Bug 391645 - Latest KRDC does not support TLSv1.2 over VNC
Status: REPORTED
Alias: None
Product: krdc
Classification: Applications
Component: VNC (other bugs)
Version First Reported In: 17.12
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: Urs Wolfer
Reported: 2018-03-10 02:50 UTC by Dan
Modified: 2019-01-30 16:19 UTC

Description Dan 2018-03-10 02:50:42 UTC
I get the following error when connecting from KRDC to a VNC server running x11vnc version 0.9.15:

09/03/2018 21:34:14 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:34:14 SSL: spawning helper process to handle: 192.168.1.2:37090
09/03/2018 21:34:14 SSL: helper for peerport 37090 is pid 21700: 
09/03/2018 21:34:14 connect_tcp: trying:   127.0.0.1 20000
09/03/2018 21:34:16 check_vnc_tls_mode: waited: 1.411325 / 1.40 input: (future) RFB Handshake
09/03/2018 21:34:16 check_vnc_tls_mode: version: 3.8
09/03/2018 21:34:16 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:34:16 vencrypt: received 0.2 client version.
09/03/2018 21:34:16 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:34:16 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:34:16 WARNING: Anonymous Diffie-Hellman uses encryption but is
09/03/2018 21:34:16 WARNING: susceptible to a Man-In-The-Middle attack.
09/03/2018 21:34:16 loaded Diffie Hellman 1024 bits, 0.000s
09/03/2018 21:34:16 SSL: ssl_init[21700]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:34:16 SSL: ssl_helper[21700]: SSL_accept() *FATAL: -1 SSL FAILED
09/03/2018 21:34:16 SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
09/03/2018 21:34:16 SSL: ssl_helper[21700]: Proto: unknown
09/03/2018 21:34:16 SSL: ssl_helper[21700]: exit case 2 (ssl_init failed)
09/03/2018 21:34:16 SSL: accept_openssl: cookie from ssl_helper[21700] FAILED. 0



If I downgrade x11vnc to 0.9.13, it connects successfully over TLSv1:

09/03/2018 21:33:01 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:33:01 accept_openssl: using socketpair: 12 13
09/03/2018 21:33:01 SSL: spawning helper process to handle: 192.168.1.2:37088
09/03/2018 21:33:01 SSL: helper for peerport 37088 is pid 20674: 
09/03/2018 21:33:02 check_vnc_tls_mode: waited: 1.411589 / 1.40 input: (future) RFB Handshake
09/03/2018 21:33:02 check_vnc_tls_mode: version: 3.8
09/03/2018 21:33:02 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:33:02 vencrypt: received 0.2 client version.
09/03/2018 21:33:02 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:33:02 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:33:02 WARNING: Anonymous Diffie-Hellman uses encryption but is
09/03/2018 21:33:02 WARNING: susceptible to a Man-In-The-Middle attack.
09/03/2018 21:33:02 loaded Diffie Hellman 1024 bits, 0.000s
09/03/2018 21:33:02 SSL: ssl_init[20674]: 11/11 initialization timeout: 20 secs.
09/03/2018 21:33:03 SSL: ssl_helper[20674]: SSL_accept() succeeded for: 192.168.1.2:37088
09/03/2018 21:33:03 SSL: ssl_helper[20674]: Cipher: TLSv1/SSLv3 ADH-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:33:03 SSL: ssl_helper[20674]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:33:03 SSL: VENCRYPT mode=258 accepted. helper[20674]
09/03/2018 21:33:03 SSL: handshake with helper process[20674] succeeded.



The problem only occurs with KRDC. Here's gvncviewer connecting to version 0.9.15 (it connects successfully over TLSv1.2):

09/03/2018 21:36:29 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:36:29 SSL: spawning helper process to handle: 192.168.1.2:37104
09/03/2018 21:36:29 SSL: helper for peerport 37104 is pid 23614: 
09/03/2018 21:36:29 connect_tcp: trying:   127.0.0.1 20000
09/03/2018 21:36:30 check_vnc_tls_mode: waited: 1.410971 / 1.40 input: (future) RFB Handshake
09/03/2018 21:36:30 check_vnc_tls_mode: version: 3.8
09/03/2018 21:36:30 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:36:30 vencrypt: received 0.2 client version.
09/03/2018 21:36:31 vencrypt: client selected sub-type: 261 (rfbVencryptX509Vnc)
09/03/2018 21:36:31 SSL: ssl_init[23614]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:36:31 SSL: ssl_helper[23614]: SSL_accept() succeeded for: 192.168.1.2:37104
09/03/2018 21:36:31 SSL: ssl_helper[23614]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:36:31 SSL: ssl_helper[23614]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:36:31 SSL: VENCRYPT mode=261 accepted. helper[23614]
09/03/2018 21:36:31 SSL: handshake with helper process[23614] succeeded.



And s_client connects fine to 0.9.15 as well:

09/03/2018 21:34:49 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:34:49 SSL: spawning helper process to handle: 192.168.1.2:37094
09/03/2018 21:34:49 SSL: helper for peerport 37094 is pid 22159: 
09/03/2018 21:34:49 connect_tcp: trying:   127.0.0.1 20000
09/03/2018 21:34:49 check_vnc_tls_mode: waited: 0.000019 / 1.40 input: SSL Handshake
09/03/2018 21:34:49 SSL: ssl_init[22159]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:34:49 SSL: ssl_helper[22159]: SSL_accept() succeeded for: 192.168.1.2:37094
09/03/2018 21:34:49 SSL: ssl_helper[22159]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:34:49 SSL: ssl_helper[22159]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:34:49 SSL: handshake with helper process[22159] succeeded.


It appears x11vnc removed support for TLSv1 in version 0.9.14. I am using KRDC version 17.12.3 through the Arch Linux repositories.
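
Added example (not part of the bug report and not code from x11vnc or KRDC): the logs above differ in the VeNCrypt sub-type the client selected and in how the TLS handshake ended, so this Python script splits an x11vnc log into connection attempts and lists the accepted sessions that used an anonymous key exchange, the mode x11vnc itself warns is susceptible to a Man-In-The-Middle attack. The sample lines are abridged from the report; the function and field names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the x11vnc logs quoted in this report.
SAMPLE_LOG = """\
09/03/2018 21:34:14 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:34:14 SSL: spawning helper process to handle: 192.168.1.2:37090
09/03/2018 21:34:16 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:34:16 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:34:16 SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
09/03/2018 21:33:01 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:33:01 SSL: spawning helper process to handle: 192.168.1.2:37088
09/03/2018 21:33:02 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:33:02 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:33:03 SSL: ssl_helper[20674]: SSL_accept() succeeded for: 192.168.1.2:37088
09/03/2018 21:33:03 SSL: ssl_helper[20674]: Cipher: TLSv1/SSLv3 ADH-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:36:29 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:36:29 SSL: spawning helper process to handle: 192.168.1.2:37104
09/03/2018 21:36:31 vencrypt: client selected sub-type: 261 (rfbVencryptX509Vnc)
09/03/2018 21:36:31 SSL: ssl_helper[23614]: SSL_accept() succeeded for: 192.168.1.2:37104
09/03/2018 21:36:31 SSL: ssl_helper[23614]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
"""

FIELDS = {  # one capture group per field, matched against every log line
    "peer": re.compile(r"spawning helper process to handle: (\S+)"),
    "subtype": re.compile(r"client selected sub-type: \d+ \((\w+)\)"),
    "proto": re.compile(r"Cipher: (\S+) \S+ Proto"),
    "cipher": re.compile(r"Cipher: \S+ (\S+) Proto"),
    "error": re.compile(r"SSL: error:\w+:[^:]*:[^:]*:(.+)$"),
}

def summarize(log):  # hypothetical helper: one dict per accept_openssl() attempt
    sessions = []
    for line in log.splitlines():
        if "accept_openssl(" in line:  # first line x11vnc logs for each attempt
            sessions.append({"anonymous": False, "accepted": False})
        elif sessions:
            s = sessions[-1]
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    s[key] = m.group(1)
            s["anonymous"] |= "Anonymous Diffie-Hellman" in line
            s["accepted"] |= "SSL_accept() succeeded" in line
    return sessions

def unauthenticated(sessions):  # accepted sessions with no server authentication
    return [s for s in sessions if s["accepted"] and (s["anonymous"]
            or s.get("cipher", "").startswith(("ADH-", "AECDH-")))]

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```
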
Comment 1 Thorsten Oppels 2018-05-04 10:12:30 UTC
I try to connect to an SLES12 via KRDC, but get the message: "VNC-Authentifizierungstyp wird nicht unterstützt."

When I start KRDC via the CLI, I see the lines:

> krdc 
KRDC: 808 635
KRDC: 800 600
KRDC: credential request failed, unspported credentialType: 1
KRDC: "VNC-Authentifizierungstyp wird nicht unterstützt."
KRDC: about to quit
KRDC: rfbInitClient failed
KRDC: Quit VNC thread success: true
Comment 2 Dan 2019-01-30 16:19:59 UTC
This issue is still present. Here's a log from KRDC 18.12.1 and x11vnc 0.9.16:


30/01/2019 11:13:31 SSL: accept_openssl(OPENSSL_VNC)
30/01/2019 11:13:31 SSL: spawning helper process to handle: 10.4.1.2:54308
30/01/2019 11:13:31 SSL: helper for peerport 54308 is pid 24211: 
30/01/2019 11:13:31 connect_tcp: trying:   127.0.0.1 20000
30/01/2019 11:13:33 check_vnc_tls_mode: waited: 1.412067 / 1.40 input: (future) RFB Handshake
30/01/2019 11:13:33 check_vnc_tls_mode: version: 3.8
30/01/2019 11:13:33 check_vnc_tls_mode: reply: 19 (VeNCrypt)
30/01/2019 11:13:33 vencrypt: received 0.2 client version.
30/01/2019 11:13:33 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
30/01/2019 11:13:33 Using Anonymous Diffie-Hellman mode.
30/01/2019 11:13:33 WARNING: Anonymous Diffie-Hellman uses encryption but is
30/01/2019 11:13:33 WARNING: susceptible to a Man-In-The-Middle attack.
30/01/2019 11:13:33 loaded Diffie Hellman 1024 bits, 0.000s
30/01/2019 11:13:33 SSL: ssl_init[24211]: 10/10 initialization timeout: 20 secs.
30/01/2019 11:13:33 SSL: ssl_helper[24211]: SSL_accept() *FATAL: -1 SSL FAILED
30/01/2019 11:13:33 SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
30/01/2019 11:13:33 SSL: ssl_helper[24211]: Proto: unknown
30/01/2019 11:13:33 SSL: ssl_helper[24211]: exit case 2 (ssl_init failed)
30/01/2019 11:13:33 SSL: accept_openssl: cookie from ssl_helper[24211] FAILED. 0


The connection works fine with x11vnc 0.9.13 which supports TLSv1.0.