Synchronize ssvnc 1.0.26. Improvements to perl scripts desktop.cgi, connect_switch and inet6to4.

91d0e2fd · runge · 97540de5 · 91d0e2fd · 91d0e2fd · 91d0e2fd
Commit 91d0e2fd authored Apr 09, 2010 by runge
13 changed files
--- a/x11vnc/misc/connect_switch
+++ b/x11vnc/misc/connect_switch
@@ -211,6 +211,7 @@ if (exists $ENV{CONNECT_SWITCH_PIDFILE}) {
 #	CONNECT_SWITCH_BUFSIZE
 #	CONNECT_SWITCH_LOGFILE
 #	CONNECT_SWITCH_PIDFILE
+#	CONNECT_SWITCH_MAX_CONNECTIONS
 #
 # You can also set these on the cmdline:
 #      connect_switch CONNECT_SWITCH_LISTEN=X CONNECT_SWITCH_ALLOW_FILE=Y ...
@@ -335,6 +336,13 @@ if (exists $ENV{CONNECT_SWITCH_VERBOSE}) {
 	$verbose = $ENV{CONNECT_SWITCH_VERBOSE};
 }
+# zero means loop forever, positive value means exit after handling that
+# many connections.
+#
+my $cmax = 0;
+if (exists $ENV{CONNECT_SWITCH_MAX_CONNECTIONS}) {
+	$cmax = $ENV{CONNECT_SWITCH_MAX_CONNECTIONS};
+}
 #===========================================================================
@@ -384,6 +392,10 @@ my $conn = 0;
 while (1) {
 	$conn++;
+	if ($cmax > 0 && $conn > $cmax) {
+		print STDERR "last connection ($cmax)\n" if $verbose; 
+		last;
+	}
 	print STDERR "listening for connection: $conn\n" if $verbose; 
 	my ($client, $ip) = $listen_sock->accept();
 	if (! $client) {

--- a/x11vnc/misc/desktop.cgi
+++ b/x11vnc/misc/desktop.cgi
 #!/usr/bin/perl
 #
-# desktop.cgi
+##########################################################################
+# desktop.cgi:
+#
+# This is an example CGI script to provide multi-user web access to
+# x11vnc desktops.  The user desktop sessions run in 'Xvfb' displays
+# that are created automatically.
+#
+# This script should/must be served by an HTTPS (i.e. SSL) webserver,
+# otherwise the unix and vnc passwords would be sent over the network
+# unencrypted (see below to disable if you really want to.)
+#
+# The Java VNC Viewer applet connections are encrypted by SSL as well.
+#
+# You can use this script to provide unix users desktops available on
+# demand via any Java enabled web browser.  One could also use this for
+# a special-purpose 'single application' service running in a minimal
+# window manager.
+#
+# One example of a special-purpose application would be a scientific
+# data visualization tool running on a server where the data is housed.
+# To do this set $x11vnc_extra_opts = '-env FD_PROG=/path/to/app/launcher'
+# where the program launches your special purpose application.  A very
+# simple example:  '-env FD_PROG=/usr/bin/xclock'
+# 
+#
+# Depending on where you place this script, the user accesses the service
+# with the URL:
+#
+#     https://your.webserver.net/cgi-bin/desktop.cgi
+#
+# Then they login with their unix username and password to get their
+# own desktop session.
+#
+# If the user has an existing desktop it is connected to directly,
+# otherwise a new session is created inside an Xvfb display and then
+# connected to by VNC.
+#
+# It is possible to do port redirection to other machines running SSL
+# enabled VNC servers (see below.)  This script does not start the VNC
+# servers on the other machines, although with some extra rigging you
+# should be able to do that as well.
+#
+# You can customize the login procedure to whatever you want by modifying
+# this script, or by using ideas in this script write your own PHP,
+# (for example), script.
+#
+##########################################################################
+# Overriding default settings:
+#
+# If you want to override any settings in this script and do not
+# want to edit this script create the assignments in a file named
+# 'desktop.cgi.conf' in the same directory as desktop.cgi.  It will be
+# sourced after the defaults are set.  The format of desktop.cgi.conf
+# is simply perl statements that make the assignments.
+#
+# For example, if you put something like this in desktop.cgi.conf:
+#
+#	$x11vnc = '/usr/local/bin/x11vnc';
+#
+# that will set the path to the x11vnc binary to that location.  Look at
+# the settings below for the other variables that you can modify, for
+# example one could set $allowed_users_file.
