https://bugs.kde.org/show_bug.cgi?id=391645
Bug ID: 391645
Summary: Latest KRDC does not support TLSv1.2 over VNC
Product: krdc
Version: 17.12
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: VNC
Assignee: uwol...@kde.org
Reporter: dan...@mail.com
Target Milestone: ---

I get the following error when connecting from KRDC to a VNC server running x11vnc version 0.9.15:

09/03/2018 21:34:14 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:34:14 SSL: spawning helper process to handle: 192.168.1.2:37090
09/03/2018 21:34:14 SSL: helper for peerport 37090 is pid 21700:
09/03/2018 21:34:14 connect_tcp: trying: 127.0.0.1 20000
09/03/2018 21:34:16 check_vnc_tls_mode: waited: 1.411325 / 1.40 input: (future) RFB Handshake
09/03/2018 21:34:16 check_vnc_tls_mode: version: 3.8
09/03/2018 21:34:16 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:34:16 vencrypt: received 0.2 client version.
09/03/2018 21:34:16 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:34:16 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:34:16 WARNING: Anonymous Diffie-Hellman uses encryption but is
09/03/2018 21:34:16 WARNING: susceptible to a Man-In-The-Middle attack.
09/03/2018 21:34:16 loaded Diffie Hellman 1024 bits, 0.000s
09/03/2018 21:34:16 SSL: ssl_init[21700]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:34:16 SSL: ssl_helper[21700]: SSL_accept() *FATAL: -1 SSL FAILED
09/03/2018 21:34:16 SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
09/03/2018 21:34:16 SSL: ssl_helper[21700]: Proto: unknown
09/03/2018 21:34:16 SSL: ssl_helper[21700]: exit case 2 (ssl_init failed)
09/03/2018 21:34:16 SSL: accept_openssl: cookie from ssl_helper[21700] FAILED. 0

If I downgrade x11vnc to 0.9.13, it connects successfully over TLSv1:

09/03/2018 21:33:01 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:33:01 accept_openssl: using socketpair: 12 13
09/03/2018 21:33:01 SSL: spawning helper process to handle: 192.168.1.2:37088
09/03/2018 21:33:01 SSL: helper for peerport 37088 is pid 20674:
09/03/2018 21:33:02 check_vnc_tls_mode: waited: 1.411589 / 1.40 input: (future) RFB Handshake
09/03/2018 21:33:02 check_vnc_tls_mode: version: 3.8
09/03/2018 21:33:02 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:33:02 vencrypt: received 0.2 client version.
09/03/2018 21:33:02 vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
09/03/2018 21:33:02 Using Anonymous Diffie-Hellman mode.
09/03/2018 21:33:02 WARNING: Anonymous Diffie-Hellman uses encryption but is
09/03/2018 21:33:02 WARNING: susceptible to a Man-In-The-Middle attack.
09/03/2018 21:33:02 loaded Diffie Hellman 1024 bits, 0.000s
09/03/2018 21:33:02 SSL: ssl_init[20674]: 11/11 initialization timeout: 20 secs.
09/03/2018 21:33:03 SSL: ssl_helper[20674]: SSL_accept() succeeded for: 192.168.1.2:37088
09/03/2018 21:33:03 SSL: ssl_helper[20674]: Cipher: TLSv1/SSLv3 ADH-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:33:03 SSL: ssl_helper[20674]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:33:03 SSL: VENCRYPT mode=258 accepted. helper[20674]
09/03/2018 21:33:03 SSL: handshake with helper process[20674] succeeded.

The problem only occurs with KRDC.
Here's gvncviewer connecting to version 0.9.15 (it connects successfully over TLSv1.2):

09/03/2018 21:36:29 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:36:29 SSL: spawning helper process to handle: 192.168.1.2:37104
09/03/2018 21:36:29 SSL: helper for peerport 37104 is pid 23614:
09/03/2018 21:36:29 connect_tcp: trying: 127.0.0.1 20000
09/03/2018 21:36:30 check_vnc_tls_mode: waited: 1.410971 / 1.40 input: (future) RFB Handshake
09/03/2018 21:36:30 check_vnc_tls_mode: version: 3.8
09/03/2018 21:36:30 check_vnc_tls_mode: reply: 19 (VeNCrypt)
09/03/2018 21:36:30 vencrypt: received 0.2 client version.
09/03/2018 21:36:31 vencrypt: client selected sub-type: 261 (rfbVencryptX509Vnc)
09/03/2018 21:36:31 SSL: ssl_init[23614]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:36:31 SSL: ssl_helper[23614]: SSL_accept() succeeded for: 192.168.1.2:37104
09/03/2018 21:36:31 SSL: ssl_helper[23614]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:36:31 SSL: ssl_helper[23614]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:36:31 SSL: VENCRYPT mode=261 accepted. helper[23614]
09/03/2018 21:36:31 SSL: handshake with helper process[23614] succeeded.

And s_client connects fine to 0.9.15 as well:

09/03/2018 21:34:49 SSL: accept_openssl(OPENSSL_VNC)
09/03/2018 21:34:49 SSL: spawning helper process to handle: 192.168.1.2:37094
09/03/2018 21:34:49 SSL: helper for peerport 37094 is pid 22159:
09/03/2018 21:34:49 connect_tcp: trying: 127.0.0.1 20000
09/03/2018 21:34:49 check_vnc_tls_mode: waited: 0.000019 / 1.40 input: SSL Handshake
09/03/2018 21:34:49 SSL: ssl_init[22159]: 10/10 initialization timeout: 20 secs.
09/03/2018 21:34:49 SSL: ssl_helper[22159]: SSL_accept() succeeded for: 192.168.1.2:37094
09/03/2018 21:34:49 SSL: ssl_helper[22159]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
09/03/2018 21:34:49 SSL: ssl_helper[22159]: accepted client 192.168.1.2 x509 peer cert is null
09/03/2018 21:34:49 SSL: handshake with helper process[22159] succeeded.

It appears x11vnc removed support for TLSv1 in version 0.9.14.

I am using KRDC version 17.12.3 through the Arch Linux repositories.
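
Added example, not part of the original report and not x11vnc or KRDC code: a small Python summarizer for x11vnc logs like the ones above, reporting per connection the VeNCrypt sub-type the client selected, whether anonymous Diffie-Hellman was used, and the negotiated cipher or the OpenSSL failure reason. The function name summarize and the session-splitting rule (a new session at each accept_openssl(OPENSSL_VNC) line) are assumptions of this example.

```python
import re

# Log lines taken from the report above (timestamps dropped): the KRDC
# failure and the gvncviewer success, both against x11vnc 0.9.15.
SAMPLE_LOG = """\
SSL: accept_openssl(OPENSSL_VNC)
SSL: spawning helper process to handle: 192.168.1.2:37090
vencrypt: client selected sub-type: 258 (rfbVencryptTlsVnc)
Using Anonymous Diffie-Hellman mode.
SSL: ssl_helper[21700]: SSL_accept() *FATAL: -1 SSL FAILED
SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
SSL: accept_openssl(OPENSSL_VNC)
SSL: spawning helper process to handle: 192.168.1.2:37104
vencrypt: client selected sub-type: 261 (rfbVencryptX509Vnc)
SSL: ssl_helper[23614]: SSL_accept() succeeded for: 192.168.1.2:37104
SSL: ssl_helper[23614]: Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 Proto: unknown
"""

PATTERNS = {
    "peer": re.compile(r"spawning helper process to handle: (\S+)"),
    "subtype": re.compile(r"client selected sub-type: (\d+ \(\w+\))"),
    "cipher": re.compile(r"Cipher: (\S+) (\S+)"),
    "error": re.compile(r"SSL: error:[0-9A-F]+:[^:]*:[^:]*:(.+)$"),
}

def summarize(log_text):
    """Split the log into sessions at each accept_openssl(OPENSSL_VNC) line
    and return one dict per session (works with or without timestamps)."""
    sessions = []
    for line in log_text.splitlines():
        if "accept_openssl(OPENSSL_VNC)" in line:
            sessions.append(dict(peer=None, subtype=None, protocol=None,
                                 cipher=None, error=None, anonymous_dh=False, ok=False))
            continue
        if not sessions:
            continue  # ignore anything before the first connection
        cur = sessions[-1]
        if "Anonymous Diffie-Hellman mode" in line:
            cur["anonymous_dh"] = True  # unauthenticated key exchange, as the log warns
        if "SSL_accept() succeeded" in line:
            cur["ok"] = True
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key == "cipher":
                cur["protocol"], cur["cipher"] = m.groups()
            elif m:
                cur[key] = m.group(1)
    return sessions
```

Run over the full logs, this makes the difference between the clients visible at a glance: KRDC selects sub-type 258 with anonymous DH, while gvncviewer selects 261 and negotiates an ECDHE-RSA suite.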