x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc

to -anontls. Disable ssl caching. No cert creation prompting in inetd or bg modes. waitpid a bit more carefully on ssl helpers. Tune ssl initial timeouts. Let -create user specify starting X display. fix -rfbport prompt gui for older tk. -sslonly option. Error if no -ssl with related options. -rand option. -ssl implies -ssl SAVE

x11vnc: 0.9.6 release. Some strtok bugfixes. rename -tlsvnc
to -anontls. Disable ssl caching. No cert creation prompting in inetd or bg modes. waitpid a bit more carefully on ssl helpers. Tune ssl initial timeouts. Let -create user specify starting X display. fix -rfbport prompt gui for older tk. -sslonly option. Error if no -ssl with related options. -rand option. -ssl implies -ssl SAVE
8bef644d · runge · e6819291 · 8bef644d · 8bef644d · 8bef644d
Commit 8bef644d authored Dec 10, 2008 by runge
18 changed files
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
+2008-12-10  Karl Runge <runge@karlrunge.com>
+	* x11vnc: 0.9.6 release.  Some strtok bugfixes. rename -tlsvnc
+	  to -anontls.	Disable ssl caching.  No cert creation prompting
+	  in inetd or bg modes.  waitpid a bit more carefully on ssl
+	  helpers.  Tune ssl initial timeouts.	Let -create user specify
+	  starting X display.  fix -rfbport prompt gui for older tk.
+	  -sslonly option. Error if no -ssl with related options. -rand
+	  option.  -ssl implies -ssl SAVE
 2008-11-22  Karl Runge <runge@karlrunge.com>
 	* x11vnc: x11vnc.desktop file. -reopen, -dhparams, -sslCRL,
 	  -setdefer options. -rfbport PROMPT VeNCrypt and TLSVNC SSL/TLS

--- a/x11vnc/README
+++ b/x11vnc/README
--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -2338,6 +2338,7 @@ static int do_reverse_connect(char *str_in) {
 			write(vncsock, prestring, prestring_len);
 			free(prestring);
 		}
+/* XXX use header */
 #define OPENSSL_REVERSE 4
 		openssl_init(1);
 		accept_openssl(OPENSSL_REVERSE, vncsock);
@@ -2345,6 +2346,7 @@ static int do_reverse_connect(char *str_in) {
 		free(host);
 		return 1;
 	}
 	if (use_stunnel) {
 		if(strcmp(host, "localhost") && strcmp(host, "127.0.0.1")) {
 			if (!getenv("STUNNEL_DISABLE_LOCALHOST")) {
@@ -2427,20 +2429,31 @@ void reverse_connect(char *str) {
 	int sleep_min = 1500, sleep_max = 4500, n_max = 5;
 	int n, tot, t, dt = 100, cnt = 0;
 	int nclients0 = client_count;
+	int lcnt, j;
+	char **list;
 	if (unixpw_in_progress) return;
 	tmp = strdup(str);
+	list = (char **) calloc( (strlen(tmp)+2) * sizeof (char *), 1);
+	lcnt = 0;
 	p = strtok(tmp, ", \t\r\n");
 	while (p) {
+		list[lcnt++] = strdup(p);
+		p = strtok(NULL, ", \t\r\n");
+	}
+	free(tmp);
+	for (j = 0; j < lcnt; j++) {
+		p = list[j];
 		if ((n = do_reverse_connect(p)) != 0) {
 			rfbPE(-1);
 		}
 		cnt += n;
+		if (list[j+1] != NULL) {
-		p = strtok(NULL, ", \t\r\n");
-		if (p) {
 			t = 0;
 			while (t < sleep_between_host) {
 				usleep(dt * 1000);
@@ -2449,7 +2462,12 @@ void reverse_connect(char *str) {