+#
+##########################################################################
+# x11vnc:
 #
-# An example cgi script to provide multi-user web access to x11vnc
+# You need to install x11vnc or otherwise have it available.  It is
-# desktops.  This script should/must be served by an HTTPS webserver,
+# REQUIRED that you use x11vnc 0.9.10 or later.  It won't work with
-# otherwise the unix and vnc passwords are sent over the network
+# earlier versions.  See below the $x11vnc parameter that you can set
-# unencrypted (see below to disable)
+# to the full path to x11vnc.
+#
+##########################################################################
+# Xvfb:
 #
 # Note that the x11vnc -create virtual desktop service used below requires
-# that you install the 'Xvfb' program.
+# that you install the 'Xvfb' program.  On debian this is currently done
+# via 'apt-get install xvfb'.
+#
+# If you are having trouble getting 'x11vnc -create' to work with this
+# script (it can be tricky), try it manually and/or see the x11vnc FAQ
+# links below.
+#
+##########################################################################
+# Apache httpd:
+#
+# You should put this script in, say, a cgi-bin directory.  Enable cgi
+# scripts in your apache (or other httpd) config.  For example, we have
+# these lines (not commented):
+#
+# In httpd.conf:
 #
-# You should put this script in, say, a cgi-bin directory.
+#	ScriptAlias /cgi-bin/ "/dist/apache/2.0/cgi-bin/"
+#
+#	<Directory "/dist/apache/2.0/cgi-bin">
+#	    AllowOverride None
+#	    Options None     
+#	    Order allow,deny
+#	    Allow from all 
+#	</Directory>
+#
+# and in ssl.conf:
+#
+#	<Directory "/dist/apache/2.0/cgi-bin">
+#	    SSLOptions +StdEnvVars
+#	</Directory>
+#
+# Do not be confused by the non-standard /dist/apache/2.0 apache
+# installation location that we happen to use.  Yours will be different.
+#
+# You can test that you have CGI scripts working properly with the 
+# 'test-cgi' and 'printenv' scripts apache provides.
+#
+# Copy this file (desktop.cgi) to /dist/apache/2.0/cgi-bin and then run
+# 'chmod 755 ...' on it to make it executable.
+#
+##########################################################################
+# Applet Jar files served by apache:
 #
 # You will *also* need to copy the x11vnc classes/ssl/UltraViewerSSL.jar
-# file to the document root: /UltraViewerSSL.jar (or change the html
+# file to the httpd DocumentRoot to be accessible by: /UltraViewerSSL.jar
-# at bottom.)
+# in a URL (or change $applet_jar below or the html in $applet_html if
+# you want to use a different location.)
+#
+# This location is relative to the apache DocumentRoot 'htdocs' directory.
+# For our (non-standard location installation) that meant we copied the
+# file to:
+#
+#    /dist/apache/2.0/htdocs/UltraViewerSSL.jar
+#
+# (your DocumentRoot directory will be different.) 
+#
+# The VncViewer.jar (tightvnc) will also work, but you need to change
+# the $applet_jar below.  You can get these jar files from the x11vnc
+# tarball from:
+#
+#    http://www.karlrunge.com/x11vnc/#downloading
+#
+# This script requires x11vnc 0.9.10 or later.
 #
-# Each x11vnc server created for a login will listen on its own port (see
+# Note that the usage mode for this script is a different from regular
-# below for port selection schemes.)  Your firewall must let in these ports.
+# 'x11vnc -http ...' usage where x11vnc acts as a mini web server and
-# It is difficult and not as reliable to do all of this through a single port;
+# serves its own applet jars.  We don't use that mode for this script.
-# however, see the fixed port scheme find_free_port = 'fixed:5900' below.
+# Apache (httpd) serves the jars.
 #
-# Note there are two SSL certificates involved that the user may be
+#
+##########################################################################
+# Notes and Information:
+#
+# Each x11vnc server created for a user login will listen on its own port
+# (see below for port selection schemes.)  Your firewall must let in *ALL*
+# of these ports (e.g. a port range, see below for the syntax.)
+#
+# It is also possible, although not as reliable, to do all of this through
+# a single port, see the fixed port scheme $find_free_port = 'fixed:5910'
+# below.  This single port mode must be different from apache's port
+# (usually 443 for https) and must also be allowed in by your firewall.
+#
+# Note: The fixed port scheme is DISABLED by default.
+#
+# It is also possible to have this script act as a vnc redirector to SSL
+# enabled VNC servers running on *other* machines inside your firewall
+# (presumably the users' desktops) See the $enable_port_redirection
+# setting below.  The user provides 'username@host:port' instead of just
+# 'username' when she logs in.  This script doesn't start VNC servers
+# on those other machines, the servers must be running there already.
