TigerVNC / tigervnc

High performance, multi-platform VNC client and server
https://tigervnc.org
GNU General Public License v2.0

X509 client authentication #787

Open mestag-a opened 5 years ago

mestag-a commented 5 years ago

Is there a technical reason why the X509CA configuration option is available on the client side, but not the server side? I wanted to use this so that a VNC server would only accept client connections from users with a certificate signed by the configured CA. It is possible to configure OpenVPN and SSH to trust a given CA, so I was wondering why this "trusting feature" was implemented the other way around in TigerVNC.

CendioOssman commented 5 years ago

X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.

It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.

pprindeville commented 3 years ago

I have crypto experience. I could work on this...

CendioOssman commented 3 years ago

Go right ahead. We have the development mailing list if you want to discuss technical details.

opentissandy commented 1 day ago

Attachments: client_cert.patch.txt, Screenshot_20241006_185741

I have made one patch to tag 1.14.0 that can be used with qemu. Please merge it into tag 1.14.0. Thanks.

pprindeville commented 21 hours ago

> client_cert.patch.txt
>
> I have made one patch to tag 1.14.0 that can be used with qemu. Please merge it into tag 1.14.0. Thanks.

Can you create a PR so it can be reviewed?

pprindeville commented 21 hours ago

> X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.

Not exactly true. Apache has `SSLVerifyClient require` for exactly this purpose. And `SSLVerifyDepth n` controls how far up the certificate has to "ladder up" to a trusted root CA.

> It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.
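The two models discussed above (the client verifying the server against a CA, which is what TigerVNC's X509 security types do today, versus the server additionally requiring a CA-signed client certificate, the `SSLVerifyClient require` behaviour) can be shown side by side with a plain TLS handshake. The following is an added, stand-alone Go example and is not TigerVNC code or the patch under discussion; it is not VNC-aware at all. It builds a throwaway in-memory PKI (an assumed CA `vnc-ca`, a server cert `vncserver`, a CA-signed client cert `alice`, and a self-signed `mallory` that no CA vouches for; all names are illustrative) and then runs four loopback handshakes to show which clients the server admits under each policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a short-lived P-256 certificate for cn, self-signed when parent is
// nil. This is a toy PKI for the example, not anything TigerVNC ships.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku} // serverAuth or clientAuth
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

type pki struct {
	pool                  *x509.CertPool // the single CA both sides are told to trust
	server, client, rogue tls.Certificate
}

func newPKI() pki {
	_, caCert, caKey := issue("vnc-ca", true, 0, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	server, _, _ := issue("vncserver", false, x509.ExtKeyUsageServerAuth, caCert, caKey)
	client, _, _ := issue("alice", false, x509.ExtKeyUsageClientAuth, caCert, caKey)
	rogue, _, _ := issue("mallory", false, x509.ExtKeyUsageClientAuth, nil, nil) // not CA-signed
	return pki{pool, server, client, rogue}
}

// tryConnect runs a one-shot TLS server on loopback and connects to it. The
// client always verifies the server against the CA (the server-only model);
// requireClient additionally makes the server demand a CA-signed client cert,
// the TLS equivalent of Apache's "SSLVerifyClient require". It returns the
// client identity the server saw, or the first error raised by either side.
func tryConnect(p pki, requireClient bool, clientCert *tls.Certificate) (string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.server}, ClientCAs: p.pool}
	if requireClient {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	var peer string
	errc := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err = tc.Handshake(); err == nil {
			peer = "(anonymous)"
			if certs := tc.ConnectionState().PeerCertificates; len(certs) > 0 {
				peer = certs[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	cliCfg := &tls.Config{RootCAs: p.pool, ServerName: "vncserver"}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert} // only sent when asked
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := <-errc; err != nil {
		return "", err
	}
	return peer, nil
}

func main() {
	p := newPKI()
	for _, tc := range []struct {
		name    string
		require bool
		cert    *tls.Certificate
	}{
		{"server-auth only, anonymous client", false, nil},
		{"client cert required, anonymous client", true, nil},
		{"client cert required, CA-signed client", true, &p.client},
		{"client cert required, untrusted client", true, &p.rogue},
	} {
		cn, err := tryConnect(p, tc.require, tc.cert)
		fmt.Printf("%-42s -> peer=%q err=%v\n", tc.name, cn, err)
	}
}
```

Two details worth noting when reading the output: with client authentication switched on, the server rejects both the anonymous client and `mallory`, whose certificate is syntactically fine but does not chain to `vnc-ca`; and Go's verifier has no equivalent of `SSLVerifyDepth`, so the chain may be as long as the client supplies, as long as it terminates in a certificate from `ClientCAs`.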

KangLin commented 20 hours ago

This is a nice feature, but because GnuTLS is not cross-platform (e.g., MSVC compilation is not supported), it is recommended to use OpenSSL for this feature.

opentissandy commented 4 hours ago

> client_cert.patch.txt
>
> I have made one patch to tag 1.14.0 that can be used with qemu. Please merge it into tag 1.14.0. Thanks.

> Can you create a PR so it can be reviewed?

Please review the code. I have tried to create a PR: https://github.com/TigerVNC/tigervnc/pull/1842