"Stacy D. Coil" wrote:
> 
> I saw that there were patches to the vnc server (a long time ago) that
> enabled ssl encryption.  Does that still work?
> 
> What I envision is being able to access a vnc server from a web browser
> using ssl (i.e.  type https://my.vncserver.com:5800/).  Is this
> possible?  Or is there a way to wrap the vncserver with a ssl "tunnelling"
> program?  I am considering this for a Linux box running apache and open_ssl.
> 

Well, I don't know about those patches, but I have experimented with
posting rfb to a url, and then forwarding it to a vncserver. I did it
both with http and https.

I encountered several problems:
- high overhead, low responsiveness
- viewer does requests for frame buffer updates, resulting in huge proxy
access logs (the ability to use http proxies with just a sandboxed
applet is convenient though!) This is a major problem, although one
sysadm told me his logs are huge anyway.
- while using https my browsers close the connection to a http proxy
after every http request/response (pity!). For simulative duplex
communication, this means https on its own does not provide the security
we need (https does not use client authentication by default), and is
not a solution to the previous problem.
- Maybe I should not enable employees to break their company's security
policy (see also my response to Wez in the other thread, maybe we need a
discussion about it?).

You can find the results of my efforts here:
http://www1.tip.nl/t515027/brandgang/
A vncviewer is not included, for the above reasons. I did a quick https
version with Sun's JSSE, but that is also not included.

Of course you could implement SSL without a http layer, but I have
not looked into that. The nice thing about https tunneling with an
applet would be, that all the needed SSL stuff is already available in
the browser, and the http layer allows for easy traversing firewalls.
Maybe someone can tell me why browsers are not persistent when using a
http proxy for https, or point me to some docs. The only thing the http
specs mention, is that CONNECT is a reserved request method!

-- 
Harmen
http://www1.tip.nl/~t515027/