+# (If you want this script to start them you will need to add it
+# yourself.)  It is possible to provide a host:port allow list to limit
+# which internal machines and ports can be redirected to.  This is the
+# $port_redirection_allowed_hosts parameter.
+#
+# Note: The vnc redirector scheme is DISABLED by default.
+#
+# Note there are *two* SSL certificates involved that the user may be
 # asked to inspect: apache's SSL cert and x11vnc's SSL cert.  This may
-# confuse the user.
+# confuse naive users.  You may want to use the same cert for both.
 #
 # This script provides one example on how to provide the service.  You can
-# customize to meet your needs, e.g. switch to php, newer modules,
+# customize it to meet your needs, e.g. switch to php, newer cgi modules,
-# different authentication, SQL database, etc.  If you plan to use it
+# different authentication, SQL database for user authentication, etc,
-# in production, please examine all security aspects of it carefully;
+# etc.  If you plan to use it in production, please examine all security
-# read the comments in the script for more info.
+# aspects of it carefully; read the comments in the script for more info.
 #
-# More information and background:
+# More information and background and troubleshooting:
 #
 #      http://www.karlrunge.com/x11vnc/faq.html#faq-xvfb
 #      http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-viewers
@@ -39,6 +190,10 @@
 #      http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-portal
 #      http://www.karlrunge.com/x11vnc/faq.html#faq-unix-passwords
 #      http://www.karlrunge.com/x11vnc/faq.html#faq-userlogin
+#
+#
+# Please also read the comments below for changing specific settings.
+# You can modify them in this script or by override file 'desktop.cgi.conf'
 #-------------------------------------------------------------------------
@@ -64,31 +219,58 @@ use strict;
 use IO::Socket::INET;
+##########################################################################
+# Path to the x11vnc program:
+#
+my $x11vnc = '/usr/bin/x11vnc';
+##########################################################################
+# You can set some extra x11vnc cmdline options here:
+#
+my $x11vnc_extra_opts = '';
+##########################################################################
+# Override the default x11vnc viewer connection timeout of 75 seconds:
+#
+my $x11vnc_timeout = '';
+##########################################################################
 # TCP Ports:
 #
 # Set find_free_port to 1 (or the other modes described below) to
-# autoselect a free port to use.  The default is to use a fixed port
+# autoselect a free port to use.  The default is to use a port based on
-# based on the userid.
+# the userid number (7000 + uid).
 #
 my $find_free_port = 0;
-#
 # Or specify a port range:
 #
 #$find_free_port = '7000-8000';
 #
 # Or indicate to use a kludge to try to do everything through a SINGLE
 # port.  To try to avoid contention on the port, simultaneous instances
-# of this script attempt to 'take turns' using it.
+# of this script attempt to 'take turns' using it the single port.
 #
-#$find_free_port = 'fixed:5900';
+#$find_free_port = 'fixed:5910';
+# This is the starting port for 7000 + uid and also $find_free_port = 1
+# autoselection:
+#
+my $starting_port = 7000;
+##########################################################################
 # Port redirection mode:
 #
-# This is to allow port redirection mode: username@host:port If username
+# This is to enable port redirection mode: username@host:port. If
-# is valid, there will be a port redirection to internal machine
+# username is valid, there will be a port redirection to internal machine
 # host:port.  Presumably there is already an SSL enabled and password
-# protected VNC server running there.  We don't start that server.
+# protected VNC server running there.  We don't start that VNC server.
+# (You might be able to figure out a way to do this yourself.)
+#
 # See the next setting for an allowed hosts file.  The default for port
 # redirection is off.
 #
@@ -108,23 +290,60 @@ my $enable_port_redirection = 0;
 my $port_redirection_allowed_hosts = '';
+##########################################################################
+# Allowed users:
+#
+# To limit which users can use this service, set the following to a file
+# that contains the allowed user names one per line.  Lines starting with
+# the '#' character are skipped.
+#
+my $allowed_users_file = '';
+##########################################################################
+# Denied users:
+#
+# As with $allowed_users_file, but to deny certain users.  Applied after
+# any $allowed_users_file check and overrides the result.
+#
+my $denied_users_file = '';
+##########################################################################
+# trustUrlVncCert applet parameter:
+#
 # Set to 0 to have the java applet html set the parameter
-# trustUrlVncCert=no, i.e. the applet will not automatically accept an
+# trustUrlVncCert=no, i.e. the applet will not automatically accept
-# SSL cert already accepted by an HTTPS URL.  See print_applet_html()
+# an SSL cert already accepted by an HTTPS URL.  See $applet_html and
-# below for more info.
+# print_applet_html() below for more info.
