无法使用SSL

时间:2018-07-16 11:04:51

标签: ssl openssl vnc vnc-server tightvnc

我已经下载了增强型紧VNC查看器(http://www.karlrunge.com/x11vnc/ssvnc.html),并按照说明将本地计算机(运行Win 7)上的查看器连接到另一台运行x11vnc服务器的计算机上。

远程计算机正在运行ubuntu 16.04,并安装了x11vnc服务器(v0.9.13)。我可以不使用ssl选项连接到它,但是当我使用SSL时失败。

遵循的步骤

This dialog helps you to create a simple Self-Signed SSL certificate.  

    On Unix the openssl(1) program must be installed and in $PATH.
    On Windows, a copy of the openssl program is provided for convenience.

    The resulting certificate files can be used for either:

       1) authenticating yourself (VNC Viewer) to a VNC Server
    or 2) your verifying the identity of a remote VNC Server.

    In either case you will need to safely copy one of the generated key or
    certificate files to the remote VNC Server and have the VNC Server use
    it.  Or you could send it to the system administrator of the VNC Server.

    For the purpose of description, assume that the filename selected in the
    "Save to file" entry is "vnccert.pem".  That file will be generated
    by this process and so will the "vnccert.crt" file.  "vnccert.pem"
    contains both the Private Key and the Public Certificate.  "vnccert.crt"
    only contains the Public Certificate.

    For case 1) you would copy "vnccert.crt" to the VNC Server side and 
    instruct the server to use it.  For x11vnc it would be for example:

        x11vnc -sslverify /path/to/vnccert.crt -ssl SAVE ...

    (it is also possible to handle many client certs at once in a directory,
    see the -sslverify documentation).  Then you would use "vnccert.pem"
    as the MyCert entry in the SSL Certificates dialog.

    For case 2) you would copy "vnccert.pem" to the VNC Server side and 
    instruct the server to use it.  For x11vnc it would be for example:

        x11vnc -ssl /path/to/vnccert.pem

    Then you would use "vnccert.crt" as the as the ServerCert entry in the
    "SSL Certificates" dialog.


    Creating the Certificate:

    Choose a output filename (ending in .pem) in the "Save to file" entry.

    Then fill in the identification information (Country, State or Province,
    etc).

    The click on "Create" to generate the certificate files.

    Encrypting the Private Key:  It is a very good idea to encrypt the
    Private Key that goes in the "vnccert.pem".  The downside is that
    whenever that key is used (e.g. starting up x11vnc using it) then
    the passphrase will need to be created.  If you do not encrypt it and
    somebody steals a copy of the "vnccert.pem" file then they can pretend
    to be you.

    After you have created the certificate files, you must copy and import
    either "vnccert.pem" or "vnccert.pem" to the remote VNC Server and
    also select the other file in the "SSL Certificates" dialog.
    See the description above.

    For more information see:

           http://www.karlrunge.com/x11vnc/ssl.html
           http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-int

    The first one describes how to use x11vnc to create Certificate
    Authority (CA) certificates in addition to Self-Signed ones.


    Tip: if you choose the "Common Name" to be the internet hostname
    (e.g. gateway.mydomain.com) that connections will be made to or
    from that will avoid many dialogs when connecting mentioning that
    the hostname does not match the Common Name.

因此,我遵循了选项1的步骤,即,向VNC服务器验证VNC查看器。

使用命令启动服务器

  • x11vnc -display:0 -sslverify〜/ vnccert2.crt -ssl保存

客户端:

  • 提供了在客户端系统中生成的pem文件的路径到
    MyCert字段中的查看器(vnccert2.pem文件)

  • 单击“连接并选择使用使用SSL的选项”

将从远程服务器收到的证书保存到“接受的证书”目录中

服务器上的日志如下

16/07/2018 16:28:34 SSL: accept_openssl(OPENSSL_VNC)
16/07/2018 16:28:34 SSL: spawning helper process to handle: 10.221.49.127:56668
16/07/2018 16:28:34 SSL: helper for peerport 56668 is pid 17094:
16/07/2018 16:28:34 connect_tcp: trying:   127.0.0.1 20000
16/07/2018 16:28:34 check_vnc_tls_mode: waited: 0.000008 / 1.40 input: SSL Handshake
16/07/2018 16:28:34 SSL: ssl_init[17094]: 12/12 initialization timeout: 20 secs.
16/07/2018 16:28:34 SSL: ssl_helper[17094]: SSL_accept() *FATAL: -1 SSL FAILED
16/07/2018 16:28:34 SSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
16/07/2018 16:28:34 SSL: ssl_helper[17094]: Proto: TLSv1
16/07/2018 16:28:34 SSL: ssl_helper[17094]: exit case 2 (ssl_init failed)
16/07/2018 16:28:34 SSL: accept_openssl: cookie from ssl_helper[17094] FAILED. 0
16/07/2018 16:28:39 SSL: accept_openssl(OPENSSL_VNC)
16/07/2018 16:28:39 SSL: spawning helper process to handle: 10.221.49.127:56670
16/07/2018 16:28:39 SSL: helper for peerport 56670 is pid 17095:
16/07/2018 16:28:39 connect_tcp: trying:   127.0.0.1 20000
16/07/2018 16:28:39 check_vnc_tls_mode: waited: 0.000013 / 1.40 input: SSL Handshake
16/07/2018 16:28:39 SSL: ssl_init[17095]: 12/12 initialization timeout: 20 secs.
16/07/2018 16:28:39 SSL: ssl_helper[17095]: SSL_accept() *FATAL: -1 SSL FAILED
16/07/2018 16:28:39 SSL: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
16/07/2018 16:28:39 SSL: ssl_helper[17095]: Proto: nosession
16/07/2018 16:28:39 SSL: ssl_helper[17095]: exit case 2 (ssl_init failed)
16/07/2018 16:28:39 SSL: accept_openssl: cookie from ssl_helper[17095] FAILED. 0

我不确定我哪里出错了,因为客户端证书存在,但服务器仍然抛出该消息 “ ssl3_get_client_certificate:peer没有返回证书” ,此后它还会引发另一个错误“ ssl3_get_client_hello:错误的版本号”

1 个答案:

答案 0 :(得分:0)

您是否已检查两次尝试使用的端口? SSL连接可能需要其他端口。

此外,我在ServerFault网站上找到了这篇文章。接受的响应为:

  

Stunnel服务器具有= NO_SSLv3的选项,但是客户端正试图   使用SSLv3连接。您需要升级客户端以支持更新的客户端   版本的SSL或您需要将stunnel配置更改为   接受SSLv3。

相关问题
最新问题