Open mestag-a opened 5 years ago
X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.
It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.
I have crypto experience. I could work on this...
Go right ahead. We have the development mailing list if you want to discuss technical details.
> X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.

Not exactly true. Apache has `SSLVerifyClient require` for exactly this purpose. And `SSLVerifyDepth n` controls how far up the certificate has to "ladder up" to a trusted root CA.
> It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.

This is a nice feature, but because GnuTLS does not support cross-platform builds (e.g., MSVC compilation is not supported), it is recommended to use OpenSSL for this feature.
client_cert.patch.txt

I have made a patch against tag 1.14.0 that can be used with QEMU. Please merge it into tag 1.14.0. Thanks.
Can you create a PR so it can be reviewed?
Please review the code. I have tried to create a PR: https://github.com/TigerVNC/tigervnc/pull/1842
Is there a technical reason why the X509CA configuration option is available on the client side, but not the server side? I wanted to use this so that a VNC server would only accept client connections from users with a certificate signed by the configured CA. It is possible to configure OpenVPN and SSH to trust a given CA, so I was wondering why this "trusting feature" was implemented the other way around in TigerVNC.
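The Apache comment earlier in the thread and the question above ask for the same thing: a server that admits only clients whose certificate chains to a CA the operator configured. The Go program below is an added example written for this thread; it is not TigerVNC code and not taken from the linked pull request. It issues a throwaway CA, a server certificate and two client certificates in memory, then runs three handshakes against a server configured with `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs`, which is the Go equivalent of Apache's `SSLVerifyClient require` plus a CA file, and of what a server-side X509CA would have to mean. Everything in it is assumed for illustration: the names ("Deployment CA", "vncserver.example", "alice", "mallory"), the `issue`, `handshake` and `Demo` functions, and the `RFB 003.008` greeting used as the server's first bytes. It needs only the Go standard library and a loopback TCP port.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent/parentKey (self-signed when parent is nil);
// CAs get keyCertSign, leaves get eku and a DNS SAN. Demo helper: panics on the rare errors.
func issue(cn string, serial int64, ca bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.DNSNames = []string{cn}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP and returns the server's verdict,
// because it is the server, not the client, that decides whether a peer is let in.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		_, err = conn.Write([]byte("RFB 003.008\n")) // runs the handshake first; a rejected client surfaces here
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		defer cli.Close()
		cli.Read(make([]byte, 32)) // the greeting on success, the server's alert on rejection
	}
	return <-srvErr
}

// Demo runs three clients against a server that trusts exactly one CA (assumed scenario).
func Demo() (trustedAccepted, selfSignedRejected, noCertRejected bool) {
	ca, caKey := issue("Deployment CA", 1, true, 0, nil, nil) // the CA a server-side X509CA would name
	srvCert, srvKey := issue("vncserver.example", 2, false, x509.ExtKeyUsageServerAuth, ca, caKey)
	alice, aliceKey := issue("alice", 3, false, x509.ExtKeyUsageClientAuth, ca, caKey)
	mallory, malloryKey := issue("mallory", 4, false, x509.ExtKeyUsageClientAuth, nil, nil) // self-signed
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the analogue of Apache's SSLVerifyClient require
		ClientCAs:    pool,                           // the server-side trust anchor the question asks for
	}
	clientCfg := func(cert *x509.Certificate, key ed25519.PrivateKey) *tls.Config {
		cfg := &tls.Config{RootCAs: pool, ServerName: "vncserver.example"}
		if cert != nil {
			tc := tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key} // offered unconditionally
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &tc, nil }
		}
		return cfg
	}
	trustedAccepted = handshake(serverCfg, clientCfg(alice, aliceKey)) == nil
	selfSignedRejected = handshake(serverCfg, clientCfg(mallory, malloryKey)) != nil
	noCertRejected = handshake(serverCfg, clientCfg(nil, nil)) != nil
	return
}
```

Calling `Demo()` from a `main` or a test returns `true, true, true`: the CA-issued client is accepted, the self-signed client is turned away by the server with an unknown-authority error, and a client that presents no certificate at all is refused too, which is exactly the `require` behaviour rather than `optional`. The client configuration uses `GetClientCertificate` on purpose: Go's default client silently omits a certificate whose issuer is not among the CA names the server lists in its CertificateRequest, which would turn the self-signed case into the no-certificate case and hide where the rejection actually happens.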