Thanks for the clarification and detailed answer. :)
On Fri, May 17, 2013 at 8:25 PM, Patrice Levesque <[email protected]> wrote:

> > "hostname 10.x.x.13 does not match any certificate. do you want to
> > continue?" doesn't it mean my security is weaker or it is just a
> > warning of some kind which i can ignore?
>
> AFAIK the certificate sent by the VNC server is self-signed; your
> tigervnc client will hence complain, as the certificate presented by the
> server was not signed by a recognized authority.
>
> This doesn't make the encryption less effective, but the mechanism
> doesn't validate you're actually connecting to the right machine¹. If
> you're tunneling through SSH you can be confident your client talks to
> the right server² and can safely ignore the warning.
>
> To get rid of the unmatching certificate warning, you have choices:
>
>   - Override the self-signed certificates with your own certificates
>     (Info on http://comments.gmane.org/gmane.linux.pve.devel/464 might
>     be useful as well as other search engines results);
>
>   - Trust the CA stored in /etc/pve/pve-root-ca.pem and make sure your
>     domain name matches (an option to tigervnc lets you specify a CA
>     certificate).
>
>
> 1) And the tigervnc client interface — at least my 1.2.0 version — does
>    not show you anything about the certificate it receives, even in
>    extra-verbose mode, so you cannot manually verify the match.
>
> 2) Of course you *do* verify the SSH server fingerprint when you
>    connect? :)
>
>
> --
>                     --====|====--
>         --------================|================--------
>                    Patrice Levesque
>                    http://ptaff.ca/
>                    [email protected]
>         --------================|================--------
>                     --====|====--
> --
>
> _______________________________________________
> pve-user mailing list
> [email protected]
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
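The two conditions named in the quoted reply (the client trusts the CA, and the name you connect to matches the certificate) can be checked with `openssl verify`. This is an added example, not part of the thread: the throwaway CA and server certificate are constructed stand-ins for /etc/pve/pve-root-ca.pem and the node's certificate, and `pve1.example.test`, `check_vnc_cert` and `make_demo_pki` are hypothetical names.

```shell
#!/bin/sh
# Added example: does <server.pem> chain to <ca.pem> AND match the name or
# IPv4 address the client connects to? Returns 0 only if both hold.
check_vnc_cert() {  # usage: check_vnc_cert <ca.pem> <server.pem> <name-or-ipv4>
    case "$3" in
        *[!0-9.]*) flag=-verify_hostname ;;  # contains a non-digit: DNS name
        *)         flag=-verify_ip ;;        # digits and dots only: IPv4
    esac
    openssl verify -CAfile "$1" "$flag" "$3" "$2" >/dev/null 2>&1
}

# Build a constructed one-day CA and a server certificate whose only
# subjectAltName is the DNS name given (no IP entry), inside <dir>.
make_demo_pki() {  # usage: make_demo_pki <dir> <dns-name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo PVE CA (constructed)" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/ext.cnf"
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/ext.cnf" \
        -out "$1/srv.pem" 2>/dev/null
}

# Demo run: the same certificate passes by name and fails by IP address,
# which is the situation behind a "does not match any certificate" prompt.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" pve1.example.test
for target in pve1.example.test 10.0.0.13; do
    if check_vnc_cert "$demo_dir/ca.pem" "$demo_dir/srv.pem" "$target"; then
        echo "$target: trusted CA and matching name"
    else
        echo "$target: verification failed"
    fi
done
rm -rf "$demo_dir"
```

Against a real node, pass a copy of its CA file and certificate to `check_vnc_cert` together with the exact name or address typed into the VNC client.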