 			}
 		}
 	}
-	free(tmp);
+	for (j = 0; j < lcnt; j++) {
+		p = list[j];
+		if (p) free(p);
+	}
+	free(list);
 	if (cnt == 0) {
 		if (connect_or_exit) {
@@ -2739,6 +2757,9 @@ void check_gui_inputs(void) {
 	for (i=0; i<n; i++) {
 		int k, fd = icon_mode_socks[socks[i]];
 		char *p;
+		char **list;
+		int lind;
 		if (! FD_ISSET(fd, &fds)) {
 			continue;
 		}
@@ -2752,8 +2773,18 @@ void check_gui_inputs(void) {
 			continue;
 		}
+		list = (char **) calloc((strlen(buf)+2) * sizeof(char *), 1);
+		lind = 0;
 		p = strtok(buf, "\r\n");
 		while (p) {
+			list[lind++] = strdup(p);
+			p = strtok(NULL, "\r\n");
+		}
+		lind = 0;
+		while (list[lind] != NULL) {
+			p = list[lind++];
 			if (strstr(p, "cmd=") == p ||
 			    strstr(p, "qry=") == p) {
 				char *str = process_remote_cmd(p, 1);
@@ -2769,8 +2800,14 @@ void check_gui_inputs(void) {
 					break;
 				}
 			}
-			p = strtok(NULL, "\r\n");
 		}
+		lind = 0;
+		while (list[lind] != NULL) {
+			p = list[lind++];
+			if (p) free(p);
+		}
+		free(list);
 	}
 }

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
--- a/x11vnc/options.c
+++ b/x11vnc/options.c
@@ -34,7 +34,7 @@ char *enc_str = NULL;
 int vencrypt_mode = VENCRYPT_SUPPORT;
 int vencrypt_kx = VENCRYPT_BOTH;
 int vencrypt_enable_plain_login = 0;
-int tlsvnc_mode = TLSVNC_SUPPORT;
+int anontls_mode = ANONTLS_SUPPORT;
 int create_fresh_dhparams = 0;
 char *dhparams_file = NULL;
 int https_port_num = -1;

--- a/x11vnc/options.h
+++ b/x11vnc/options.h
@@ -34,7 +34,7 @@ extern char *enc_str;
 extern int vencrypt_mode;
 extern int vencrypt_kx;
 extern int vencrypt_enable_plain_login;
-extern int tlsvnc_mode;
+extern int anontls_mode;
 extern int create_fresh_dhparams;
 extern char *dhparams_file;
 extern int https_port_num;

--- a/x11vnc/params.h
+++ b/x11vnc/params.h
@@ -63,9 +63,9 @@
 #define VENCRYPT_NODH		1
 #define VENCRYPT_NOX509		2
-#define TLSVNC_NONE		0
+#define ANONTLS_NONE		0
-#define TLSVNC_SUPPORT		1
+#define ANONTLS_SUPPORT		1
-#define TLSVNC_SOLE		2
+#define ANONTLS_SOLE		2
-#define TLSVNC_FORCE		3
+#define ANONTLS_FORCE		3
 #endif /* _X11VNC_PARAMS_H */
--- a/x11vnc/remote.c
+++ b/x11vnc/remote.c
@@ -327,6 +327,7 @@ int check_httpdir(void) {
 		if ((q = strrchr(prog, '/')) == NULL) {
 			rfbLog("check_httpdir: bad program path: %s\n", prog);
 			free(prog);
+			rfbLog("check_httpdir: *HTTP disabled*  Use -httpdir path\n");
 			return 0;
 		}
@@ -383,6 +384,7 @@ int check_httpdir(void) {
 			rfbLog("check_httpdir: bad guess:\n");
 			rfbLog("   %s\n", httpdir);
+			rfbLog("check_httpdir: *HTTP disabled*  Use -httpdir path\n");
 			return 0;
 		}
 	}

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
--- a/x11vnc/ssltools.h
+++ b/x11vnc/ssltools.h
@@ -394,7 +394,7 @@ char genCert[] =
 "	else\n"
 "	echo \"the key and pretend to be your VNC client.  The downside is it is\"\n"
 "	fi\n"
-"	echo \"inconvenient because you will have to supply the passphrase every\"\n"
