STARTTLS for VNC encryption
dax "at" gurulabs.com
Fri Jun 21 07:46:02 2002
TLS is the successor to SSL. The beauty of STARTTLS protocol, is that it
uses the same TCP port and encryption is negotiated at connection
establishment. A VNC server could allow non-STARTTLS clients (eg, the
ones that exist right now) to connect as well as STARTTLS clients on the
I think that the addition of the STARTTLS protocol to VNC would offer a
significant improvement in the current security, especially in regards
to simplicity (versus the tunnel over SSL approach).
It appears that TridiaVNC Pro does this already. I think the free code
base should have it as well.
Code from OpenLDAP, which implements STARTTLS, could be examined or used
as an example.
Feature-wise, Xvnc should be able to:
- Optionally allow STARTTLS connections
- Optionally ONLY allow STARTTLS connections
- Define a minimum encryption strength (ala OpenLDAP's 'security
In order to keep things simple, CAs and PKI could be ignored entirely,
and simply do the whole "cache remote host public keys" like OpenSSH
The current recommendation for tunneling VNC over SSH rubs me as a big
ugly workaround. I have a VNC server setup where, connecting to the
machine via VNC displays a GDM/KDM/XDM login screen. Xvnc is launched
via Xinetd, and connects to the localhost display manager via XDMCP. In
this configuration, tunneling VNC over SSH is not possible.
I'm willing to work on coding support for STARTTLS, but was wondering if
anyone had already done this or had comments.