From d538e4e28148c967d00310f3eca1a648916b771e Mon Sep 17 00:00:00 2001 From: runge Date: Mon, 12 May 2008 01:04:40 +0000 Subject: [PATCH] x11vnc: SSL fixes. Increase cert lifetimes to 2 years. Print ssl err msg. --- x11vnc/README | 14 +++++++------- x11vnc/help.c | 4 ++-- x11vnc/selection.c | 2 -- x11vnc/sslhelper.c | 19 ++++++++++++++++++- x11vnc/ssltools.h | 13 ++++++++++--- x11vnc/x11vnc.1 | 6 +++--- x11vnc/x11vnc_defs.c | 2 +- 7 files changed, 41 insertions(+), 19 deletions(-) diff --git a/x11vnc/README b/x11vnc/README index 7756f0b..54929f8 100644 --- a/x11vnc/README +++ b/x11vnc/README @@ -1,5 +1,5 @@ -x11vnc README file Date: Wed May 7 20:58:51 EDT 2008 +x11vnc README file Date: Sat May 10 12:54:59 EDT 2008 The following information is taken from these URLs: @@ -10341,8 +10341,8 @@ blah,blah... brief, run something like "x11vnc -sslGenCert server self:apache" then copy the resulting self:apache.crt file to conf/ssl.crt/server.crt and extract the private key part from self:apache.pem and paste it into - conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 730' - before running x11vnc will bump up the expiration date (2 years in + conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 1095' + before running x11vnc will bump up the expiration date (3 years in this case). Or you can use the standard methods described in the [27]Apache @@ -12039,7 +12039,7 @@ x11vnc: a VNC server for real X displays Here are all of x11vnc command line options: % x11vnc -opts (see below for -help long descriptions) -x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-07 +x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-10 x11vnc options: -display disp -auth file -N 
@@ -12158,7 +12158,7 @@ libvncserver-tight-extension options: % x11vnc -help -x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-07 +x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-10 (type "x11vnc -opts" to just list the options.) @@ -13709,8 +13709,8 @@ e If you set the env. var REQ_ARGS='...' it will be passed to openssl req(1). A common use would be - REQ_ARGS='-days 730' to bump up the expiration date - (2 years in this case). + REQ_ARGS='-days 1095' to bump up the expiration date + (3 years in this case). -sslEncKey [pem] Utility to encrypt an existing PEM file with a passphrase you supply when prompted. For that key to be diff --git a/x11vnc/help.c b/x11vnc/help.c index e135d16..ba744ee 100644 --- a/x11vnc/help.c +++ b/x11vnc/help.c @@ -1575,8 +1575,8 @@ void print_help(int mode) { "\n" " If you set the env. var REQ_ARGS='...' it will be\n" " passed to openssl req(1). A common use would be\n" -" REQ_ARGS='-days 730' to bump up the expiration date\n" -" (2 years in this case).\n" +" REQ_ARGS='-days 1095' to bump up the expiration date\n" +" (3 years in this case).\n" "\n" "-sslEncKey [pem] Utility to encrypt an existing PEM file with a\n" " passphrase you supply when prompted. For that key to be\n" diff --git a/x11vnc/selection.c b/x11vnc/selection.c index 373253b..ea56a5a 100644 --- a/x11vnc/selection.c +++ b/x11vnc/selection.c @@ -133,8 +133,6 @@ void selection_request(XEvent *ev, char *type) { targets[0] = (Atom) xa_targets; targets[1] = (Atom) XA_STRING; - data = (unsigned char *)str; - ret = XChangeProperty(ev->xselectionrequest.display, ev->xselectionrequest.requestor, ev->xselectionrequest.property, diff --git a/x11vnc/sslhelper.c b/x11vnc/sslhelper.c index a7466b2..2739e5c 100644 --- a/x11vnc/sslhelper.c +++ b/x11vnc/sslhelper.c 
@@ -2130,8 +2130,16 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 return 0;
 } else if (rc < 0) {
+ unsigned long err;
+ int cnt = 0;
- rfbLog("SSL: ssl_helper[%d]: SSL_accept() *FATAL: %d\n", getpid(), rc);
+ rfbLog("SSL: ssl_helper[%d]: SSL_accept() *FATAL: %d SSL FAILED\n", getpid(), rc);
+ while ((err = ERR_get_error()) != 0) {
+ rfbLog("SSL: %s\n", ERR_error_string(err, NULL));
+ if (cnt++ > 100) {
+ break;
+ }
+ }
 return 0;
 } else if (dnow() > start + 3.0) {
@@ -2174,9 +2182,18 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 }
 } else {
 rfbLog("SSL: ssl_helper[%d]: accepted client %s x509 cert is:\n", getpid(), name);
+#if LIBVNCSERVER_HAVE_X509_PRINT_EX_FP
 X509_print_ex_fp(stderr, x, 0, XN_FLAG_MULTILINE);
+#endif
 if (cr != NULL) {
+#if LIBVNCSERVER_HAVE_X509_PRINT_EX_FP
 X509_print_ex_fp(cr, x, 0, XN_FLAG_MULTILINE);
+#else
+ rfbLog("** not compiled with libssl X509_print_ex_fp() function **\n");
+ if (users_list && strstr(users_list, "sslpeer=")) {
+ rfbLog("** -users sslpeer= will not work! **\n");
+ }
+#endif
 fclose(cr);
 }
 }
diff --git a/x11vnc/ssltools.h b/x11vnc/ssltools.h
index c056e97..c261af9 100644
--- a/x11vnc/ssltools.h
+++ b/x11vnc/ssltools.h
@@ -76,7 +76,7 @@ char genCA[] =
 "name_opt = ca_default # Subject Name options\n"
 "cert_opt = ca_default # Certificate field options\n"
 "\n"
-"default_days = 365 # how long to certify for\n"
+"default_days = 730 # how long to certify for\n"
 "default_crl_days= 30 # how long before next CRL\n"
 "default_md = md5 # which md to use.\n"
 "preserve = no # keep passed DN ordering\n"
@@ -333,6 +333,13 @@ char genCert[] =
 " echo \"Creating new x11vnc certificate and key for name: $type $name0\"\n"
 " echo \"\"\n"
 "\n"
+" req_args=$REQ_ARGS\n"
+" if echo \"$req_args\" | grep 'days' > /dev/null; then\n"
+" :\n"
+" else\n"
+" req_args=\"$req_args -days 730\"\n"
+" fi\n"
+"\n"
 " cnf=\"$DIR/tmp/cnf.$$\"\n"
 " trap \"rm -f \\\"$cnf\\\"\" 0 1 2 15\n"
 "\n"
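Review bot: In the added error-drain loop, `ERR_error_string(err, NULL)` formats into a static buffer shared by the whole process; the bounded, reentrant form is `ERR_error_string_n` into a local buffer, and it costs one line: `char buf[256];` alongside the `cnt` declaration, then `ERR_error_string_n(err, buf, sizeof buf);` and `rfbLog("SSL: %s\n", buf);` in place of the current rfbLog. The helper appears to run as a separate process (the log tags it with getpid()), so the static buffer is probably harmless today, but the local buffer removes the dependency on that assumption. If sslhelper.c does not already include `<openssl/err.h>`, the new ERR_get_error()/ERR_error_string() calls need it. The loop itself is sound: ERR_get_error() returns 0 once the queue is drained and the `cnt` cap bounds it. The enclosing function starts and ends outside this hunk.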
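Review bot: In the second sslhelper.c hunk, the `#else` branch only logs that `-users sslpeer=` "will not work" and then falls through to `fclose(cr)`, leaving the peer-cert dump file empty; whether the sslpeer= check that presumably reads that file then rejects the client or accepts it cannot be seen from this hunk and should be confirmed so the degraded build fails closed. A stronger fix is to refuse `-users sslpeer=` at startup when `LIBVNCSERVER_HAVE_X509_PRINT_EX_FP` is not set, rather than discovering it per connection in a log line, e.g. an `#if !LIBVNCSERVER_HAVE_X509_PRINT_EX_FP` check next to wherever users_list is parsed. A short comment above the `#else` such as `/* no cert dump is written; sslpeer= matching has nothing to compare against */` would make the consequence explicit for the next reader. The enclosing function starts and ends outside this hunk.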
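Review bot: In the genCA hunk of ssltools.h, the context line two below the changed one still reads `"default_md = md5 # which md to use.\n"`, so every certificate the generated CA issues is MD5-signed, and doubling `default_days` to 730 lengthens the window in which that digest choice matters. Changing it to `"default_md = sha1 # which md to use.\n"` (or sha256 where the installed openssl accepts it) is a one-line change in the same template and is worth folding into a commit titled "SSL fixes". This is a pre-existing line, not something the hunk introduces.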
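Review bot: In the genCert hunk of ssltools.h, `grep 'days'` matches the substring anywhere in REQ_ARGS, so a value such as a `-subj` containing the word "days" would suppress the default and openssl's own default lifetime would apply silently; anchoring on the option, `if echo \"$req_args\" | grep -e '-days' > /dev/null; then`, narrows it to the intended case. Note also that `openssl req` only honours `-days` together with `-x509`, so for the CSR branch (the `-out \"$DIR/$dest.req\"` path in the later hunk) the appended `-days 730` is inert and the lifetime comes from the CA config's default_days instead, which is presumably why both were bumped; a one-line comment in the template saying so would save the next reader from wondering. The two later hunks that substitute `$req_args` for `$REQ_ARGS` share this behaviour and need no separate change.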
@@ -343,7 +350,7 @@ char genCert[] =
 " direrror \"$DIR/CA/self.cnf.$type\"\n"
 " fi\n"
 " cat \"$DIR/CA/self.cnf.$type\" | sed -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
-" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 -x509 $REQ_ARGS \\\n"
+" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 -x509 $req_args \\\n"
 " -keyout \"$DIR/$dest.key\" \\\n"
 " -out \"$DIR/$dest.crt\"\n"
 " else\n"
@@ -351,7 +358,7 @@ char genCert[] =
 " direrror \"$DIR/CA/ssl.cnf.$type\"\n"
 " fi\n"
 " cat \"$DIR/CA/ssl.cnf.$type\" | sed -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
-" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 $REQ_ARGS \\\n"
+" \"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 $req_args \\\n"
 " -keyout \"$DIR/$dest.key\" \\\n"
 " -out \"$DIR/$dest.req\"\n"
 " fi\n"
diff --git a/x11vnc/x11vnc.1 b/x11vnc/x11vnc.1
index 0b571cb..71f679e 100644
--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
 .TH X11VNC "1" "May 2008" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
- version: 0.9.4, lastmod: 2008-05-07
+ version: 0.9.4, lastmod: 2008-05-10
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -1787,8 +1787,8 @@ If you set the env. var REQ_ARGS='...' it will be
 passed to openssl
 .IR req (1).
 A common use would be
-REQ_ARGS='-days 730' to bump up the expiration date
-(2 years in this case).
+REQ_ARGS='-days 1095' to bump up the expiration date
+(3 years in this case).
 .PP
 \fB-sslEncKey\fR \fI[pem]\fR
 .IP
diff --git a/x11vnc/x11vnc_defs.c b/x11vnc/x11vnc_defs.c
index 0bd42d9..fd8798b 100644
--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /* date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.4 lastmod: 2008-05-07";
+char lastmod[] = "0.9.4 lastmod: 2008-05-10";
 /* X display info */