1This directory contains a patched Java applet VNC viewer that is SSL 2enabled. 3 4The patches in the *.patch files are relative to the source tarball: 5 6 tightvnc-1.3dev7_javasrc.tar.gz 7 8currently (4/06) available here: 9 10 http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download 11 12It also includes some simple patches to: 13 14 - fix richcursor colors 15 16 - make the Java Applet cursor (not the cursor drawn to the canvas 17 framebuffer) invisible when it is inside the canvas. 18 19 - allow Tab (and some other) keystrokes to be sent to the vnc 20 server instead of doing widget traversal. 21 22 23This SSL applet should work with any VNC viewer that has an SSL tunnel in 24front of it. It has been tested on x11vnc and using the stunnel tunnel 25to other VNC servers. 26 27By default this Vnc Viewer will only do SSL. To do unencrypted traffic 28see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc). 29 30Proxies: they are a general problem with java socket applets (a socket 31connection does not go through the proxy). See the info in the proxy.vnc 32file for a workaround. It uses SignedVncViewer.jar which is simply 33a signed version of VncViewer.jar. The basic idea is the user clicks 34"Yes" to trust the applet and then it can connect directly to the proxy 35and issue a CONNECT request. 36 37This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun 38Java plugin. It may not work on older releases or different vendor VM's. 39Send full Java Console output for failures. 40 41--------------------------------------------------------------- 42Tips: 43 44When doing single-port proxy connections (e.g. both VNC and HTTPS 45thru port 5900) it helps to move through the 'do you trust this site' 46dialogs quickly. x11vnc has to wait to see if the traffic is VNC or 47HTTP and this can cause timeouts if you don't move thru them quickly. 48 49You may have to restart your browser completely if it gets into a 50weird state. For one case we saw the JVM requesting VncViewer.class 51even when no such file exists. 52 53 54--------------------------------------------------------------- 55Extras: 56 57ss_vncviewer (not Java): 58 59 Wrapper script for native VNC viewer to connect to x11vnc in 60 SSL mode. Script launches stunnel(8) and then connects to it 61 via localhost which in turn is then redirected to x11vnc via an 62 SSL tunnel. stunnel(8) must be installed and available in PATH. 63 64 65Running Java SSL VncViewer from the command line: 66 67 From this directory: 68 69 java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport> 70 71 substitute <thehost> and <theport> with the actual values. 72 You can add any other parameters, e.g.: ignoreProxy yes 73 74--------------------------------------------------------------- 75UltraVNC: 76 77The UltraVNC java viewer has also been patched to support SSL. Various 78bugs in the UltraVNC java viewer were also fixed. This viewer can be 79useful because is support UltraVNC filetransfer, and so it works on 80Unix, etc. 81 82UltraViewerSSL.jar 83SignedUltraViewerSSL.jar 84ultra.vnc 85ultraproxy.vnc 86ultravnc-102-JavaViewer-ssl-etc.patch 87 88--------------------------------------------------------------- 89Applet Parameters: 90 91Some additional applet parameters can be set via the URL, e.g. 92 93 http://host:5800/?param=value 94 http://host:5800/ultra.vnc?param=value 95 https://host:5900/ultra.vnc?param=value 96 97etc. If running java from command line as show above, it comes 98in as java ... VncViewer param value ... 99 100There is a limitation with libvncserver that param and value can 101only be alphanumeric, underscore, "+" (for space), or "." 102 103We have added some applet parameters to the stock VNC java 104viewers. Here are the applet parameters: 105 106Both TightVNC and UltraVNC Java viewers: 107 108 HOST 109 string, default: none. 110 The Hostname to connect to. 111 112 PORT 113 number, default: 0 114 The VNC server port to connect to. 115 116 Open New Window 117 yes/no, default: no 118 Run applet in separate frame. 119 120 Show Controls 121 yes/no, default: yes 122 Show Controls button panel. 123 124 Show Offline Desktop 125 yes/no, default: no 126 Do we continue showing desktop on remote disconnect? 127 128 Defer screen updates 129 number, default: 20 130 Milliseconds delay 131 132 Defer cursor updates 133 number, default: 10 134 Milliseconds delay 135 136 Defer update requests 137 number, default: 50 138 Milliseconds delay 139 140 PASSWORD 141 string, default: none 142 VNC session password in plain text. 143 144 ENCPASSWORD 145 string, default: none 146 VNC session password in encrypted in DES with KNOWN FIXED 147 key. It is a hex string. This is like the ~/.vnc/passwd format. 148 149 150 The following are added by x11vnc and/or ssvnc project 151 152 VNCSERVERPORT 153 number, default: 0 154 Like PORT, but if there is a firewall this is the Actual VNC 155 server port. PORT might be a redir port on the firewall. 156 157 DisableSSL 158 yes/no, default: no 159 Do unencrypted connection, no SSL. 160 161 httpsPort 162 number, default: none 163 When checking for proxy, use this at the url port number. 164 165 CONNECT 166 string, default: none 167 Sets to host:port for the CONNECT line to a Web proxy. 168 The Web proxy should connect us to it. 169 170 GET 171 yes/no, default: no 172 Set to do a special HTTP GET (/request.https.vnc.connection) 173 to the vnc server that will cause it to switch to VNC instead. 