Thank you for such a quick response.

> To be clear, support is implemented, already.

Perhaps I misunderstood? There are -C [Certificate] and -K [Key] startup options for guacd, which enable "data sent via the Guacamole protocol [to] be encrypted with SSL". I assumed this encryption was only between the client and guacd. Is it also between guacd and the VNC server? If the VNC server presents a cert, will guacamole's protocol accept it?

Otherwise, the kubernetes protocol.c has settings for certs, but the VNC protocol doesn't have them in master.

Search · org:apache x509 guacamole (github.com)
<https://github.com/search?q=org%3Aapache+x509+guacamole&type=commits>

My selfish purpose would not need a certificate or keypair locally on the browser/client - x509 could just be "always on".

On Thu, Mar 4, 2021 at 9:33 PM Nick Couchman <[email protected]> wrote:

> On Thu, Mar 4, 2021 at 19:54 Dave Neeley <[email protected]> wrote:
>
>> There was a pull request two years ago that would have added support for
>> the x509Vnc protocol in guacd. There was some discussion about storing the
>> certificates on disk on the guacd server rather than in-memory, and the
>> code was pulled.
>>
>> GUACAMOLE-514: Implement additional VNC authentication support by
>> necouchman · Pull Request #232 · apache/guacamole-server (github.com)
>> <https://github.com/apache/guacamole-server/pull/232/commits/51ae8a41a138ff7a2a5b7e81b9647b7cd49ebdab>
>>
>
> Oops, looks like I missed some documentation for those parameters...
>
>> I would have assumed the certificates most definitely had to be stored on
>> disk _somewhere_, is that not correct? Say the guacamole web client was
>> running in one docker container, and guacd was running in a second
>> container. How would certificates be passed in-memory between these two?
>>
>
> Yes, the parameters referenced in the pull request would, most likely,
> point to the location of a file, accessible by guacd, that contains the
> certificate, key, CA, and crl data, respectively. So, even though the
> parameters are configured client-side, the client itself (both browser and
> client container for the Java code) need not have any access to or
> knowledge of the contents of the files.
>
>> Has anyone found a way to implement x509Vnc support?
>>
>
> To be clear, support is implemented, already. Whether it works
> consistently or not, or behaves as you expect it to, is another story. For
> example, if you're looking for an implementation where the user can have a
> certificate and key pair locally available to their browser that then gets
> passed through transparently to guacd to use for the VNC connection, that
> definitely will not work as currently implemented, and would take some
> (significant) additional work to make happen.
>
> -Nick