 #
 my $trustUrlVncCert = 1;
+##########################################################################
+# One-time VNC password fifo:
+#
+# For extra security against local untrusted users a fifo is used
+# to copy the one-time VNC password to the user's VNC password file
+# ~user/x11vnc.pw.  If that fifo transfer technique causes problems,
+# you can set this value to 1 to disable the security feature:
+#
+my $disable_vnc_passwd_fifo_safety = 0;
+##########################################################################
 # Comment this out if you don't want PATH modified:
 #
-$ENV{PATH} = "/usr/bin:bin:$ENV{PATH}";
+$ENV{PATH} = "/usr/bin:/bin:$ENV{PATH}";
+##########################################################################
 # For the next two settings, note that most users will be confused that
 # geometry and session are ignored when they are returning to their
 # existing desktop session (x11vnc FINDDISPLAY action.)
+##########################################################################
 # Used below if user did not specify preferred geometry and color depth:
 #
 my $default_geometry = '1024x768x24';
@@ -139,6 +358,7 @@ my $session_types = '';
 #$session_types = 'gnome kde xfce lxde wmaker enlightenment mwm twm failsafe'; 
+##########################################################################
 # Set this to 1 to enable user setting a unique tag for each one
 # of his desktops and so can have multiple ones simultaneously and
 # select which one he wants.  For now we just hack this onto geometry
@@ -148,37 +368,125 @@ my $session_types = '';
 my $enable_unique_tags = 0;
 my $unique_tag = '';
-# You can set some extra x11vnc cmdline options here:
+##########################################################################
+# String of HTML for the login form:
 #
-my $x11vnc_extra_opts = '';
+# Feel free to customize to your taste, _USERNAME_ and _GEOMETRY_ are
+# expanded to that of the request.
+#
+my $login_str = <<"END";
+<title>x11vnc web access</title>
+<h3>x11vnc web access</h3>
+<form action="$ENV{REQUEST_URI}" method="post">
+ <table border="0">
+  <tr><td colspan=2><h2>Login</h2></td></tr>
+  <tr><td>Username:</td><td>
+  <input type="text" name="username" maxlength="40" value="_USERNAME_">
+  </td></tr>
+  <tr><td>Password:</td><td>
+  <input type="password" name="password" maxlength="50">
+  </td></tr>
+  <tr><td>Geometry:</td><td>
+  <input type="text" name="geometry" maxlength="40" value="_GEOMETRY_">
+  </td></tr>
+  <!-- session -->
+  <tr><td colspan="2" align="right">
+  <input type="submit" name="submit" value="Login">
+  </td></tr>
+ </table>
+</form>
+END
-# Path to x11vnc program:
+##########################################################################
+# String of HTML returned to web browser to launch applet:
 #
-my $x11vnc = '/usr/bin/x11vnc';
+# Feel free to customize to your taste, _UID_, _VNC_PORT_, _WIDTH_,
+# _HEIGHT_, _PASS_, _TRUST_UVC_, _APPLET_JAR_, and _APPLET_CLASS_ are
+# expanded to the appropriate values before sending out to the browser.
+#
+my $applet_html = <<"END";
+<html>
+<TITLE>
+x11vnc desktop (_UID_/_VNC_PORT_)
+</TITLE>
+<APPLET CODE=_APPLET_CLASS_ ARCHIVE=_APPLET_JAR_ WIDTH=_WIDTH_ HEIGHT=_HEIGHT_>
+<param name=PORT value=_VNC_PORT_>
+<param name=VNCSERVERPORT value=_VNC_PORT_>
+<param name=PASSWORD value=_PASS_>
+<param name=trustUrlVncCert value=_TRUST_UVC_>
+<param name="Open New Window" value=yes>
+<param name="Offer Relogin" value=no>
+<param name="ignoreMSLogonCheck" value=yes>
+<param name="delayAuthPanel" value=yes>
+<!-- extra -->
+</APPLET>
+<br>
+<a href="$ENV{REQUEST_URI}">Login page</a><br>
+<a href=http://www.karlrunge.com/x11vnc>x11vnc website</a>
+</html>
+END
-if (`uname -n` =~ /haystack/) {
-	# for my testing:
+##########################################################################
-	if (-f "/home/runge/dtcgi.test") {
+# These java applet strings are expanded into the above $applet_html.
-		eval `cat /home/runge/dtcgi.test`;
+# Note that $applet_jar is relative to your apache DocumentRoot (htdocs)
-	}
+# not the filesystem root. 
