> "hostname 10.x.x.13 does not match any certificate. do you want to
> continue?" Doesn't it mean my security is weaker, or is it just a
> warning of some kind which I can ignore?

AFAIK the certificate sent by the VNC server is self-signed; your
tigervnc client will hence complain, as the certificate presented by the
server was not signed by a recognized authority.

This doesn't make the encryption less effective, but the mechanism
doesn't validate you're actually connecting to the right machine¹.  If
you're tunneling through SSH you can be confident your client talks to
the right server² and can safely ignore the warning.

To get rid of the unmatching certificate warning, you have choices:

        - Override the self-signed certificates with your own certificates
          (Info on http://comments.gmane.org/gmane.linux.pve.devel/464 might
          be useful, as well as other search engine results);

        - Trust the CA stored in /etc/pve/pve-root-ca.pem and make sure your
          domain name matches (an option to tigervnc lets you specify a CA
          certificate).


1) And the tigervnc client interface — at least my 1.2.0 version — does
not show you anything about the certificate it receives, even in
extra-verbose mode, so you cannot manually verify the match.

2) Of course you *do* verify the SSH server fingerprint when you
connect? :)



-- 
 --====|====--
    --------================|================--------
        Patrice Levesque
         http://ptaff.ca/
        [email protected]
    --------================|================--------
 --====|====--
--


_______________________________________________
pve-user mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
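
The name check behind the warning discussed in the message above, as an added example that is not part of the original post and is not tigervnc's own code. It applies the usual TLS matching rules to a dict shaped like Python's `ssl.SSLSocket.getpeercert()` output. The function names, the host name `pve1.example.lan` and the address `192.0.2.13` are constructed for illustration.

```python
import ipaddress

def dns_match(pattern, host):
    """Compare one certificate DNS name with the dialed host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label, and only
        # under at least two fixed labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, target):
    """cert: dict shaped like getpeercert(); target: what the user typed."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only compared with iPAddress SAN entries,
        # never with DNS names or the subject CN.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "iPAddress SAN"
        return False, "no iPAddress SAN for " + target
    names = [value for kind, value in sans if kind == "DNS"]
    source = "dNSName SAN"
    if not names:
        # Legacy fallback: use the subject CN only when no DNS SAN exists.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
        source = "subject CN"
    if any(dns_match(n, target) for n in names):
        return True, source
    return False, "no name matches " + target

# Constructed sample: a certificate issued for a DNS name only.
SAMPLE_CERT = {
    "subject": ((("commonName", "pve1.example.lan"),),),
    "subjectAltName": (("DNS", "pve1.example.lan"),),
}

if __name__ == "__main__":
    for target in ("192.0.2.13", "pve1.example.lan"):  # constructed targets
        print(target, cert_matches(SAMPLE_CERT, target))
```

Connecting by IP address fails the check even when the issuing CA is trusted, because the sample certificate carries no iPAddress entry; connecting by the DNS name it was issued for passes.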
