我已经下载了增强型 Tight VNC 查看器 ( http://www.karlrunge.com/x11vnc/ssvnc.html ) 并按照说明将本地机器(运行 Win 7)上的查看器连接到另一台运行 x11vnc 服务器的机器。
远程机器正在运行 ubuntu 16.04 并安装了 x11vnc 服务器 (v0.9.13)。我可以在没有 ssl 选项的情况下连接到它,但是当我使用 SSL 时它会失败。
遵循的步骤
This dialog helps you to create a simple Self-Signed SSL certificate.
On Unix the openssl(1) program must be installed and in $PATH.
On Windows, a copy of the openssl program is provided for convenience.
The resulting certificate files can be used for either:
1) authenticating yourself (VNC Viewer) to a VNC Server
or 2) your verifying the identity of a remote VNC Server.
In either case you will need to safely copy one of the generated key or
certificate files to the remote VNC Server and have the VNC Server use
it. Or you could send it to the system administrator of the VNC Server.
For the purpose of description, assume that the filename selected in the
"Save to file" entry is "vnccert.pem". That file will be generated
by this process and so will the "vnccert.crt" file. "vnccert.pem"
contains both the Private Key and the Public Certificate. "vnccert.crt"
only contains the Public Certificate.
For case 1) you would copy "vnccert.crt" to the VNC Server side and
instruct the server to use it. For x11vnc it would be for example:
x11vnc -sslverify /path/to/vnccert.crt -ssl SAVE ...
(it is also possible to handle many client certs at once in a directory,
see the -sslverify documentation). Then you would use "vnccert.pem"
as the MyCert entry in the SSL Certificates dialog.
For case 2) you would copy "vnccert.pem" to the VNC Server side and
instruct the server to use it. For x11vnc it would be for example:
x11vnc -ssl /path/to/vnccert.pem
Then you would use "vnccert.crt" as the as the ServerCert entry in the
"SSL Certificates" dialog.
Creating the Certificate:
Choose a output filename (ending in .pem) in the "Save to file" entry.
Then fill in the identification information (Country, State or Province,
etc).
The click on "Create" to generate the certificate files.
Encrypting the Private Key: It is a very good idea to encrypt the
Private Key that goes in the "vnccert.pem". The downside is that
whenever that key is used (e.g. starting up x11vnc using it) then
the passphrase will need to be created. If you do not encrypt it and
somebody steals a copy of the "vnccert.pem" file then they can pretend
to be you.
After you have created the certificate files, you must copy and import
either "vnccert.pem" or "vnccert.pem" to the remote VNC Server and
also select the other file in the "SSL Certificates" dialog.
See the description above.
For more information see:
http://www.karlrunge.com/x11vnc/ssl.html
http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-int
The first one describes how to use x11vnc to create Certificate
Authority (CA) certificates in addition to Self-Signed ones.
Tip: if you choose the "Common Name" to be the internet hostname
(e.g. gateway.mydomain.com) that connections will be made to or
from that will avoid many dialogs when connecting mentioning that
the hostname does not match the Common Name.
因此,我已按照选项 1 的步骤进行操作,即向 VNC 服务器验证 VNC 查看器。
使用命令启动服务器
- x11vnc -display :0 -sslverify ~/vnccert2.crt -ssl SAVE
客户端:
在 MyCert 字段中将客户端系统中生成的 pem 文件的路径提供给
查看器(vnccert2.pem 文件)单击连接并选择使用 SSL 选项
将从远程服务器收到的证书保存到 Accepted Certs 目录
服务器上的日志如下
16/07/2018 16:28:34 SSL: accept_openssl(OPENSSL_VNC)
16/07/2018 16:28:34 SSL: spawning helper process to handle: 10.221.49.127:56668
16/07/2018 16:28:34 SSL: helper for peerport 56668 is pid 17094:
16/07/2018 16:28:34 connect_tcp: trying: 127.0.0.1 20000
16/07/2018 16:28:34 check_vnc_tls_mode: waited: 0.000008 / 1.40 input: SSL Handshake
16/07/2018 16:28:34 SSL: ssl_init[17094]: 12/12 initialization timeout: 20 secs.
16/07/2018 16:28:34 SSL: ssl_helper[17094]: SSL_accept() *FATAL: -1 SSL FAILED
16/07/2018 16:28:34 SSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
16/07/2018 16:28:34 SSL: ssl_helper[17094]: Proto: TLSv1
16/07/2018 16:28:34 SSL: ssl_helper[17094]: exit case 2 (ssl_init failed)
16/07/2018 16:28:34 SSL: accept_openssl: cookie from ssl_helper[17094] FAILED. 0
16/07/2018 16:28:39 SSL: accept_openssl(OPENSSL_VNC)
16/07/2018 16:28:39 SSL: spawning helper process to handle: 10.221.49.127:56670
16/07/2018 16:28:39 SSL: helper for peerport 56670 is pid 17095:
16/07/2018 16:28:39 connect_tcp: trying: 127.0.0.1 20000
16/07/2018 16:28:39 check_vnc_tls_mode: waited: 0.000013 / 1.40 input: SSL Handshake
16/07/2018 16:28:39 SSL: ssl_init[17095]: 12/12 initialization timeout: 20 secs.
16/07/2018 16:28:39 SSL: ssl_helper[17095]: SSL_accept() *FATAL: -1 SSL FAILED
16/07/2018 16:28:39 SSL: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
16/07/2018 16:28:39 SSL: ssl_helper[17095]: Proto: nosession
16/07/2018 16:28:39 SSL: ssl_helper[17095]: exit case 2 (ssl_init failed)
16/07/2018 16:28:39 SSL: accept_openssl: cookie from ssl_helper[17095] FAILED. 0
我不确定我哪里出错了,因为客户端的证书存在,但服务器仍然抛出消息 “ssl3_get_client_certificate:peer没有返回证书”,此后它又抛出另一个错误“ssl3_get_client_hello:错误的版本号”