This directory contains a patched Java applet VNC viewer that is SSL
enabled.

The patches in the *.patch files are relative to the source tarball:

  tightvnc-1.3dev7_javasrc.tar.gz

currently (4/06) available here:

  http://prdownloads.sourceforge.net/vnc-tight/tightvnc-1.3dev7_javasrc.tar.gz?download

It also includes some simple patches to:

  - fix richcursor colors

  - make the Java Applet cursor (not the cursor drawn to the canvas
    framebuffer) invisible when it is inside the canvas.

  - allow Tab (and some other) keystrokes to be sent to the vnc
    server instead of doing widget traversal.


This SSL applet should work with any VNC viewer that has an SSL tunnel in
front of it. It has been tested on x11vnc and using the stunnel tunnel
to other VNC servers.

By default this Vnc Viewer will only do SSL. To do unencrypted traffic
see the "DisableSSL" applet parameter (e.g. set it to Yes in index.vnc).

Proxies: they are a general problem with java socket applets (a socket
connection does not go through the proxy). See the info in the proxy.vnc
file for a workaround. It uses SignedVncViewer.jar which is simply
a signed version of VncViewer.jar. The basic idea is the user clicks
"Yes" to trust the applet and then it can connect directly to the proxy
and issue a CONNECT request.

This applet has been tested on versions 1.4.2 and 1.5.0 of the Sun
Java plugin. It may not work on older releases or different vendor VM's.
Send full Java Console output for failures.

---------------------------------------------------------------
Tips:

When doing single-port proxy connections (e.g. both VNC and HTTPS
thru port 5900) it helps to move through the 'do you trust this site'
dialogs quickly. x11vnc has to wait to see if the traffic is VNC or
HTTP and this can cause timeouts if you don't move thru them quickly.

You may have to restart your browser completely if it gets into a
weird state. For one case we saw the JVM requesting VncViewer.class
even when no such file exists.


---------------------------------------------------------------
Extras:

ss_vncviewer (not Java):

    Wrapper script for native VNC viewer to connect to x11vnc in
    SSL mode. Script launches stunnel(8) and then connects to it
    via localhost which in turn is then redirected to x11vnc via an
    SSL tunnel. stunnel(8) must be installed and available in PATH.


Running Java SSL VncViewer from the command line:

    From this directory:

        java -cp ./VncViewer.jar VncViewer HOST <thehost> PORT <theport>

    substitute <thehost> and <theport> with the actual values.
    You can add any other parameters, e.g.: ignoreProxy yes

---------------------------------------------------------------
UltraVNC:

The UltraVNC java viewer has also been patched to support SSL. Various
bugs in the UltraVNC java viewer were also fixed. This viewer can be
useful because it supports UltraVNC filetransfer, and so it works on
Unix, etc.

    UltraViewerSSL.jar
    SignedUltraViewerSSL.jar
    ultra.vnc
    ultraproxy.vnc
    ultravnc-102-JavaViewer-ssl-etc.patch

---------------------------------------------------------------
Applet Parameters:

Some additional applet parameters can be set via the URL, e.g.

    http://host:5800/?param=value
    http://host:5800/ultra.vnc?param=value
    https://host:5900/ultra.vnc?param=value

etc. If running java from the command line as shown above, it comes
in as java ... VncViewer param value ...

There is a limitation with libvncserver that param and value can
only be alphanumeric, underscore, "+" (for space), or "."

We have added some applet parameters to the stock VNC java
viewers. Here are the applet parameters:

Both TightVNC and UltraVNC Java viewers:

    HOST
        string, default: none.
        The Hostname to connect to.

    PORT
        number, default: 0
        The VNC server port to connect to.

    Open New Window
        yes/no, default: no
        Run applet in separate frame.

    Show Controls
        yes/no, default: yes
        Show Controls button panel.

    Show Offline Desktop
        yes/no, default: no
        Do we continue showing desktop on remote disconnect?

    Defer screen updates
        number, default: 20
        Milliseconds delay

    Defer cursor updates
        number, default: 10
        Milliseconds delay

    Defer update requests
        number, default: 50
        Milliseconds delay

    PASSWORD
        string, default: none
        VNC session password in plain text.

    ENCPASSWORD
        string, default: none
        VNC session password encrypted in DES with KNOWN FIXED
        key. It is a hex string. This is like the ~/.vnc/passwd format.


    The following are added by x11vnc and/or ssvnc project

    VNCSERVERPORT
        number, default: 0
        Like PORT, but if there is a firewall this is the Actual VNC
        server port. PORT might be a redir port on the firewall.

    DisableSSL
        yes/no, default: no
        Do unencrypted connection, no SSL.

    httpsPort
        number, default: none
        When checking for proxy, use this as the url port number.

    CONNECT
        string, default: none
        Sets to host:port for the CONNECT line to a Web proxy.
        The Web proxy should connect us to it.

    GET
        yes/no, default: no
        Set to do a special HTTP GET (/request.https.vnc.connection)
        to the vnc server that will cause it to switch to VNC instead.
        This is to speed up, and make more robust, the single-port HTTPS
        and VNC mode of x11vnc (e.g. both services thru port 5900, etc)

    urlPrefix
        string, default: none
        set to a string that will be prefixed to all URL's when contacting
        the VNC server. Idea is a special proxy will use this to indicate
        internal hostname, etc.

    oneTimeKey
        string, default: none
        set a special hex "key" to correspond to an SSL X.509 cert+key.
        See the 'onetimekey' helper script. Can also be PROMPT to prompt
        the user to paste the hex key string in.

        This provides a Client-Side cert+key that the client will use to
        authenticate itself by SSL to the VNC Server.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc. E.g. if they log
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put oneTimeKey=... on the
        URL. The Vncviewer authenticates the VNC server with this key.

        Note that there is currently a problem in that if x11vnc requires
        Client Certificates the user cannot download the index.vnc HTML
        and VncViewer.jar from the same x11vnc. Those need to come from
        a different x11vnc or from a web server.

        Note that the HTTPS website can also put the VNC Password
        (e.g. a temporary/one-time one) in the parameter PASSWORD.
        The Java Applet will automatically supply this VNC password
        instead of prompting.

    serverCert
        string, default: none
        set a special hex "cert" to correspond to an SSL X.509 cert.
        See the 'onetimekey -certonly' helper script.

        This provides a Server-Side cert that the client will authenticate
        the VNC Server against by SSL.

        This is to try to work around the problem that the Java applet
        cannot keep an SSL keystore on disk, etc. E.g. if they log
        into an HTTPS website via password they are authenticated and
        encrypted, then the website can safely put serverCert=... on the
        URL.

        Of course the VNC Server is sending this string to the Java
        Applet, so this is only reasonable security if the VNC Viewer
        already trusts the HTTPS retrieval of the URL + serverCert param
        that it gets. This should be done over HTTPS not HTTP.

    proxyHost
        string, default: none
        Do not try to guess the proxy's hostname, use the value in
        proxyHost. Does not imply forceProxy (below.)

    proxyPort
        string, default: none
        Do not try to guess the proxy's port number, use the value in
        proxyPort. Does not imply forceProxy (below.)

    forceProxy
        yes/no, default: no
        Assume there is a proxy and force its use.

        If a string other than "yes" or "no" is given, it implies "yes"
        and uses the string for proxyHost and proxyPort (see above).
        In this case the string must be of the form "hostname+port".
        Note that it is "+" and not ":" before the port number.

    ignoreProxy
        yes/no, default: no
        Don't check for a proxy, assume there is none.

    trustAllVncCerts
        yes/no, default: no
        Automatically trust any cert received from the VNC server
        (obviously this could be dangerous and lead to a man-in-the-middle
        attack). Do not ask the user to verify any of these
        certs from the VNC server.

    trustUrlVncCert
        yes/no, default: no
        Automatically trust any cert that the web browser has accepted.
        E.g. the user said "Yes" or "Continue" to a web browser dialog
        regarding a certificate. If we get the same cert (chain) from
        the VNC server we trust it without prompting the user.

    debugCerts
        yes/no, default: no
        Print out every cert in the Server, TrustUrl, TrustAll chains.
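
The parameter rules above can be checked mechanically before a launch URL
is published. The following is an added example, not code from the x11vnc
or ssvnc projects: it audits a viewer URL against what this README states
(the libvncserver alphabet, DisableSSL, trustAllVncCerts, the hostname+port
form of forceProxy, and secrets sent over HTTP instead of HTTPS). The hosts
and values are constructed placeholders, and matching parameter names
case-insensitively is a choice made by the example.

```python
import re
from urllib.parse import urlsplit

# Alphabet the README gives for libvncserver params and values.
ALLOWED = re.compile(r"[A-Za-z0-9_+.]*")
# Parameters carrying a credential or trust anchor (names from the list above).
SECRETS = {"password", "encpassword", "onetimekey", "servercert"}

def parse_params(url):
    """Split the query by hand so that '+' and ':' stay literal."""
    query = urlsplit(url).query
    return [(n, v) for n, _, v in (p.partition("=") for p in query.split("&") if p)]

def audit_viewer_url(url):
    """Return the findings for one viewer launch URL."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    for name, value in parse_params(url):
        key, val = name.lower(), value.lower()  # match names case-insensitively
        if not (ALLOWED.fullmatch(name) and ALLOWED.fullmatch(value)):
            findings.append(f"{name}: characters outside [A-Za-z0-9_+.]")
        if key == "disablessl" and val == "yes":
            findings.append("DisableSSL=yes: VNC traffic is not encrypted")
        if key == "trustallvnccerts" and val == "yes":
            findings.append("trustAllVncCerts=yes: server cert is never verified")
        if key in SECRETS and scheme != "https":
            findings.append(f"{name}: secret or trust anchor sent over {scheme}")
        if key == "forceproxy" and val not in ("yes", "no"):
            host, plus, port = value.rpartition("+")
            if not (plus and host and port.isdigit()):
                findings.append("forceProxy: expected yes, no or hostname+port")
    return findings

# Constructed sample URLs; hosts and values are placeholders.
BAD_URL = ("http://vnc.example.test:5800/?PASSWORD=s3cret"
           "&trustAllVncCerts=yes&forceProxy=proxy.example.test:3128")
GOOD_URL = ("https://vnc.example.test:5900/ultra.vnc?serverCert=PLACEHOLDERHEX"
            "&forceProxy=proxy.example.test+3128")

if __name__ == "__main__":
    for url in (BAD_URL, GOOD_URL):
        print(url, audit_viewer_url(url) or "no findings", sep="\n  ")
```
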


TightVNC Java viewer only:

    Offer Relogin
        yes/no, default: yes
        "Offer Relogin" set to "No" disables "Login again"

    SocketFactory
        string, default: none
        set Java Socket class factory.

UltraVNC Java viewer only:

    None.

    The following are added by x11vnc and/or ssvnc project

    ftpDropDown
        string, default: none
        Sets the file transfer "drives" dropdown to the "." separated
        list. Use "+" for space. The default is

            My+Documents.Desktop.Home

        for 3 entries in the dropdown in addition to the "drives"
        (e.g. C:\) These items should be expanded properly by the VNC
        Server. x11vnc will prepend $HOME to them, which is normally
        what one wants. To include a "/" use "_2F_". Another example:

            Home.Desktop.bin_2F_linux

        If an item is prefixed with "TOP_" then the item is inserted at
        the top of the drop down rather than being appended to the end.
        E.g. to try to initially load the user homedir instead of /:

            TOP_Home.My+Documents.Desktop

        If ftpDropDown is set to the empty string, "", then no special
        locations, [Desktop] etc., are placed in the drop down. Only the
        ultravnc "drives" will appear.

    ftpOnly
        yes/no, default: no
        The VNC viewer only shows the filetransfer panel, no desktop
        is displayed.

    graftFtp
        yes/no, default: no
        As ftpOnly, the VNC viewer only shows the filetransfer panel,
        no desktop is displayed, however it is "grafted" onto an existing
        SSVNC unix vncviewer. The special SSVNC vncviewer merges the two
        channels.

    dsmActive
        yes/no, default: no
        Special usage mode with the SSVNC unix vncviewer. The UltraVNC
        DSM encryption is active. Foolishly, UltraVNC DSM encryption
        *MODIFIES* the VNC protocol when active (it is not a pure tunnel).
        This option indicates to modify the VNC protocol to make this work.
        Usually only used with graftFtp and SSVNC unix vncviewer.

    delayAuthPanel
        yes/no, default: no
        This is another special usage mode with the SSVNC unix vncviewer.
        A login panel is delayed (not shown at startup.) Could be useful
        for non SSVNC usage too.

    ignoreMSLogonCheck
        yes/no, default: no
        Similar to delayAuthPanel, do not put up a popup asking for
        Windows username, etc.

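
The ftpDropDown encoding described above ("." between items, "+" for
space, "_2F_" for "/", a "TOP_" prefix) written out as an encoder and
decoder. This is an added example based on this README's description,
not the viewer's own code; it rejects names the encoding cannot carry,
and keeping several TOP_ items in their listed order is an assumption
the README does not settle.

```python
import re

# After encoding, only letters, digits, "_", "+" (space) and "_2F_" ("/")
# fit the parameter alphabet; "." is taken as the item separator.
ENCODABLE = re.compile(r"[A-Za-z0-9_ /]+")

def decode_ftp_dropdown(value):
    """Split an ftpDropDown value into (top_items, appended_items)."""
    top, appended = [], []
    for item in value.split(".") if value else []:
        at_top = item.startswith("TOP_")
        if at_top:
            item = item[len("TOP_"):]
        path = item.replace("_2F_", "/").replace("+", " ")
        # Assumption: TOP_ items keep their listed order among themselves.
        (top if at_top else appended).append(path)
    return top, appended

def encode_ftp_dropdown(entries):
    """Build an ftpDropDown value from (path, at_top) pairs."""
    items = []
    for path, at_top in entries:
        if not ENCODABLE.fullmatch(path):
            raise ValueError(f"{path!r} cannot be expressed in ftpDropDown")
        item = ("TOP_" if at_top else "") + path.replace("/", "_2F_").replace(" ", "+")
        # Names such as "a_2F_b" or "TOP_x" would decode to something else.
        expected = ([path], []) if at_top else ([], [path])
        if decode_ftp_dropdown(item) != expected:
            raise ValueError(f"{path!r} would be ambiguous once encoded")
        items.append(item)
    return ".".join(items)

if __name__ == "__main__":
    value = encode_ftp_dropdown([("Home", True), ("My Documents", False),
                                 ("Desktop", False)])
    print(value, decode_ftp_dropdown(value))
```
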