+#
+my $applet_jar = '/UltraViewerSSL.jar';
+my $applet_class = 'VncViewer.class';
+# These make the applet panel smaller because we use 'Open New Window'
+# anyway (set to 'W' or 'H' to use actual session geometry values):
+#
+my $applet_width  = '400';
+my $applet_height = '300';
+# To customize ALL of the HTML printed out you may need to redefine
+# the bye() subtroutine in your desktop.cgi.conf file. 
+##########################################################################
+# Override any of the above settings by setting them in a file named
+# 'desktop.cgi.conf'.  It is sourced here.
+#
+# You can override any variable set above by supplying perl code
+# in $0.conf that sets it to the desired value.
+#
+# Some examples you could put in $0.conf:
+#
+#   $x11vnc = '/usr/local/bin/x11vnc';
+#   $x11vnc_extra_opts = '-env FD_PROG=/usr/bin/xclock';
+#   $x11vnc_extra_opts = '-ssl /usr/local/etc/dtcgi.pem';
+#   $find_free_port = 'fixed:5999';
+#   $enable_port_redirection = 1;
+#   $allowed_users_file = '/usr/local/etc/dtcgi.allowed';
+#
+if (-f "$0.conf") {
+	eval `cat "$0.conf"`;
 }
-# http header:
+##########################################################################
+# END OF MAIN USER SETTINGS.
+# Only power users should change anything below.
+##########################################################################
+# Print http header reply:
 #
 print STDOUT "Content-Type: text/html\r\n\r\n";
 # Require HTTPS so that unix and vnc passwords are not sent in clear text
-# (perhaps it is too late...)  Disable HTTPS at your own risk.
+# (perhaps it is too late...)  Disable HTTPS here at your own risk.
 #
 if ($ENV{HTTPS} !~ /^on$/i) {
 	bye("HTTPS must be used (to encrypt passwords)");
 }
-# Read request:
+# Read URL request:
 #
 my $request;
 if ($ENV{'REQUEST_METHOD'} eq "POST") {
@@ -192,7 +500,8 @@ if ($ENV{'REQUEST_METHOD'} eq "POST") {
 my %request = url_decode(split(/[&=]/, $request));
-# Experiment for FD_TAG x11vnc feature for multiple desktops:
+# Experiment for FD_TAG x11vnc feature for multiple desktops for a
+# single user:
 #
 # we hide it in geometry:tag for now:
 #
@@ -212,30 +521,28 @@ if (!exists $request{session} || $request{session} =~ /^\s*$/) {
 }
-# String for the login form:
+# Expand _USERNAME_ and _GEOMETRY_ in the login string HTML:
 #
-my $login_str = <<"END";
+$login_str =~ s/_USERNAME_/$request{username}/g;
-<title>x11vnc web access</title>
+$login_str =~ s/_GEOMETRY_/$request{geometry}/g;
-<h3>x11vnc web access</h3>
-<form action="$ENV{REQUEST_URI}" method="post">
- <table border="0">
+# Check x11vnc version for installers of this script who do not know
-  <tr><td colspan=2><h2>Login</h2></td></tr>
+# how to read and follow instructions:
-  <tr><td>Username:</td><td>
+#
-  <input type="text" name="username" maxlength="40" value="$request{username}">
+my $version = (split(' ', `$x11vnc -version`))[1];
-  </td></tr>
+$version =~ s/\D*$//;
-  <tr><td>Password:</td><td>
-  <input type="password" name="password" maxlength="50">
+my ($major, $minor, $micro) = split(/\./, $version);
-  </td></tr>
+if ($major !~ /^\d+$/ || $minor !~ /^\d+$/) {
-  <tr><td>Geometry:</td><td>
+	bye("The x11vnc program is not installed correctly.");
-  <input type="text" name="geometry" maxlength="40" value="$request{geometry}">
+}
-  </td></tr>
+$micro = 0 unless $micro;
-  <!-- session -->
+my $level  = $major * 100 * 100 + $minor * 100 + $micro;
-  <tr><td colspan="2" align="right">
+my $needed =      0 * 100 * 100 +      9 * 100 +     10;
-  <input type="submit" name="submit" value="Login">
+if ($level < $needed) {
-  </td></tr>
+	bye("x11vnc version 0.9.10 or later is required. (Found version $version)");
- </table>
+}
-</form>
-END
 # Set up user selected desktop session list, if enabled:
@@ -301,6 +608,49 @@ if ($enable_port_redirection) {
 	}
 }
+# If there is an $allowed_users_file, check username against it:
+#
+if ($allowed_users_file ne '') {
+	if (! open(USERS, "<$allowed_users_file")) {
+		bye("Internal Error #0");
+	}
+	my $ok = 0;
+	while (<USERS>) {
+		chomp;
+		$_ =~ s/^\s*//;
+		$_ =~ s/\s*$//;
+		next if /^#/;
+		if ($username eq $_) {
+			$ok = 1;
+		}
+	}
+	close USERS;
+	if (! $ok) {
+		bye("Denied Username.<p>$login_str");
+	}
+}
+# If there is a $denied_users_file, check username against it:
+#
+if ($denied_users_file ne '') {
+	if (! open(USERS, "<$denied_users_file")) {
+		bye("Internal Error #0");
+	}
+	my $ok = 1;
+	while (<USERS>) {
+		chomp;
+		$_ =~ s/^\s*//;
+		$_ =~ s/\s*$//;
+		next if /^#/;
+		if ($username eq $_) {
+			$ok = 0;
+		}
+	}
+	close USERS;
+	if (! $ok) {
+		bye("Denied Username.<p>$login_str");
+	}
+}
 # Require username to be alphanumeric + '-' + '_':
 # (one may want to add '.' as well)
@@ -321,6 +671,7 @@ if ($? != 0 || $uid !~ /^\d+$/) {
 # Use x11vnc trick to check if the unix password is valid:
+# (requires x11vnc 0.9.10 or later.)
