Unrecognized RFB version using TigerVNC

[discofever]

Playing around with noVNC i'm not able to connect to TigerVNC, giving the following error :

"reading version failed: not an RFB client?"

Using Xvnc TigerVNC 1.0.1 - built Mar 25 2010 18:01:18

[kanaka]

Sounds like you aren't using wsproxy, or you are connecting directly to the TigerVNC port instead of the wsproxy port. Until VNC servers have WebSockets support you have to connect via wsproxy. I'll close the bug, but if you are using wsproxy properly and still getting the problem, please re-open the bug.

[discofever]

thx for the fast reply; right, i was trying to connect directly. I can't use wsproxy for that particular project, but will it work with stunnel instead ?

[discofever]

actually i'm using a modified version of stunnel that accept the 'CONNECT' param from a modifier java vnc viewer applet like this : http://www.xs4all.nl/~harmwal/vnc/readme.html

Specifying the connect string with :

param name="host" value="publicip" param name="port" value="443" param name="CONNECT" value="lanserverip:serverport"

Can i modify novnc to add that string on connection ?

I'd really appreciate your help on that (if you can)

[kanaka]

Unfortunately, no. wsproxy converts between the WebSockets protocol and normal TCP sockets. The WebSockets protocol has support for SSL/TLS, so wsproxy can be used to allow encrypted connections to a non-encrypted server (much like stunnel). But stunnel only adds encryption, not WebSockets handshake and framing.

WebSockets support would be an interesting additional feature to add to stunnel. I'll file a feature issue for that. Can't guarantee when I'll be able to get around to it though.

[discofever]

ok i now understand the underlaying problem; sorry for my ignorance. Will give a try to wsproxy and get rid of stunnel.

thank you for taking time to reply, i appreciate that.

[kanaka]

Please note that wsproxy is young and has had very little shakeout relative to security issues. stunnel has been around for quite a while and has had many eyes looking at it and fixing security issues. If you are going to run it in production exposed directly to the Internet, you probably want to have somebody with good security expertise go over it first (and report back any issues :-) ).

[discofever]

agreed, my application is a really critical one.

just followed your stunnel websocket path and found this interesting post : http://siriux.net/2010/08/php-websocket-server/ (scroll down to the last comment)

looks like it's possible ? what do you think ?

[kanaka]

Well phpwebsocket is even younger (and larger code-wise) than wsproxy so I would still have somebody with security audit experience go over it. phpwebsocket might be easier to integrate into your environment than wsproxy but it doesn't necessarily give a security advantage.

Obviously, encrypted connections are critical, but they aren't the only consideration. Putting stunnel in front of a service doesn't necessarily make it more secure (it just mitigates the issue of eaves dropping). Here are some other issues to consider (that apply to stunnel, phpwebsockets, wsproxy, whatever):

• Can somebody just DDOS your server easily via this new service?
• Are there buffer overflows possible in the service that might allow escalating of privilege or over-writing files on server?
• Does the service allow the client to bounce through to an arbitrary port? i.e. can they now connect to your unsecured DB running on the server (or another server in the same network)?
• Is the service that is being proxied secure itself? The VNC server itself may have these problems too.

Just some thoughts.

[discofever]

ok i think i'll follow the vncserver change path as it looks less complicated to change for me. Will report success here later.

[discofever]

just opened an issue for libvncserver