSVnc, TLSPlain, X509None, X509Vnc and X509Plain. Default is VncAuth,TLSVnc.

-X509Cert path
    Path to a X509 certificate in PEM format to be used for all X509 based security types (X509None, X509Vnc, etc.).

-X509Key path
    Private key counter part to the certificate given in X509Cert. Must also be in PEM format.

-GnuTLSPriority priority
    GnuTLS priority string that controls the TLS session's handshake algorithms. See the GnuTLS manual for possible values. Default is NORMAL.

So basically you have to set -SecurityTypes X509... and then provide the path of your cert and private key in -X509Cert and -X509Key. The -GnuTLSPriority option sets the GnuTLS priority.

The list of possible GnuTLS priorities is exhaustive, as there are a lot of cipher suites. Read the GnuTLS docs.

Apology: I am not sure if this is the right answer because it is untested, and I have never used X509 certs for VNC (well, my web browsers read them for me). It looked too clumsy as a comment.

Abdullah Ibn Fulan
  • 1,190
  • 4
  • 19
  • I still got the error "Authentiction failure:error loading x509 certificate or key". The following is my custom user configuration file, please help me check it: `session=gnome geometry=2000x1200 alwaysshared securitytypes=X509Vnc,VncAuth X509Key=/root/.vnc/ssl/ca.private.rsa.4096.key.pem X509Cert=/root/.vnc/ssl/ca.sign.rsa.4096.key.pem GnuTLSPriority=NORMAL` – owenlin717 Sep 27 '21 at 03:52
  • Is the user root user, otherwise how could the user read from `/root`? – Abdullah Ibn Fulan Sep 28 '21 at 01:44
  • It was an oversight. It works now. I used an ordinary user to do all the steps and it worked; the problem was that when I switched users, privilege issues happened. Thank you very much for your help. – owenlin717 Sep 28 '21 at 08:38
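As an added example (not part of the answer above and not TigerVNC's own code), the following POSIX shell script generates a self-signed PEM key and certificate with openssl, writes the options from the thread into ~/.vnc/config, and then checks the two things that produce "error loading x509 certificate or key" in practice: the files are not readable by the account that runs the server (the /root problem in the comments) or the key does not belong to the certificate. The directory and file names are assumptions.

```shell
#!/bin/sh
# Example added here, not from the original answer. Assumes openssl is on PATH.
# VNC_DIR/SSL_DIR are constructed names; override them before calling the functions.
VNC_DIR="${VNC_DIR:-$HOME/.vnc}"
SSL_DIR="${SSL_DIR:-$VNC_DIR/ssl}"

# Generate a 4096-bit RSA key and a self-signed certificate, both PEM,
# as -X509Key / -X509Cert require. Keep the key private to the VNC user.
gen_cert() {
    host="${1:-localhost}"
    mkdir -p "$SSL_DIR" && chmod 700 "$SSL_DIR"
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$SSL_DIR/vnc.key.pem" -out "$SSL_DIR/vnc.cert.pem" 2>/dev/null
    chmod 600 "$SSL_DIR/vnc.key.pem"
}

# Write the server options discussed in the thread as ~/.vnc/config.
write_config() {
    cat > "$VNC_DIR/config" <<EOF
securitytypes=X509Vnc,VncAuth
X509Cert=$SSL_DIR/vnc.cert.pem
X509Key=$SSL_DIR/vnc.key.pem
GnuTLSPriority=NORMAL
EOF
}

# Verify, as the user who will run the server, that the cert and key named in
# the config are readable and that the key's modulus matches the certificate.
check_config() {
    cfg="$VNC_DIR/config"
    cert=$(sed -n 's/^X509Cert=//p' "$cfg")
    key=$(sed -n 's/^X509Key=//p' "$cfg")
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    c=$(openssl x509 -in "$cert" -noout -modulus)
    k=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ] || { echo "key does not match cert" >&2; return 1; }
    return 0
}
```

Run check_config under the same account that launches vncserver; a key that is only readable by root will fail here the same way it fails inside the server.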