 #
 if (!open(X11VNC, "| $x11vnc -unixpw \%stdin > /dev/null")) {
 	bye("Internal Error #1");
@@ -346,7 +697,7 @@ my $fixed_port = 0;
 if (! $find_free_port) {
 	# Fixed port based on userid (we assume it is free):
 	#
-	$vnc_port = 7000 + $uid;
+	$vnc_port = $starting_port + $uid;
 } elsif ($find_free_port =~ /^fixed:(\d+)$/) {
 	#
@@ -391,7 +742,7 @@ for (my $i = 0; $i < 8; $i++) {
 # Use x11vnc trick to switch to user and store vnc pass in the passwdfile.
 # Result is $pass is placed in user's $HOME/x11vnc.pw
 #
-# (This is actually difficult to do without untrusted local users being
+# (This is actually difficult to do without untrusted LOCAL users being
 # able to see the pass as well, see copy_password_to_user() for details
 # on how we try to avoid this.)
 #
@@ -430,6 +781,7 @@ if (!open(TMP, ">$tmpfile")) {
 # and -sslonly disables VeNCrypt SSL connections.
 # Some settings:
+# (change these if you encounter timing problems, etc.)
 #
 my $timeout = 75;
 my $extra = '';
@@ -438,6 +790,8 @@ if ($fixed_port) {
 	$timeout = 45;
 	$extra .= " -loopbg100,1";
 }
+$timeout = $x11vnc_timeout if $x11vnc_timeout ne '';
 if ($session_types ne '') {
 	# settings for session selection case:
 	if (exists $sessions{$session}) {
@@ -474,7 +828,7 @@ if ($? == 0) {
 	unlink $md5;
 }
-# write x11vnc command to the tmp file:
+# Write x11vnc command to the tmp file:
 #
 print TMP <<"END";
 #!/bin/sh
@@ -497,6 +851,7 @@ close TMP;
 $ENV{UNIXPW_CMD} = "/bin/sh $tmpfile";
 # For the fixed port scheme we try to cooperate via lock file:
+# (disabled by default.)
 #
 my $rmlock = '';
 #
@@ -593,8 +948,8 @@ sub initialize_random {
 # the end.
 #
 sub auto_select_port {
-	my $pmin = 7000;	# default range.
+	my $pmin = $starting_port;	# default range 7000-8000.
-	my $pmax = 8000;
+	my $pmax = $starting_port + 1000;
 	if ($find_free_port =~ /^(\d+)-(\d+)$/) {
 		# user supplied a range:
@@ -647,7 +1002,7 @@ sub auto_select_port {
 # the user command is run in its own tty.
 #
 # The best way would be a sudo action or a special setuid program for
-# copying.  So consider using that and thereby simplify this function.
+# copying.  So consider doing that and thereby simplify this function.
 #
 # Short of a special program doing this, we use a fifo so ONLY ONE
 # process can read the password.  If the untrusted local user reads it,
@@ -685,6 +1040,12 @@ sub copy_password_to_user {
 		bye("Internal Error #7");
 	}
+	# disable fifo safety if requested:
+	#
+	if ($disable_vnc_passwd_fifo_safety) {
+		$use_fifo = '';
+	}
 	# Make the fifo:
 	#
 	if ($use_fifo) {
@@ -756,7 +1117,6 @@ sub copy_password_to_user {
 	}
 	close X11VNC;	# note we ignore return value.
 	fsleep(0.5);
-	#print STDERR `ls -l $fifo ~$username/x11vnc.pw`;
 	unlink $fifo;
 	# Done!
@@ -854,33 +1214,32 @@ sub lock_fixed_port {
 #
 sub print_applet_html {
 	my ($W, $H, $D) = split(/x/, $geometry);
-	$W = 640;	# make it smaller since we 'Open New Window' below anyway.
