Is it necessary to restrict the ciphers on the server end, or would it
be acceptable to simply enable ECDH ciphers in the server and restrict
them on the client end?

The basic problem is that the TurboVNC Server's OpenSSL wrapper doesn't
currently enable ECDH ciphers.  Enabling those ciphers is an easy
(probably one-liner) modification, but adding the Security Configuration
file parameter to restrict the ciphers would be more difficult (in part
because of the need to support both GnuTLS and OpenSSL.)

DRC

On 7/12/19 2:25 PM, Andy wrote:
> That would be awesome
> 
> Thanks!
> 
> On Friday, July 12, 2019 at 2:46:20 PM UTC-4, DRC wrote:
> 
>     I did some digging, and unfortunately there is no way to enable/disable
>     OpenSSL ciphers on a system-wide or per-user basis.  They have to be
>     configured on a per-application basis.  I will investigate adding a new
>     TurboVNC security configuration file property for this, as it seems
>     like something that would be generally useful.
> 
>     On 7/12/19 10:03 AM, Andy wrote:
>     > Hey so I have some strict requirements on what encryption ciphers
>     > we are allowed to use.
>     >
>     > Basically I need it to use
>     > either TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>     > or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384. 
>     >
>     > From the viewer side I'm able to restrict the ciphers available to
>     > it by modifying the java argument inside of the vncviewer script:
>     >  and adding on the options
>     > -Djava.security.properties=/opt/test/java.security.restictive
>     > -Djavax.net.debug=ssl
>     >
>     > Now I get an SSL Handshake error when I try to connect - I think it's
>     > because Xvnc doesn't support the 2 ciphers that I'm trying to use. 
>     >
>     > How would I go about enabling the two ciphers from the server (Xvnc)
>     > side? I'd prefer to not have to recompile, but I'm not afraid to.
>     >
>     >
>     > Thanks!
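
An added example, not part of the original thread and not TurboVNC code: per-application OpenSSL cipher restriction as discussed above, shown with Python's `ssl` module (an OpenSSL wrapper) standing in for the server's wrapper. The function names are hypothetical, and the OpenSSL names are the standard equivalents of the two IANA suite names in the thread.

```python
import ssl

# IANA suite names from the thread mapped to OpenSSL's names for the same suites.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
}


def restricted_server_context(iana_suites):
    """Build a server-side context that offers only the given TLS 1.2 suites."""
    names = [IANA_TO_OPENSSL[s] for s in iana_suites]  # KeyError on unmapped suite
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() does not touch TLS 1.3 suites, so cap the version as well.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(names))  # raises ssl.SSLError if none can be selected
    return ctx


def negotiable_suites(ctx):
    """OpenSSL names of the suites this context can actually negotiate."""
    tls13_possible = ctx.maximum_version in (
        ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)
    # get_ciphers() lists TLS 1.3 suites even when the version cap excludes them.
    return {c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" or tls13_possible}


def policy_violations(ctx, iana_suites):
    """Suites the context would accept that the policy does not allow."""
    allowed = {IANA_TO_OPENSSL[s] for s in iana_suites}
    return sorted(negotiable_suites(ctx) - allowed)


if __name__ == "__main__":
    policy = list(IANA_TO_OPENSSL)
    print("restricted:", policy_violations(restricted_server_context(policy), policy))
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default:   ", policy_violations(default, policy))
```

Both suites use ECDSA authentication, so a server restricted this way also needs an ECDSA certificate and key; with an RSA certificate the handshake fails even though the cipher list matches.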