+"	echo \"inconvenient because you will need to supply the passphrase EVERY\"\n"
 "	if [ \"x$type\" = \"xserver\" ]; then\n"
 "	echo \"time you start x11vnc using this key.\"\n"
 "	else\n"
@@ -402,9 +402,24 @@ char genCert[] =
 "	fi\n"
 "	echo \"\"\n"
 "	if [ \"X$GENCERT_NOPROMPT\" = \"X\" ]; then\n"
-"		printf \"Protect key with a passphrase?  [y]/n \"\n"
+"		x=\"\"\n"
-"		read x\n"
+"		for tp in 1 2 3\n"
+"		do\n"
+"			printf \"Protect key with a passphrase?  y/n \"\n"
+"			read x\n"
+"			x=`echo \"$x\" | tr 'A-Z' 'a-z' | sed -e 's/[ 	]//g'`\n"
+"			if [ \"X$x\" = \"Xy\" -o \"X$x\" = \"Xn\" ]; then\n"
+"				break;\n"
+"			else \n"
+"				echo \"Please reply with \\\"y\\\" or \\\"n\\\".\"\n"
+"			fi\n"
+"		done\n"
+"		if [ \"X$x\" != \"Xy\" -a \"X$x\" != \"Xn\" ]; then\n"
+"			echo \"Assuming reply \\\"n\\\".\"\n"
+"			x=n\n"
+"		fi\n"
 "	else\n"
+"		echo \"NOT protecting private key with passphrase.\"\n"
 "		x=n\n"
 "	fi\n"
 "	estr=\" *unencrypted*\"\n"
@@ -1273,12 +1288,17 @@ char create_display[] =
 "\n"
 "findfree() {\n"
 "	try=20\n"
+"	sry=99\n"
+"	if [ \"X$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\" != \"X\" ]; then\n"
+"		try=$X11VNC_CREATE_STARTING_DISPLAY_NUMBER\n"
+"		sry=`expr $try + 99`\n"
+"	fi\n"
 "	n=\"\"\n"
 "	nsout=\"\"\n"
 "	if [ \"X$have_netstat\" != \"X\" ]; then\n"
 "		nsout=`$have_netstat -an`\n"
 "	fi\n"
-"	while [ $try -lt 99 ]\n"
+"	while [ $try -lt $sry ]\n"
 "	do\n"
 "		if [ ! -f \"/tmp/.X${try}-lock\" ]; then\n"
 "			if echo \"$nsout\" | grep \"/tmp/.X11-unix/X${try}[ 	]*\\$\" > /dev/null; then\n"
@@ -1517,6 +1537,7 @@ char create_display[] =
 "		sess=\"env $sess\"\n"
 "	fi\n"
 "	redir_daemon=`echo \"$redir_daemon\" | sed -e 's/^,*//'`\n"
+"	echo \"redir_daemon=$redir_daemon\" 1>&2\n"
 "}\n"
 "\n"
 "rchk() {\n"
@@ -1730,12 +1751,13 @@ char create_display[] =
 "#	fi\n"
 "\n"
 "	if [ \"X$redir_daemon\" != \"X\" -a \"X$result\" = \"X1\" ]; then\n"
-"		redir_daemon=`echo \"$redir_daemon\" | sed -e 's|[^A-z0-9:,/]||g'`\n"
+"		redir_daemon=`echo \"$redir_daemon\" | sed -e 's/[~!$&*()|;?<>\"]//g' -e \"s/'//g\"`\n"
 "		xprog=$X11VNC_PROG\n"
 "		if [ \"X$xprog\" = \"X\" ]; then\n"
 "			xprog=x11vnc\n"
 "		fi\n"
-"		$have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd $redir_daemon\" 2>.tsd.log.$USER 1>&2 &\n"
+"		echo \"running: $xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon'\" 1>&2\n"
+"		$have_nohup sh -c \"$xprog -sleepin 10 -auth $authfile -tsd '$redir_daemon' &\" 2>.tsd.log.$USER 1>&2 &\n"
 "	fi\n"
 "}\n"
 "\n"

--- a/x11vnc/tkx11vnc
+++ b/x11vnc/tkx11vnc
@@ -414,6 +414,7 @@ Tuning
 	grow:
 	fuzz:
 	wait_ui:
+	setdefer:
 	nowait_bog
 	slow_fb:
 	xrefresh:
@@ -6460,8 +6461,11 @@ proc do_port_prompt {} {
    vncviewer $hn:0
    vncviewer $hn:1
    etc.
+ Your firewall may block incoming connections to TCP ports;
+ if it does you may need to reconfigure it. 
- You may also set some additional parameters:
+ You can also set some additional parameters:
    - Enable SSL encryption.
