On 2019-04-26 11:07, Idhren wrote:
> On the Ubuntu workstation:
>
> openssl ciphers -s | grep DHE
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
>
> Apr 26 10:58:32 guacamole guacd[27115]: 0) Received security type 19
> Apr 26 10:58:32 guacamole guacd[27115]: Unknown authentication scheme from 
> VNC server: 19
> Apr 26 10:58:32 guacamole guacd[27115]: Unable to connect to VNC server.
> Apr 26 10:58:32 guacamole guacd[27115]: User 
> "@d820419b-18c0-4c77-8ead-50eeb919a0b1" disconnected (0 users remain)
>
> And I tried another vncviewer (ssvnc). It retrieves and saves the cert and seems 
> to use the ECDHE-RSA-AES256-GCM-SHA384 cipher.

First of all, needless to say, Java does not use OpenSSL libraries: it has 
all ciphers implemented natively in Java. For example, if you are running 
Java7, you have to enable TLS 1.1/1.2 using the
|-Dhttps.protocols=TLSv1.1,TLSv1.2| <https://superuser.com/a/928498/28311> JVM 
system property. For Java8 (and later versions) this is not necessary (it should 
work out of the box); however, I usually double-check the list of ciphers 
against the Java documentation
<https://docs.oracle.com/javase/10/security/oracle-providers.htm#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__CIPHERSUITESSUPPORTEDBYSUNJSSE-29E460FE>.
For example, the cipher ECDHE-RSA-AES256-GCM-SHA384
(which has the name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in Java) that you've 
mentioned is supported by Java8 and removed in Java9 :) However, I don't see the 
reason why Java8/9/10 should not be able to talk to your VNC server, as for 
example the cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 is supported by both 
Java and the server.

General advice would be to enable TLS debugging in Java (-Djavax.net.debug=all 
<https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html>)
and check the logs.

-- 
With best regards,
Dmitry
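
Added example (not part of the original message, and not code from the Guacamole project): a small Java program that performs the cipher check described above against the running JVM instead of the documentation. The class name CipherOverlap and the helper toJsseName are hypothetical, the name conversion is an assumption that only covers the AES and CHACHA20 entries of the kind shown in the quoted `openssl ciphers -s` output, and the sample list is a subset of that output.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherOverlap {
    // Sample input: a subset of the `openssl ciphers -s` output quoted in the thread.
    static final String OPENSSL_LIST =
        "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
      + "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-SHA256:"
      + "DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-SHA";

    // Convert an OpenSSL suite name to the standard (IANA) name that JSSE uses.
    // Assumption: handles only [EC]DHE-<auth>-/RSA key exchange with AES or CHACHA20.
    static String toJsseName(String openssl) {
        List<String> t = new ArrayList<>(Arrays.asList(openssl.split("-")));
        String kx = "RSA";                       // OpenSSL omits the prefix for plain RSA
        if (t.get(0).equals("ECDHE") || t.get(0).equals("DHE")) {
            kx = t.remove(0) + "_" + t.remove(0); // e.g. ECDHE_RSA
        }
        String enc = t.remove(0);                // AES256, AES128 or CHACHA20
        String body;
        if (enc.equals("CHACHA20")) {
            body = "CHACHA20_POLY1305_SHA256";   // the hash is implicit in the OpenSSL name
        } else {
            boolean gcm = t.get(0).equals("GCM");
            if (gcm) t.remove(0);                // no mode token means CBC
            body = "AES_" + enc.substring(3) + (gcm ? "_GCM_" : "_CBC_") + t.get(0);
        }
        return "TLS_" + kx + "_WITH_" + body;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String name : OPENSSL_LIST.split(":")) {
            String jsse = toJsseName(name);
            String state = enabled.contains(jsse) ? "enabled by default"
                         : supported.contains(jsse) ? "supported, not enabled"
                         : "not available in this JVM";
            System.out.printf("%-30s %-46s %s%n", name, jsse, state);
        }
    }
}
```

Run it with the same JVM and security configuration that makes the TLS connection, since the enabled set depends on the Java version and on jdk.tls.disabledAlgorithms.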
