TLS is the successor to SSL. The beauty of the STARTTLS protocol is that it uses the same TCP port and encryption is negotiated at connection establishment. A VNC server could allow non-STARTTLS clients (e.g., the ones that exist right now) to connect as well as STARTTLS clients on the same port.

I think that the addition of the STARTTLS protocol to VNC would offer a significant improvement in the current security, especially in regards to simplicity (versus the tunnel over SSL approach). It appears that TridiaVNC Pro does this already. I think the free code base should have it as well. Code from OpenLDAP, which implements STARTTLS, could be examined or used as an example.

Feature-wise, Xvnc should be able to:

- Optionally allow STARTTLS connections
- Optionally ONLY allow STARTTLS connections
- Define a minimum encryption strength (à la OpenLDAP's 'security ssf=128')

In order to keep things simple, CAs and PKI could be ignored entirely, and simply do the whole "cache remote host public keys" like OpenSSH does.

The current recommendation for tunneling VNC over SSH rubs me as a big ugly workaround. I have a VNC server setup where connecting to the machine via VNC displays a GDM/KDM/XDM login screen. Xvnc is launched via Xinetd, and connects to the localhost display manager via XDMCP. In this configuration, tunneling VNC over SSH is not possible.

I'm willing to work on coding support for STARTTLS, but was wondering if anyone had already done this or had comments.

Dax Kelson
Guru Labs

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
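The three server options proposed above (allow STARTTLS, require STARTTLS, minimum strength) and the OpenSSH-style "cache remote host public keys" idea, modelled in Python as an added example that is not code from the original post, Xvnc, or any VNC project. It assumes the strength factor is expressed in bits as OpenLDAP's ssf is, and uses constructed host names and key bytes; no real VNC or TLS traffic is exchanged.

```python
"""Policy model for a STARTTLS-capable VNC server (constructed illustration)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class TlsPolicy:
    allow_starttls: bool = True     # "Optionally allow STARTTLS connections"
    require_starttls: bool = False  # "Optionally ONLY allow STARTTLS connections"
    min_ssf: int = 0                # minimum strength in bits, as in 'security ssf=128'


def accept_connection(policy: TlsPolicy, client_starttls: bool,
                      negotiated_ssf: int) -> Tuple[bool, str]:
    """Decide whether a session may proceed to the VNC protocol.

    client_starttls: the client asked to upgrade the plain TCP connection.
    negotiated_ssf:  strength (bits) of the cipher TLS agreed on; ignored
                     (treated as 0) when the client stayed in the clear.
    """
    if client_starttls and not policy.allow_starttls:
        return False, "STARTTLS not enabled on this server"
    if not client_starttls and policy.require_starttls:
        return False, "server requires STARTTLS"
    effective = negotiated_ssf if client_starttls else 0
    if effective < policy.min_ssf:
        return False, f"strength {effective} below required {policy.min_ssf}"
    return True, "ok"


class KnownHosts:
    """Trust-on-first-use cache of server public keys, like ~/.ssh/known_hosts.

    No CA or PKI: the first key seen for a host is remembered, and a later
    change of key is reported so the client can refuse the connection.
    """

    def __init__(self) -> None:
        self._fingerprints: Dict[str, str] = {}

    @staticmethod
    def fingerprint(public_key_der: bytes) -> str:
        return "SHA256:" + hashlib.sha256(public_key_der).hexdigest()

    def check(self, host: str, public_key_der: bytes) -> str:
        fp = self.fingerprint(public_key_der)
        known = self._fingerprints.get(host)
        if known is None:
            self._fingerprints[host] = fp   # first contact: cache the key
            return "new"
        return "match" if known == fp else "mismatch"  # mismatch: key changed, refuse
```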