      (requires an SSL enabled vncviewer, such as SSVNC)  
@@ -6477,9 +6481,24 @@ proc do_port_prompt {} {
 	wm protocol .   WM_DELETE_WINDOW "destroy .; exit"
 	wm protocol .pp WM_DELETE_WINDOW "destroy .pp; exit"
-	label .pp.m -text "$text" -justify left -font $ffont
+	label .pp.m -text "$text" -relief ridge -justify left -font $ffont
+	global tk_version
+	set tkold 0
+	if [info exists tk_version] {
+		if [regexp {^8\.[0-3]$} $tk_version] {
+			set tkold 1
+		}
+		if [regexp {^[3-7]\.} $tk_version] {
+			set tkold 1
+		}
+	}
-	frame .pp.f -bd 1 -relief ridge -pady 2
+	if {$tkold} {
+		frame .pp.f -bd 1 -relief ridge
+	} else {
+		frame .pp.f -bd 1 -relief ridge -pady 2
+	}
 	label .pp.f.l -text "Port: "
 	entry .pp.f.e -width 8 -textvariable port_set
 	global enable_ssl; set enable_ssl 0
@@ -6495,7 +6514,11 @@ proc do_port_prompt {} {
 	pack .pp.f.l .pp.f.e -side left
 	pack .pp.f.loc .pp.f.ssl -side right
-	frame .pp.t -bd 1 -relief ridge -pady 2
+	if {$tkold} {
+		frame .pp.t -bd 1 -relief ridge
+	} else {
+		frame .pp.t -bd 1 -relief ridge -pady 2
+	}
 	global file_transfer; set file_transfer "none"
 	if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {
 		set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)
@@ -7077,7 +7100,7 @@ proc check_setpasswd {} {
 		set m "${m} 'Apply' to allow incoming connections.\n" 
 		set m "${m}\n" 
 		set m "${m} The passwords are only for this x11vnc\n" 
-		set m "${m} session and are not saved. Run x11vnc\n" 
+		set m "${m} session and are not saved.  Run x11vnc\n" 
 		set m "${m} manually for more control.\n" 
 		set m "${m}\n" 
 		set m "${m} See 'Help' for details on each option.\n" 

--- a/x11vnc/tkx11vnc.h
+++ b/x11vnc/tkx11vnc.h
@@ -425,6 +425,7 @@ char gui_code[] = "";
 "	grow:\n"
 "	fuzz:\n"
 "	wait_ui:\n"
+"	setdefer:\n"
 "	nowait_bog\n"
 "	slow_fb:\n"
 "	xrefresh:\n"
@@ -6471,8 +6472,11 @@ char gui_code[] = "";
 "    vncviewer $hn:0\n"
 "    vncviewer $hn:1\n"
 "    etc.\n"
+"\n"
+" Your firewall may block incoming connections to TCP ports;\n"
+" if it does you may need to reconfigure it. \n"
 "    \n"
-" You may also set some additional parameters:\n"
+" You can also set some additional parameters:\n"
 "\n"
 "    - Enable SSL encryption.\n"
 "      (requires an SSL enabled vncviewer, such as SSVNC)  \n"
@@ -6488,9 +6492,24 @@ char gui_code[] = "";
 "	wm protocol .   WM_DELETE_WINDOW \"destroy .; exit\"\n"
 "	wm protocol .pp WM_DELETE_WINDOW \"destroy .pp; exit\"\n"
 "\n"
-"	label .pp.m -text \"$text\" -justify left -font $ffont\n"
+"	label .pp.m -text \"$text\" -relief ridge -justify left -font $ffont\n"
+"\n"
+"	global tk_version\n"
+"	set tkold 0\n"
+"	if [info exists tk_version] {\n"
+"		if [regexp {^8\\.[0-3]$} $tk_version] {\n"
+"			set tkold 1\n"
+"		}\n"
+"		if [regexp {^[3-7]\\.} $tk_version] {\n"
+"			set tkold 1\n"
+"		}\n"
+"	}\n"
 "\n"
-"	frame .pp.f -bd 1 -relief ridge -pady 2\n"
+"	if {$tkold} {\n"
+"		frame .pp.f -bd 1 -relief ridge\n"
+"	} else {\n"
+"		frame .pp.f -bd 1 -relief ridge -pady 2\n"
+"	}\n"
 "	label .pp.f.l -text \"Port: \"\n"
 "	entry .pp.f.e -width 8 -textvariable port_set\n"
 "	global enable_ssl; set enable_ssl 0\n"
@@ -6506,7 +6525,11 @@ char gui_code[] = "";
 "	pack .pp.f.l .pp.f.e -side left\n"
 "	pack .pp.f.loc .pp.f.ssl -side right\n"
 "\n"
-"	frame .pp.t -bd 1 -relief ridge -pady 2\n"
+"	if {$tkold} {\n"
+"		frame .pp.t -bd 1 -relief ridge\n"
+"	} else {\n"
+"		frame .pp.t -bd 1 -relief ridge -pady 2\n"