-	$H = 480;
+	# make it smaller since we 'Open New Window' below anyway.
+	if ($applet_width ne 'W') {
+		$W = $applet_width;
+	}
+	if ($applet_height ne 'H') {
+		$H = $applet_height;
+	}
 	my $tUVC = ($trustUrlVncCert ? 'yes' : 'no');
-	my $str = <<"END";
-<html>
+	# see $applet_html set in defaults section for more info:
-<TITLE>
+	#
-x11vnc desktop ($uid/$vnc_port)
+	my $str = $applet_html;
-</TITLE>
-<APPLET CODE=VncViewer.class ARCHIVE=/UltraViewerSSL.jar WIDTH=$W HEIGHT=$H>
+	$str =~ s/_UID_/$uid/g;
-<param name=PORT value=$vnc_port>
+	$str =~ s/_VNC_PORT_/$vnc_port/g;
-<param name=VNCSERVERPORT value=$vnc_port>
+	$str =~ s/_WIDTH_/$W/g;
-<param name=PASSWORD value=$pass>
+	$str =~ s/_HEIGHT_/$H/g;
-<param name=trustUrlVncCert value=$tUVC>
+	$str =~ s/_PASS_/$pass/g;
-<param name="Open New Window" value=yes>
+	$str =~ s/_APPLET_JAR_/$applet_jar/g;
-<param name="Offer Relogin" value=no>
+	$str =~ s/_APPLET_CLASS_/$applet_class/g;
-<param name="ignoreMSLogonCheck" value=yes>
+	$str =~ s/_TRUST_UVC_/$tUVC/g;
-<param name="delayAuthPanel" value=yes>
-<!-- extra -->
-</APPLET>
-<br>
-<a href="$ENV{REQUEST_URI}">Login page</a><br>
-<a href=http://www.karlrunge.com/x11vnc>x11vnc website</a>
-</html>
-END
 	if ($enable_port_redirection && $redirect_host ne '') {
-		$str =~ s/name=PASSWORD value=.*>/name=NOT_USED value=yes>/;
+		$str =~ s/name=PASSWORD value=.*>/name=NOT_USED value=yes>/i;
 		#$str =~ s/<!-- extra -->/<!-- extra -->\n<param name="ignoreProxy" value=yes>/;
 	}
@@ -1025,6 +1384,9 @@ sub check_redirect_host {
 # Much of this code is borrowed from 'connect_switch':
 #
+# (it only applies to the vnc redirector $enable_port_redirection mode
+# which is off by default.)
+#
 sub handle_conn {
 	close STDIN;
 	close STDOUT;

--- a/x11vnc/misc/enhanced_tightvnc_viewer/README
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/README
@@ -16,8 +16,8 @@ See these sites and related ones for more information:
        http://www.tightvnc.com
        http://www.realvnc.com
-        http://www.stunnel.org
        http://stunnel.mirt.net
+        http://www.stunnel.org
        http://www.openssl.org
        http://www.chiark.greenend.org.uk/~sgtatham/putty/
 	http://sourceforge.net/projects/cotvnc/
@@ -255,7 +255,7 @@ Unix and Mac OS X:
    Unpack the archive:
-        % gzip -dc ssvnc-1.0.25.tar.gz | tar xvf -
+        % gzip -dc ssvnc-1.0.27.tar.gz | tar xvf -
    Run the GUI:
@@ -263,7 +263,7 @@ Unix and Mac OS X:
        % ./ssvnc/MacOSX/ssvnc             (for Mac OS X)
-    The smaller file "ssvnc_no_windows-1.0.25.tar.gz"
+    The smaller file "ssvnc_no_windows-1.0.27.tar.gz"
    could have been used as well.
    On MacOSX you could also click on the SSVNC app icon in the Finder.
@@ -309,8 +309,8 @@ Unix/MacOSX Install:
    For the conventional source tarball it will compile and install, e.g.:
-       gzip -dc ssvnc-1.0.25.src.tar.gz | tar xvf -
+       gzip -dc ssvnc-1.0.27.src.tar.gz | tar xvf -
-       cd ssvnc-1.0.25
+       cd ssvnc-1.0.27
       make config
       make all
       make PREFIX=/my/install/dir install
@@ -322,7 +322,7 @@ Windows:
    Unzip, using WinZip or a similar utility, the zip file:
-        ssvnc-1.0.25.zip
+        ssvnc-1.0.27.zip
    Run the GUI, e.g.:
@@ -334,7 +334,7 @@ Windows:
    select Open, and then OK to launch it.
