Wow! Thanks for the quick fix! I take it all I need to try it out is to pull and build the latest TurboVNC and it should work?

Thanks again!

On Saturday, July 13, 2019 at 1:37:31 AM UTC-4, DRC wrote:
> I went ahead and implemented a new security configuration file directive (permitted-cipher-suites), as well as a new Java TurboVNC Viewer system property. To achieve what you want, assuming you're using OpenSSL 1.0.2 or later, you can add:
>
>     permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
>
> to /etc/turbovncserver-security.conf. That will prevent any ciphers other than the two you listed from being used on the server end, regardless of which ciphers are supported on the client end. It will also effectively disallow any of the TLS* security types, irrespective of the permitted-security-types directive (because anonymous TLS uses different ciphers).
>
> As a belt-and-suspenders measure, you can also force the viewer to use only those ciphers by setting
>
>     JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
>
> in the environment on the client machine.
>
> The Xvnc log file, as well as the debug output from the viewer (-loglevel 100), will reveal which ciphers are available and which cipher was negotiated between server and client.
>
> DRC
>
> On 7/12/19 2:25 PM, Andy wrote:
>> That would be awesome
>>
>> Thanks!
>>
>> On Friday, July 12, 2019 at 2:46:20 PM UTC-4, DRC wrote:
>>> I did some digging, and unfortunately there is no way to enable/disable OpenSSL ciphers on a system-wide or per-user basis. They have to be configured on a per-application basis. I will investigate adding a new TurboVNC security configuration file property for this, as it seems like something that would be generally useful.
>>>
>>> On 7/12/19 10:03 AM, Andy wrote:
>>>> Hey so I have some strict requirements on what encryption ciphers we are allowed to use.
>>>>
>>>> Basically I need it to use either TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.
>>>>
>>>> From the viewer side I'm able to restrict the ciphers available to it by modifying the java argument inside of the vncviewer script and adding on the options
>>>>
>>>>     -Djava.security.properties=/opt/test/java.security.restictive
>>>>     -Djavax.net.debug=ssl
>>>>
>>>> Now I get an SSL Handshake error when I try to connect - I think it's because Xvnc doesn't support the 2 ciphers that I'm trying to use.
>>>>
>>>> How would I go about enabling the two ciphers from the server (Xvnc) side? I'd prefer to not have to recompile, but I'm not afraid to.
>>>>
>>>> Thanks!
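A constructed config audit, added here and not TurboVNC's own code: it parses the permitted-cipher-suites directive described in the thread, flags any OpenSSL cipher name outside the two approved ones, and derives the matching value for the viewer's turbovnc.ciphersuites property. The OpenSSL-to-Java name pairs are the ones quoted above; the sample configuration text and the directive parsing rules (`key = value`, `#` comments) are assumptions.

```python
"""Audit a TurboVNC server security config for the cipher-suite allowlist.

Constructed example: checks permitted-cipher-suites against an approved set
and derives the viewer-side -Dturbovnc.ciphersuites value from it.
"""
import re

# OpenSSL cipher names (server side) -> Java/JSSE names (viewer side), as quoted in the thread.
APPROVED = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
}

_DIRECTIVE = re.compile(r"^\s*permitted-cipher-suites\s*=\s*(.*?)\s*$")


def parse_permitted_ciphers(conf_text):
    """Return the colon-separated cipher list, or None if the directive is absent.

    Assumed syntax: '#' comment lines are skipped; if the directive appears
    more than once, the last occurrence wins; an empty value yields [].
    """
    ciphers = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            ciphers = [c for c in m.group(1).split(":") if c]
    return ciphers


def audit(conf_text):
    """Return (ok, unapproved, java_value).

    ok is True only when the directive is present, non-empty, and every cipher
    is approved. java_value is the comma-separated JSSE list for JAVA_TOOL_OPTIONS.
    """
    ciphers = parse_permitted_ciphers(conf_text)
    if ciphers is None:
        return False, [], ""  # directive missing: OpenSSL defaults would apply
    unapproved = [c for c in ciphers if c not in APPROVED]
    java_value = ",".join(APPROVED[c] for c in ciphers if c in APPROVED)
    return not unapproved and bool(ciphers), unapproved, java_value


# Constructed sample configs, not files from the thread.
GOOD_CONF = """# TurboVNC security configuration (constructed)
permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
"""
WEAK_CONF = "permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:AES128-SHA\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        ok, bad, java = audit(conf)
        print(f"{name}: ok={ok} unapproved={bad} -Dturbovnc.ciphersuites={java}")
```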