+"	}\n"
 "	global file_transfer; set file_transfer \"none\"\n"
 "	if [info exists env(X11VNC_FILETRANSFER_ENABLED)] {\n"
 "		set file_transfer $env(X11VNC_FILETRANSFER_ENABLED)\n"
@@ -7088,7 +7111,7 @@ char gui_code[] = "";
 "		set m \"${m} 'Apply' to allow incoming connections.\\n\" \n"
 "		set m \"${m}\\n\" \n"
 "		set m \"${m} The passwords are only for this x11vnc\\n\" \n"
-"		set m \"${m} session and are not saved. Run x11vnc\\n\" \n"
+"		set m \"${m} session and are not saved.  Run x11vnc\\n\" \n"
 "		set m \"${m} manually for more control.\\n\" \n"
 "		set m \"${m}\\n\" \n"
 "		set m \"${m} See 'Help' for details on each option.\\n\" \n"

--- a/x11vnc/user.c
+++ b/x11vnc/user.c
@@ -224,12 +224,12 @@ static char **user_list(char *user_str) {
 			n++;
 		}
 	}
-	list = (char **) malloc((n+1)*sizeof(char *));
+	list = (char **) calloc((n+1)*sizeof(char *), 1);
 	p = strtok(user_str, ",");
 	i = 0;
 	while (p) {
-		list[i++] = p;
+		list[i++] = strdup(p);
 		p = strtok(NULL, ",");
 	}
 	list[i] = NULL;
@@ -327,6 +327,8 @@ static int lurk(char **users) {
 	gid_t gid;
 	int success = 0, dmin = -1, dmax = -1;
 	char *p, *logins, **u;
+	char **list;
+	int lind;
 	if ((u = users) != NULL && *u != NULL && *(*u) == ':') {
 		int len;
@@ -402,12 +404,23 @@ static int lurk(char **users) {
 	} else {
 		logins = get_login_list(1);
 	}
+	list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
+	lind = 0;
 	p = strtok(logins, ",");
 	while (p) {
+		list[lind++] = strdup(p);
+		p = strtok(NULL, ",");
+	}
+	free(logins);
+	lind = 0;
+	while (list[lind] != NULL) {
 		char *user, *name, *home, dpystr[10];
 		char *q, *t;
 		int ok = 1, dn;
+		p = list[lind++];
 		t = strdup(p);	/* bob:0 */
 		q = strchr(t, ':'); 
@@ -442,7 +455,6 @@ static int lurk(char **users) {
 		}
 		if (! ok) {
-			p = strtok(NULL, ",");
 			continue;
 		}
@@ -464,10 +476,14 @@ static int lurk(char **users) {
 		if (success) {
 			 break;
 		}
+	}
-		p = strtok(NULL, ",");
+	lind = 0;
+	while (list[lind] != NULL) {
+		free(list[lind]);
+		lind++;
 	}
-	free(logins);
 	return success;
 }
@@ -502,6 +518,8 @@ static int guess_user_and_switch(char *str, int fb_mode) {
 	char *dstr, *d;
 	char *p, *tstr = NULL, *allowed = NULL, *logins, **users = NULL;
 	int dpy1, ret = 0;
+	char **list;
+	int lind;
 	RAWFB_RET(0)
@@ -528,11 +546,22 @@ static int guess_user_and_switch(char *str, int fb_mode) {
 	/* loop over the utmpx entries looking for this display */
 	logins = get_login_list(1);
+	list = (char **) calloc((strlen(logins)+2)*sizeof(char *), 1);
+	lind = 0;
 	p = strtok(logins, ",");
 	while (p) {
+		list[lind++] = strdup(p);
+		p = strtok(NULL, ",");
+	}
+	lind = 0;
+	while (list[lind] != NULL) {
 		char *user, *q, *t;
 		int dpy2, ok = 1;
+		p = list[lind++];
 		t = strdup(p);
 		q = strchr(t, ':'); 
 		if (! q) {
@@ -559,7 +588,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
 		if (! ok) {
 			free(t);
-			p = strtok(NULL, ",");
 			continue;
 		}
 		if (switch_user(user, fb_mode)) {
@@ -568,8 +596,6 @@ static int guess_user_and_switch(char *str, int fb_mode) {
 			ret = 1;
 			break;
 		}
-		p = strtok(NULL, ",");
 	}
 	if (tstr) {
 		free(tstr);
@@ -1479,6 +1505,7 @@ static void loop_for_connect(int did_client_connect) {
 		}
 		if (use_openssl && !inetd) {
 			check_openssl();
+			check_https();
 			/*
 			 * This is to handle an initial verify cert from viewer,
 			 * they disconnect right after fetching the cert.