174 This is to speedup/make more robust, the single port HTTPS and VNC 175 mode of x11vnc (e.g. both services thru port 5900, etc) 176 177 urlPrefix 178 string, default: none 179 set to a string that will be prefixed to all URL's when contacting 180 the VNC server. Idea is a special proxy will use this to indicate 181 internal hostname, etc. 182 183 oneTimeKey 184 string, default: none 185 set a special hex "key" to correspond to an SSL X.509 cert+key. 186 See the 'onetimekey' helper script. Can also be PROMPT to prompt 187 the user to paste the hex key string in. 188 189 This provides a Client-Side cert+key that the client will use to 190 authenticate itself by SSL To the VNC Server. 191 192 This is to try to work around the problem that the Java applet 193 cannot keep an SSL keystore on disk, etc. E.g. if they log 194 into an HTTPS website via password they are authenticated and 195 encrypted, then the website can safely put oneTimeKey=... on the 196 URL. The Vncviewer authenticates the VNC server with this key. 197 198 Note that there is currently a problem in that if x11vnc requires 199 Client Certificates the user cannot download the index.vnc HTML 200 and VncViewer.jar from the same x11vnc. Those need to come from 201 a different x11vnc or from a web server. 202 203 Note that the HTTPS website can also put the VNC Password 204 (e.g. a temporary/one-time one) in the parameter PASSWORD. 205 The Java Applet will automatically supply this VNC password 206 instead of prompting. 207 208 serverCert 209 string, default: none 210 set a special hex "cert" to correspond to an SSL X.509 cert 211 See the 'onetimekey -certonly' helper script. 212 213 This provides a Server-Side cert that the client will authenticate 214 the VNC Server against by SSL. 215 216 This is to try to work around the problem that the Java applet 217 cannot keep an SSL keystore on disk, etc. E.g. if they log 218 into an HTTPS website via password they are authenticated and 219 encrypted, then the website can safely put serverCert=... on the 220 URL. 221 222 Of course the VNC Server is sending this string to the Java 223 Applet, so this is only reasonable security if the VNC Viewer 224 already trusts the HTTPS retrieval of the URL + serverCert param 225 that it gets. This should be done over HTTPS not HTTP. 226 227 proxyHost 228 string, default: none 229 Do not try to guess the proxy's hostname, use the value in 230 proxyHost. Does not imply forceProxy (below.) 231 232 proxyPort 233 string, default: none 234 Do not try to guess the proxy's port number, use the value in 235 proxyPort. Does not imply forceProxy (below.) 236 237 forceProxy 238 yes/no, default: no 239 Assume there is a proxy and force its use. 240 241 If a string other than "yes" or "no" is given, it implies "yes" 242 and uses the string for proxyHost and proxyPort (see above). 243 In this case the string must be of the form "hostname+port". 244 Note that it is "+" and not ":" before the port number. 245 246 ignoreProxy 247 yes/no, default: no 248 Don't check for a proxy, assume there is none. 249 250 trustAllVncCerts 251 yes/no, default: no 252 Automatically trust any cert received from the VNC server 253 (obviously this could be dangerous and lead to man in the 254 middle attack). Do not ask the user to verify any of these 255 certs from the VNC server. 256 257 trustUrlVncCert 258 yes/no, default: no 259 Automatically trust any cert that the web browsers has accepted. 260 E.g. the user said "Yes" or "Continue" to a web browser dialog 261 regarding a certificate. If we get the same cert (chain) from 262 the VNC server we trust it without prompting the user. 263 264 debugCerts 265 yes/no, default: no 266 Print out every cert in the Server, TrustUrl, TrustAll chains. 267 268 269TightVNC Java viewer only: 270 271 Offer Relogin 272 yes/no, default: yes 273 "Offer Relogin" set to "No" disables "Login again" 274 275 SocketFactory 276 string, default: none 277 set Java Socket class factory. 278 279UltraVNC Java viewer only: 280 281 None. 282 283 The following are added by x11vnc and/or ssvnc project 284 285 ftpDropDown 286 string, default: none 287 Sets the file transfer "drives" dropdown to the "." separated 288 list. Use "+" for space. The default is 289 290 My+Documents.Desktop.Home 291 292 for 3 entries in the dropdown in addition to the "drives" 293 (e.g. C:\) These items should be expanded properly by the VNC 294 Server. x11vnc will prepend $HOME to them, which is normally 295 what one wants. To include a "/" use "_2F_". Another example: 296 297 Home.Desktop.bin_2F_linux 298 299 If an item is prefixed with "TOP_" then the item is inserted at 300 the top of the drop down rather than being appended to the end. 301 E.g. to try to initially load the user homedir instead of /: 302 303 TOP_Home.My+Documents.Desktop 304 305 If ftpDropDown is set to the empty string, "", then no special 306 locations, [Desktop] etc., are placed in the drop down. Only the 307 ultravnc "drives" will appear. 308 309 ftpOnly 310 yes/no, default: no 311 The VNC viewer only shows the filetransfer panel, no desktop 312 is displayed. 313 314 graftFtp 315 yes/no, default: no 316 As ftpOnly, the VNC viewer only shows the filetransfer panel, 317 no desktop is displayed, however it is "grafted" onto an existing 318 SSVNC unix vncviewer. The special SSVNC vncviewer merges the two 319 channels. 320 321 dsmActive 322 yes/no, default: no 323 Special usage mode with the SSVNC unix vncviewer. The UltraVNC 324 DSM encryption is active. Foolishly, UltraVNC DSM encryption 325 *MODIFIES* the VNC protocol when active (it is not a pure tunnel). 326 This option indicates to modify the VNC protocol to make this work. 327 Usually only used with graftFtp and SSVNC unix vncviewer. 328 329 delayAuthPanel 330 yes/no, default: no 331 This is another special usage mode with the SSVNC unix vncviewer. 332 A login panel is delayed (not shown at startup.) Could be useful 333 for non SSVNC usage too. 334 335 ignoreMSLogonCheck 336 yes/no, default: no 337 Similar to delayAuthPanel, do not put up a popup asking for 338 Windows username, etc. 339