I went ahead and implemented a new security configuration file directive
(permitted-cipher-suites), as well as a new Java TurboVNC Viewer system
property.  To achieve what you want, assuming you're using OpenSSL 1.0.2
or later, you can add:

    permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

to /etc/turbovncserver-security.conf.  That will prevent any ciphers
other than the two you listed from being used on the server end,
regardless of which ciphers are supported on the client end.  It will
also effectively disallow any of the TLS* security types, irrespective
of the permitted-security-types directive (because anonymous TLS uses
different ciphers).

As a belt-and-suspenders measure, you can also force the viewer to use
only those ciphers by setting

    JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'

in the environment on the client machine.

The Xvnc log file, as well as the debug output from the viewer
(-loglevel 100) will reveal which ciphers are available and which cipher
was negotiated between server and client.

DRC
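The two sides of this setup are configured in two different naming schemes: the server directive takes an OpenSSL cipher string, the viewer property takes Java/IANA suite names. The Python script below is an added example (it is not part of this thread or of TurboVNC) that checks they agree before anyone connects: it asks the local OpenSSL library, through Python's ssl module, which TLS 1.2-and-below suites an OpenSSL cipher string actually selects, flags any anonymous (Au=None) suites, and matches the result against the Java names by IANA code point. It assumes the local OpenSSL resolves the same names as the server's, and the code-point table is deliberately limited to the two suites discussed here (values from the IANA TLS Cipher Suite registry).

```python
"""Cross-check an OpenSSL cipher string (server side) against Java/IANA
cipher-suite names (viewer side) using the locally installed OpenSSL.

Added example; not TurboVNC code. Assumes the local OpenSSL knows the same
suite names as the server's OpenSSL.
"""
import ssl

# IANA code points for the two suites discussed in the thread. The table is
# intentionally limited to those two; extend it from the IANA registry.
IANA_CODE_POINTS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 0xC024,
}


def resolve_openssl_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it selects.

    Returns a list of (openssl_name, iana_code_point, is_anonymous) tuples,
    or [] if OpenSSL rejects the string because it selects nothing.
    TLS 1.3 suites are skipped: OpenSSL cipher strings do not govern them,
    and OpenSSL 1.0.2 (the version named in the thread) has no TLS 1.3.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected" for an empty selection
        return []
    suites = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        # OpenSSL's 32-bit id is 0x0300XXXX; the low 16 bits are the IANA value
        code_point = cipher["id"] & 0xFFFF
        # description looks like "... Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD";
        # anonymous suites (the ones anonymous TLS relies on) carry "Au=None"
        anonymous = "Au=None" in cipher["description"]
        suites.append((cipher["name"], code_point, anonymous))
    return suites


def negotiable_suites(server_cipher_string, client_java_suites):
    """Return the Java/IANA names both sides allow, matched by code point."""
    server_points = {
        cp for _, cp, _ in resolve_openssl_cipher_string(server_cipher_string)
    }
    return sorted(
        name for name in client_java_suites
        if IANA_CODE_POINTS.get(name) in server_points
    )


if __name__ == "__main__":
    # The exact values from the thread: server directive vs. viewer property.
    server = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
    client = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    ]
    for name, cp, anon in resolve_openssl_cipher_string(server):
        print(f"server allows {name} (0x{cp:04X}){' ANONYMOUS' if anon else ''}")
    print("negotiable:", negotiable_suites(server, client))
```

If the negotiable list comes back empty while both sides look right, the usual cause is a suite the local OpenSSL build disables (security level or FIPS policy), which is also what the Xvnc log and the viewer's -loglevel 100 output would show at handshake time.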

On 7/12/19 2:25 PM, Andy wrote:
> That would be awesome
>
> Thanks!
>
> On Friday, July 12, 2019 at 2:46:20 PM UTC-4, DRC wrote:
>
>     I did some digging, and unfortunately there is no way to
>     enable/disable OpenSSL ciphers on a system-wide or per-user basis.
>     They have to be configured on a per-application basis.  I will
>     investigate adding a new TurboVNC security configuration file
>     property for this, as it seems like something that would be
>     generally useful.
>
>     On 7/12/19 10:03 AM, Andy wrote:
>     > Hey so I have some strict requirements on what encryption
>     > ciphers we are allowed to use.
>     >
>     > Basically I need it to use
>     > either TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>     > or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.
>     >
>     > From the viewer side I'm able to restrict the ciphers available
>     > to it by modifying the java argument inside of the vncviewer
>     > script and adding on the options
>     > -Djava.security.properties=/opt/test/java.security.restictive
>     > -Djavax.net.debug=ssl
>     >
>     > Now I get an SSL Handshake error when I try to connect - I think
>     > it's because Xvnc doesn't support the 2 ciphers that I'm trying
>     > to use.
>     >
>     > How would I go about enabling the two ciphers from the server
>     > (Xvnc) side? I'd prefer to not have to recompile, but I'm not
>     > afraid to.
>     >
>     > Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"TurboVNC User Discussion/Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/turbovnc-users/c5c11916-b335-d7c2-8654-22b50bc4701c%40virtualgl.org.
For more options, visit https://groups.google.com/d/optout.