--- a/x11vnc/userinput.c
+++ b/x11vnc/userinput.c
@@ -177,9 +177,9 @@ static double scr_key_bdpush_time, scr_mouse_bdpush_time;
 static void parse_scroll_copyrect_str(char *scr) {
 	char *p, *str;
 	int i;
-	char *part[10];
+	char *part[16];
-	for (i=0; i<10; i++) {
+	for (i=0; i<16; i++) {
 		part[i] = NULL;
 	}
@@ -194,6 +194,7 @@ static void parse_scroll_copyrect_str(char *scr) {
 	while (p) {
 		part[i++] = strdup(p);
 		p = strtok(NULL, ",");
+		if (i >= 16) break;
 	}
 	free(str);
@@ -301,9 +302,9 @@ static char *wireframe_mods = NULL;
 static void parse_wireframe_str(char *wf) {
 	char *p, *str;
 	int i;
-	char *part[10];
+	char *part[16];
-	for (i=0; i<10; i++) {
+	for (i=0; i<16; i++) {
 		part[i] = NULL;
 	}
@@ -327,6 +328,7 @@ static void parse_wireframe_str(char *wf) {
 	while (p) {
 		part[i++] = strdup(p);
 		p = strtok(NULL, ",");
+		if (i >= 16) break;
 	}
 	free(str);

--- a/x11vnc/util.c
+++ b/x11vnc/util.c
@@ -333,10 +333,7 @@ char **create_str_list(char *cslist) {
 	}
 	/* the extra last one holds NULL */
-	list = (char **) malloc( (n+1)*sizeof(char *) );
+	list = (char **) calloc((n+1)*sizeof(char *), 1);
-	for(i=0; i < n+1; i++) {
-		list[i] = NULL;
-	}
 	p = strtok(str, ",");
 	i = 0;

--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@@ -243,6 +243,7 @@ void set_redir_properties(void);
 #define TSMAX 32
 #define TSSTK 16
 void terminal_services(char *list) {
 	int i, j, n = 0, db = 1;
 	char *p, *q, *r, *str = strdup(list);
@@ -257,6 +258,10 @@ void terminal_services(char *list) {
 	char num[32];
 	time_t last_clean = time(NULL);
+	if (getenv("TS_REDIR_DEBUG")) {
+		db = 2;
+	}
 	if (! dpy) {
 		return;
 	}
@@ -268,6 +273,8 @@ void terminal_services(char *list) {
 		    PropModeReplace, (unsigned char *)list, strlen(list));
 		XSync(dpy, False);
 	}
+	if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d.\n");
 	for (i=0; i<TASKMAX; i++) {
 		ts_tasks[i] = 0;
 	}
@@ -544,12 +551,19 @@ void do_tsd(void) {
 	char *cmd;
 	int n, sz = 0;
 	char *disp = DisplayString(dpy);
+	int db = 0;
+	if (getenv("TS_REDIR_DEBUG")) {
+		db = 1;
+	}
+	if (db) fprintf(stderr, "do_tsd() in.\n");
 	prop[0] = '\0';
 	a = XInternAtom(dpy, "TS_REDIR_LIST", False);
 	if (a != None) {
 		get_prop(prop, 512, a);
 	}
+	if (db) fprintf(stderr, "TS_REDIR_LIST Atom: %d = '%s'\n", a, prop);
 	if (prop[0] == '\0') {
 		return;
@@ -662,6 +676,13 @@ static void check_redir_services(void) {
 	time_t tsd_last;
 	int restart = 0;
 	pid_t pid = 0;
+	int db = 0;
+	db = 0;
+	if (getenv("TS_REDIR_DEBUG")) {
+		db = 1;
+	}
+	if (db) fprintf(stderr, "check_redir_services in.\n");
 	if (! dpy) {
 		return;
@@ -675,6 +696,7 @@ static void check_redir_services(void) {
 			pid = (pid_t) atoi(prop);
 		}
 	}
+	if (db) fprintf(stderr, "TS_REDIR_PID Atom: %d = '%s'\n", a, prop);
 	if (getenv("FD_TAG")) {
 		a = XInternAtom(dpy, "FD_TAG", False);
@@ -685,6 +707,7 @@ static void check_redir_services(void) {
 			    PropModeReplace, (unsigned char *)tag, strlen(tag));
 			XSync(dpy, False);
 		}
+		if (db) fprintf(stderr, "FD_TAG Atom: %d = '%s'\n", a, prop);
 	}
 	prop[0] = '\0';
