Hello, I’m facing an issue when connecting to a VNC server via *Guacamole Server 1.6.0*. The connection fails during authentication after a TLS handshake.

Here's the relevant log snippet from guacd:

    Client is using protocol version "VERSION_1_5_0"
    VNC server supports protocol version 3.8 (viewer 3.8)
    We have 2 security types to read
    0) Received security type 19
    Selecting security type 19
    1) Received security type 2
    Selected Security Scheme 19
    Got VeNCrypt version 0.2 from server.
    We have 2 security types to read
    0) Received security type 258
    1) Received security type 2
    Selecting security type 258
    GnuTLS version 3.8.3 initialized.
    TLS session initialized.
    TLS anonymous credential created.
    TLS handshake done.
    VNC connection failed: Authentication failure
    Unable to connect to VNC server.

The *same VNC server setup works perfectly with Guacamole 1.5.3*. Only after upgrading to *Guacamole 1.6.0* do I see the "TLS anonymous credential created" log, and then authentication fails.

Logs from 1.5.3:

    guacd[462157]: DEBUG:#011Client is using protocol version "VERSION_1_5_0"
    VNC server supports protocol version 3.8 (viewer 3.8)
    We have 2 security types to read
    0) Received security type 19
    Selecting security type 19 (0/2 in the list)
    1) Received security type 2
    Selected Security Scheme 19
    Got VeNCrypt version 0.2 from server.
    We have 2 security types to read
    0) Received security type 258
    1) Received security type 2
    Selecting security type 258
    TLS session initialized.
    VNC authentication succeeded

Some observations:

- The server offers VeNCrypt security types (type 19), and inside VeNCrypt, it again offers types 258 and 2.
- guacd selects 258 and proceeds with a GnuTLS-based handshake.
- However, it seems an *anonymous TLS session* is being negotiated instead of authenticating properly, causing "Authentication failure".

*My Questions:*

1. Why is the TLS anonymous credential being selected/created here?
2. Is there a setting on the VNC server side to restrict security types or TLS negotiation behavior to avoid anonymous TLS?
3. Was there any protocol handling change for VeNCrypt in Guacamole 1.6.0 that might affect this flow?
4. How can I make VncAuth the preferred config?

Thanks,
Dilip
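
As an added example (not part of the original post, and not Guacamole or libvncclient code), the following Python decodes the two negotiation rounds in the guacd debug log quoted above into named security types, using the type numbers from the RFB and VeNCrypt specifications. The function names and the embedded sample are assumptions constructed for illustration.

```python
import re

# RFB security types and VeNCrypt subtypes (numbers per the RFB / VeNCrypt specs).
RFB_TYPES = {1: "None", 2: "VncAuth", 19: "VeNCrypt"}
# subtype -> (name, how the TLS layer is authenticated)
VENCRYPT_SUBTYPES = {
    256: ("Plain", "no TLS"), 257: ("TLSNone", "anonymous"),
    258: ("TLSVnc", "anonymous"), 259: ("TLSPlain", "anonymous"),
    260: ("X509None", "x509"), 261: ("X509Vnc", "x509"),
    262: ("X509Plain", "x509"),
}

# Constructed sample: negotiation lines copied from the 1.6.0 log in the post.
SAMPLE = """\
We have 2 security types to read
0) Received security type 19
Selecting security type 19
1) Received security type 2
Selected Security Scheme 19
Got VeNCrypt version 0.2 from server.
We have 2 security types to read
0) Received security type 258
1) Received security type 2
Selecting security type 258
TLS anonymous credential created.
"""

def decode_negotiation(log_text):
    """Split the log into negotiation rounds: [outer RFB list, VeNCrypt sub-list]."""
    rounds = []
    for line in log_text.splitlines():
        if re.search(r"We have \d+ security types to read", line):
            rounds.append({"offered": [], "selected": None})
        elif (m := re.search(r"\d+\) Received security type (\d+)", line)) and rounds:
            rounds[-1]["offered"].append(int(m.group(1)))
        elif (m := re.search(r"Selecting security type (\d+)", line)) and rounds:
            rounds[-1]["selected"] = int(m.group(1))
    return rounds

def describe(rounds):
    """Name the selected outer type and, for VeNCrypt, the subtype and TLS mode."""
    result = {"outer": RFB_TYPES.get(rounds[0]["selected"], "unknown")}
    if rounds[0]["selected"] == 19 and len(rounds) > 1:
        name, tls = VENCRYPT_SUBTYPES.get(rounds[1]["selected"], ("unknown", "unknown"))
        result.update(subtype=name, tls=tls)
    return result

if __name__ == "__main__":
    print(describe(decode_negotiation(SAMPLE)))
```

Subtype 258 (TLSVnc) is defined as an anonymous TLS tunnel followed by standard VNC password authentication, which is what the decoded output reports for both the 1.5.3 and 1.6.0 logs.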