/external/libvncserver/webclients/java-applet/ssl
Name                                          Date         Size
index.vnc                                     06-Dec-2017  892
Makefile.am                                   06-Dec-2017  182
onetimekey                                    06-Dec-2017  1.6K
proxy.vnc                                     06-Dec-2017  2.5K
README                                        06-Dec-2017  10.6K
SignedUltraViewerSSL.jar                      06-Dec-2017  110.5K
SignedVncViewer.jar                           06-Dec-2017  87.1K
ss_vncviewer                                  06-Dec-2017  92.7K
tightvnc-1.3dev7_javasrc-vncviewer-cursor-colors+no-tab-traversal.patch  06-Dec-2017  3.5K
tightvnc-1.3dev7_javasrc-vncviewer-ssl.patch  06-Dec-2017  74.8K
ultra.vnc                                     06-Dec-2017  981
ultraproxy.vnc                                06-Dec-2017  996
ultrasigned.vnc                               06-Dec-2017  987
UltraViewerSSL.jar                            06-Dec-2017  107.5K
ultravnc-102-JavaViewer-ssl-etc.patch         06-Dec-2017  158.2K
VncViewer.jar                                 06-Dec-2017  84.2K

README

This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

        tightvnc-1.3dev7_javasrc.tar.gz

currently (4/06) available here:

   http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

        - fix richcursor colors

        - make the Java Applet cursor (not the cursor drawn to the canvas
          framebuffer) invisible when it is inside the canvas.

        - allow Tab (and some other) keystrokes to be sent to the vnc
          server instead of doing widget traversal.


This SSL applet should work with any VNC server that has an SSL tunnel in
front of it.  It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this Vnc Viewer will only do SSL.  To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).

Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy).  See the info in the proxy.vnc
file for a workaround.  It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar.  The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin.  It may not work on older releases or different vendor VMs.
Send full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly.   x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state.  In one case we saw the JVM requesting VncViewer.class
even when no such file exists.


---------------------------------------------------------------
Extras:

ss_vncviewer (not Java):

        Wrapper script for native VNC viewer to connect to x11vnc in
        SSL mode.  Script launches stunnel(8) and then connects to it
        via localhost which in turn is then redirected to x11vnc via an
        SSL tunnel.  stunnel(8) must be installed and available in PATH.


Running Java SSL VncViewer from the command line:

        From this directory:

        java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

        substitute <thehost> and <theport> with the actual values.
        You can add any other parameters, e.g.: ignoreProxy yes

---------------------------------------------------------------
UltraVNC:

The UltraVNC java viewer has also been patched to support SSL.  Various
bugs in the UltraVNC java viewer were also fixed.  This viewer can be
useful because it supports UltraVNC filetransfer, and so it works on
Unix, etc.

UltraViewerSSL.jar
SignedUltraViewerSSL.jar
ultra.vnc
ultraproxy.vnc
ultravnc-102-JavaViewer-ssl-etc.patch

---------------------------------------------------------------
Applet Parameters:

Some additional applet parameters can be set via the URL, e.g.

        http://host:5800/?param=value
        http://host:5800/ultra.vnc?param=value
        https://host:5900/ultra.vnc?param=value

etc.  If running java from the command line as shown above, the
parameters come in as java ... VncViewer param value ...

There is a limitation with libvncserver that param and value can
only be alphanumeric, underscore, "+" (for space), or "."

We have added some applet parameters to the stock VNC java
viewers.  Here are the applet parameters:

Both TightVNC and UltraVNC Java viewers:

  HOST
        string, default: none.
        The Hostname to connect to.

  PORT
        number, default: 0
        The VNC server port to connect to.

  Open New Window
        yes/no, default: no
        Run applet in separate frame.

  Show Controls
        yes/no, default: yes
        Show Controls button panel.

  Show Offline Desktop
        yes/no, default: no
        Do we continue showing desktop on remote disconnect?

  Defer screen updates
        number, default: 20
        Milliseconds delay

  Defer cursor updates
        number, default: 10
        Milliseconds delay

  Defer update requests
        number, default: 50
        Milliseconds delay

  PASSWORD
        string, default: none
        VNC session password in plain text.

  ENCPASSWORD
        string, default: none
        VNC session password encrypted with DES using a KNOWN FIXED
        key.  It is a hex string.  This is like the ~/.vnc/passwd format.


  The following are added by the x11vnc and/or ssvnc projects:

  VNCSERVERPORT
        number, default: 0
        Like PORT, but if there is a firewall this is the Actual VNC
        server port.  PORT might be a redir port on the firewall.

  DisableSSL
        yes/no, default: no
        Do unencrypted connection, no SSL.

  httpsPort
        number, default: none
        When checking for proxy, use this as the URL port number.

  CONNECT
        string, default: none
        Set to the host:port for the CONNECT line sent to a Web proxy.
        The Web proxy should connect us to it.

  GET
        yes/no, default: no
        Set to do a special HTTP GET (/request.https.vnc.connection)
        to the vnc server that will cause it to switch to VNC instead.
        This is to speed up, and make more robust, the single-port HTTPS
        and VNC mode of x11vnc (e.g. both services thru port 5900, etc)

  urlPrefix
        string, default: none
        Set to a string that will be prefixed to all URLs when contacting
        the VNC server.  The idea is that a special proxy will use this to
        indicate internal hostname, etc.

  oneTimeKey
        string, default: none
        Set a special hex "key" to correspond to an SSL X.509 cert+key.
        See the 'onetimekey' helper script.  Can also be PROMPT to prompt
        the user to paste the hex key string in.

        This provides a Client-Side cert+key that the client will use to
        authenticate itself by SSL to the VNC Server.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc.  E.g. if they log
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put oneTimeKey=... on the
        URL.  The Vncviewer authenticates itself to the VNC server with
        this key.

        Note that there is currently a problem in that if x11vnc requires
        Client Certificates the user cannot download the index.vnc HTML
        and VncViewer.jar from the same x11vnc.  Those need to come from
        a different x11vnc or from a web server.

        Note that the HTTPS website can also put the VNC Password
        (e.g. a temporary/one-time one) in the parameter PASSWORD.
        The Java Applet will automatically supply this VNC password
        instead of prompting.

  serverCert
        string, default: none
        Set a special hex "cert" to correspond to an SSL X.509 cert.
        See the 'onetimekey -certonly' helper script.

        This provides a Server-Side cert that the client will authenticate
        the VNC Server against by SSL.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc.  E.g. if they log
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put serverCert=... on the
        URL.

        Of course the VNC Server is sending this string to the Java
        Applet, so this is only reasonable security if the VNC Viewer
        already trusts the HTTPS retrieval of the URL + serverCert param
        that it gets.  This should be done over HTTPS not HTTP.

  proxyHost
        string, default: none
        Do not try to guess the proxy's hostname, use the value in
        proxyHost.  Does not imply forceProxy (below).

  proxyPort
        string, default: none
        Do not try to guess the proxy's port number, use the value in
        proxyPort.  Does not imply forceProxy (below).

  forceProxy
        yes/no, default: no
        Assume there is a proxy and force its use.

        If a string other than "yes" or "no" is given, it implies "yes"
        and uses the string for proxyHost and proxyPort (see above).
        In this case the string must be of the form "hostname+port".
        Note that it is "+" and not ":" before the port number.

  ignoreProxy
        yes/no, default: no
        Don't check for a proxy, assume there is none.

  trustAllVncCerts
        yes/no, default: no
        Automatically trust any cert received from the VNC server
        (obviously this could be dangerous and lead to a man-in-the-
        middle attack).  Do not ask the user to verify any of these
        certs from the VNC server.

  trustUrlVncCert
        yes/no, default: no
        Automatically trust any cert that the web browser has accepted.
        E.g. the user said "Yes" or "Continue" to a web browser dialog
        regarding a certificate.  If we get the same cert (chain) from
        the VNC server we trust it without prompting the user.

  debugCerts
        yes/no, default: no
        Print out every cert in the Server, TrustUrl, TrustAll chains.

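A pre-publication check for applet URLs, added here as an example (it is
not part of the x11vnc, ssvnc or libvncserver code).  It enforces the
libvncserver character limitation and flags the settings this README
warns about.  The name lint_applet_url, the finding strings and the
case-insensitive name matching are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Characters libvncserver accepts in param names and values, per the README:
# alphanumeric, underscore, "+" (stands for space) and ".".
ALLOWED = re.compile(r"[A-Za-z0-9_+.]*")
# Parameters whose value is a credential or a trust anchor.
SECRET_PARAMS = {"password", "encpassword", "onetimekey", "servercert"}

# Constructed sample URLs (the host name is the README's placeholder).
SAMPLES = [
    "https://host:5900/ultra.vnc?forceProxy=gw.example.com+8080",
    "http://host:5800/?PASSWORD=s3cret&trustAllVncCerts=yes",
    "https://host:5900/?proxyHost=gw:8080",
]


def lint_applet_url(url):
    """Return a list of findings for a VNC applet URL (empty list = clean)."""
    parts = urlsplit(url)
    findings, params = [], {}
    # Split by hand: parse_qs would turn "+" into a space and hide bad bytes.
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        if not (ALLOWED.fullmatch(name) and ALLOWED.fullmatch(value)):
            findings.append(f"{name}: characters outside [A-Za-z0-9_+.]")
        params[name.lower()] = value  # assumption: names match case-insensitively

    def is_yes(key):
        return params.get(key, "no").lower() == "yes"

    if is_yes("disablessl"):
        findings.append("DisableSSL=yes: VNC traffic is unencrypted")
    if is_yes("trustallvnccerts"):
        findings.append("trustAllVncCerts=yes: server cert is never verified")
    if parts.scheme != "https":
        for key in sorted(params.keys() & SECRET_PARAMS):
            findings.append(f"{key}: secret or trust anchor sent over {parts.scheme}")
    if "password" in params:
        findings.append("PASSWORD: plain-text VNC password in the URL")
    if "encpassword" in params:
        findings.append("ENCPASSWORD: fixed-key DES, treat as plain text")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, lint_applet_url(sample))
```
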

TightVNC Java viewer only:

  Offer Relogin
        yes/no, default: yes
        "Offer Relogin" set to "No" disables "Login again"

  SocketFactory
        string, default: none
        set Java Socket class factory.

UltraVNC Java viewer only:

  None.

  The following are added by the x11vnc and/or ssvnc projects:

  ftpDropDown
        string, default: none
        Sets the file transfer "drives" dropdown to the "." separated
        list.  Use "+" for space. The default is

                My+Documents.Desktop.Home

        for 3 entries in the dropdown in addition to the "drives"
        (e.g. C:\).  These items should be expanded properly by the VNC
        Server.  x11vnc will prepend $HOME to them, which is normally
        what one wants.  To include a "/" use "_2F_".  Another example:

                Home.Desktop.bin_2F_linux

        If an item is prefixed with "TOP_" then the item is inserted at
        the top of the drop down rather than being appended to the end.
        E.g. to try to initially load the user homedir instead of /:

                TOP_Home.My+Documents.Desktop

        If ftpDropDown is set to the empty string, "", then no special
        locations, [Desktop] etc., are placed in the drop down.  Only the
        ultravnc "drives" will appear.

  ftpOnly
        yes/no, default: no
        The VNC viewer only shows the filetransfer panel, no desktop
        is displayed.

  graftFtp
        yes/no, default: no
        As ftpOnly, the VNC viewer only shows the filetransfer panel,
        no desktop is displayed, however it is "grafted" onto an existing
        SSVNC unix vncviewer.  The special SSVNC vncviewer merges the two
        channels.

  dsmActive
        yes/no, default: no
        Special usage mode with the SSVNC unix vncviewer.  The UltraVNC
        DSM encryption is active.  Foolishly, UltraVNC DSM encryption
        *MODIFIES* the VNC protocol when active (it is not a pure tunnel).
        This option indicates to modify the VNC protocol to make this work.
        Usually only used with graftFtp and SSVNC unix vncviewer.

  delayAuthPanel
        yes/no, default: no
        This is another special usage mode with the SSVNC unix vncviewer.
        A login panel is delayed (not shown at startup).  Could be useful
        for non SSVNC usage too.

  ignoreMSLogonCheck
        yes/no, default: no
        Similar to delayAuthPanel, do not put up a popup asking for
        Windows username, etc.