@@ -692,6 +715,7 @@ static void check_redir_services(void) {
 	if (a != None) {
 		get_prop(prop, 512, a);
 	}
+	if (db) fprintf(stderr, "TS_REDIR Atom: %d = '%s'\n", a, prop);
 	if (prop[0] == '\0') {
 		rfbLog("TS_REDIR is empty, restarting...\n");
 		restart = 1;
@@ -718,9 +742,11 @@ static void check_redir_services(void) {
 			kill(pid, SIGKILL);
 		}
 		do_tsd();
+		if (db) fprintf(stderr, "check_redir_services restarted.\n");
 		return;
 	}
+	if (db) fprintf(stderr, "check_redir_services, no restart, calling set_redir_properties.\n");
 	set_redir_properties();
 #endif
 }
@@ -1805,6 +1831,7 @@ int main(int argc, char* argv[]) {
 	int ncache_msg = 0;
 	char *got_rfbport_str = NULL;
 	int got_rfbport_pos = -1;
+	int got_tls = 0;
 	/* used to pass args we do not know about to rfbGetScreen(): */
 	int argc_vnc_max = 1024;
@@ -2188,6 +2215,7 @@ int main(int argc, char* argv[]) {
 		if (!strcmp(arg, "-http_ssl")) {
 			try_http = 1;
 			http_ssl = 1;
+			got_tls++;
 			continue;
 		}
 		if (!strcmp(arg, "-avahi") || !strcmp(arg, "-mdns") || !strcmp(arg, "-zeroconf")) {
@@ -2357,6 +2385,7 @@ int main(int argc, char* argv[]) {
 			char *s;
 			CHECK_ARGC
 			s = strdup(argv[++i]);
+			got_tls++;
 			if (strstr(s, "never")) {
 				vencrypt_mode = VENCRYPT_NONE;
 			} else if (strstr(s, "support")) {
@@ -2385,18 +2414,19 @@ int main(int argc, char* argv[]) {
 			free(s);
 			continue;
 		}
-		if (!strcmp(arg, "-tlsvnc")) {
+		if (!strcmp(arg, "-anontls")) {
 			char *s;
 			CHECK_ARGC
 			s = strdup(argv[++i]);
+			got_tls++;
 			if (strstr(s, "never")) {
-				tlsvnc_mode = TLSVNC_NONE;
+				anontls_mode = ANONTLS_NONE;
 			} else if (strstr(s, "support")) {
-				tlsvnc_mode = TLSVNC_SUPPORT;
+				anontls_mode = ANONTLS_SUPPORT;
 			} else if (strstr(s, "only")) {
-				tlsvnc_mode = TLSVNC_SOLE;
+				anontls_mode = ANONTLS_SOLE;
 			} else if (strstr(s, "force")) {
-				tlsvnc_mode = TLSVNC_FORCE;
+				anontls_mode = ANONTLS_FORCE;
 			} else {
 				fprintf(stderr, "invalid %s arg: %s\n", arg, s);
 				exit(1);
@@ -2407,14 +2437,22 @@ int main(int argc, char* argv[]) {
 			free(s);
 			continue;
 		}
+		if (!strcmp(arg, "-sslonly")) {
+			vencrypt_mode = VENCRYPT_NONE;
+			anontls_mode = ANONTLS_NONE;
+			got_tls++;
+			continue;
+		}
 		if (!strcmp(arg, "-dhparams")) {
 			CHECK_ARGC
 			dhparams_file = strdup(argv[++i]);
+			got_tls++;
 			continue;
 		}
 		if (!strcmp(arg, "-nossl")) {
 			use_openssl = 0;
 			openssl_pem = NULL;
+			got_tls = -1000;
 			continue;
 		}
 		if (!strcmp(arg, "-ssl")) {
@@ -2422,9 +2460,21 @@ int main(int argc, char* argv[]) {
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
-					openssl_pem = strdup(s);
+					if (!strcmp(s, "ADH")) {
+						openssl_pem = strdup("ANON");
+					} else if (!strcmp(s, "ANONDH")) {
+						openssl_pem = strdup("ANON");
+					} else if (!strcmp(s, "TMP")) {
+						openssl_pem = NULL;
+					} else {
+						openssl_pem = strdup(s);
+					}
 					i++;
+				} else {
+					openssl_pem = strdup("SAVE");
 				}
+			} else {
+				openssl_pem = strdup("SAVE");
 			}
 			continue;
 		}
@@ -2458,11 +2508,13 @@ int main(int argc, char* argv[]) {
 		if (!strcmp(arg, "-sslverify")) {
 			CHECK_ARGC
 			ssl_verify = strdup(argv[++i]);
+			got_tls++;
 			continue;
 		}
 		if (!strcmp(arg, "-sslCRL")) {
 			CHECK_ARGC
 			ssl_crl = strdup(argv[++i]);
+			got_tls++;
 			continue;
 		}
 		if (!strcmp(arg, "-sslGenCA")) {
@@ -2522,15 +2574,19 @@ int main(int argc, char* argv[]) {
 				sslEncKey(s, 2);
 			}
 			exit(0);
 			continue;
 		}
 		if (!strcmp(arg, "-stunnel")) {
 			use_stunnel = 1;
+			got_tls = -1000;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
-					stunnel_pem = strdup(s);
+					if (!strcmp(s, "TMP")) {
+						stunnel_pem = NULL;
+					} else {
+						stunnel_pem = strdup(s);
+					}
 					i++;
 				}
 			}
@@ -2538,10 +2594,15 @@ int main(int argc, char* argv[]) {
 		}
 		if (!strcmp(arg, "-stunnel3")) {
 			use_stunnel = 3;
+			got_tls = -1000;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
-					stunnel_pem = strdup(s);
+					if (!strcmp(s, "TMP")) {
+						stunnel_pem = NULL;
+					} else {
+						stunnel_pem = strdup(s);
+					}
 					i++;
 				}
 			}
@@ -2550,6 +2611,7 @@ int main(int argc, char* argv[]) {
 		if (!strcmp(arg, "-https")) {
 			https_port_num = 0;
 			try_http = 1;
+			got_tls++;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
@@ -2561,6 +2623,7 @@ int main(int argc, char* argv[]) {
 		}
 		if (!strcmp(arg, "-httpsredir")) {
 			https_port_redir = -1;
+			got_tls++;
 			if (i < argc-1) {
 				char *s = argv[i+1];
 				if (s[0] != '-') {
@@ -3410,6 +3473,12 @@ int main(int argc, char* argv[]) {
 			use_snapfb = 1;
 			continue;
 		}
+		if (!strcmp(arg, "-rand")) {
+			/* equiv. to -nopw -rawfb rand for quick tests */
+			raw_fb_str = strdup("rand");
+			nopw = 1;
+			continue;
+		}
 		if (!strcmp(arg, "-rawfb")) {
 			CHECK_ARGC
 			raw_fb_str = strdup(argv[++i]);
@@ -4091,6 +4160,18 @@ int main(int argc, char* argv[]) {
 		if (db) fprintf(stderr, "users_list: %s\n", users_list);
 	}
+	if (got_tls > 0 && !use_openssl) {
+		rfbLog("SSL: Error: you did not supply the '-ssl ...' option even\n");
+		rfbLog("SSL: though you supplied one of these related options:\n");
+		rfbLog("SSL:   -sslonly, -sslverify, -sslCRL, -vencrypt, -anontls,\n");
+		rfbLog("SSL:   -dhparams, -https, -http_ssl, or -httpsredir.\n");
+		rfbLog("SSL: Restart with, for example, '-ssl SAVE' on the cmd line.\n");
+		rfbLog("SSL: See the '-ssl' x11vnc -help description for more info.\n");
+		if (!getenv("X11VNC_FORCE_NO_OPENSSL")) {
+			exit(1);
+		}
+	}
 	if (unixpw) {
 		if (inetd) {
 			use_stunnel = 0;
@@ -5049,12 +5130,12 @@ if (0) fprintf(stderr, "XA: %s\n", getenv("XAUTHORITY"));
 	initialize_speeds();
-	if (speeds_read_rate_measured > 100) {
+	if (speeds_read_rate_measured > 80) {
-		/* framebuffer read is fast at  > 100 MB/sec */
+		/* framebuffer read is fast at > 80 MB/sec */
 		if (! got_waitms) {
 			waitms /= 2;
-			if (waitms < 10) {
+			if (waitms < 5) {
-				waitms = 10;
+				waitms = 5;
 			}
 			if (!quiet) {
 				rfbLog("fast read: reset wait  ms to: %d\n", waitms);

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.6 lastmod: 2008-11-22";
+char lastmod[] = "0.9.6 lastmod: 2008-12-08";
 /* X display info */