-    The smaller file "ssvnc_windows_only-1.0.25.zip"
+    The smaller file "ssvnc_windows_only-1.0.27.zip"
    could have been used as well.
    You can make a Windows shortcut to this program if you want to.
@@ -664,7 +664,7 @@ Untrusted Local Users:
    By 'do not trust' we mean they might try to gain access to remote
    machines you connect to via SSVNC.  Note that an untrusted local
    user can often obtain root access in a short amount of time; if a
-    user has acheived that, then all bets are off for ANYTHING that you
+    user has achieved that, then all bets are off for ANYTHING that you
    do on the workstation.  It is best to get rid of Untrusted Local
    Users as soon as possible.
@@ -680,7 +680,7 @@ Untrusted Local Users:
    If the untrusted local user tries to connect to these ports, he may
    succeed in varying degrees to gain access to the remote machine.
    We now list some safeguards one can put in place to try to make this
-    more difficult to acheive.
+    more difficult to achieve.
    It probably pays to have the VNC server require a password, even
    though there has already been SSL or SSH authentication (via
@@ -747,8 +747,8 @@ See also:
 	http://www.karlrunge.com/x11vnc/faq.html
 	x11vnc -h | more
-	http://www.stunnel.org
 	http://stunnel.mirt.net
+	http://www.stunnel.org
 	http://www.openssl.org
 	http://www.tightvnc.com
        http://www.realvnc.com

--- a/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/Windows/util/connect_br.tcl
@@ -123,6 +123,12 @@ proc bmesg {msg} {
 	label $w.l -width 70 -text "$msg"
 	pack $w.l
 	update
+	if {$env(BMESG) > 1} {
+		for {set i 0} {$i < $env(BMESG)} {incr i} {
+			after 1000
+			update
+		}
+	}
 }
 proc do_connect_http {sock hostport which} {
@@ -165,9 +171,15 @@ proc do_connect_http {sock hostport which} {
 proc do_connect_socks4 {sock hostport which} {
 	global debug cur_proxy
-	set s [split $hostport ":"]
+	set host ""
-	set host [lindex $s 0]
+	set port ""
-	set port [lindex $s 1]
+	if [regexp {^(.*):([0-9][0-9]*)$} $hostport mvar host port] {
+		;
+	} else {
+		puts stderr "could not parse host:port $hostport"
+		destroy .
+		exit 1
+	}
 	set i1 ""
 	set i2 ""
@@ -249,9 +261,15 @@ proc do_connect_socks4 {sock hostport which} {
 proc do_connect_socks5 {sock hostport which} {
 	global debug cur_proxy
-	set s [split $hostport ":"]
+	set host ""
-	set host [lindex $s 0]
+	set port ""
-	set port [lindex $s 1]
+	if [regexp {^(.*):([0-9][0-9]*)$} $hostport mvar host port] {
+		;
+	} else {
+		puts stderr "could not parse host:port $hostport"
+		destroy .
+		exit 1
+	}
 	set p1 [binary format ccc 5 1 0]
 	puts -nonewline $sock $p1
@@ -1058,7 +1076,7 @@ proc proxy_type {proxy} {
 }
 proc proxy_hostport {proxy} {
-	regsub -nocase {^[a-z][a-z]*://} $proxy "" hp
+	regsub -nocase {^[a-z][a-z0-9]*://} $proxy "" hp
 	regsub {\+.*$} $hp "" hp
 	if {! [regexp {:[0-9]} $hp] && [regexp {^repeater:} $proxy]} {
 		set hp "$hp:5900"
@@ -1140,9 +1158,15 @@ if {$do_bridge} {
 	set proxy1_type [proxy_type     $proxy1]
 	set proxy1_hp   [proxy_hostport $proxy1]
-	set s [split $proxy1_hp ":"]
+	set proxy1_host ""
-	set proxy1_host [lindex $s 0]
+	set proxy1_port ""
-	set proxy1_port [lindex $s 1]
+	if [regexp {^(.*):([0-9][0-9]*)$} $proxy1_hp mvar proxy1_host proxy1_port] {
+		;
+	} else {
+		puts stderr "could not parse hp1 host:port $proxy1_hp"
+		destroy .
+		exit 1
+	}
 	set proxy2_type ""
 	set proxy2_host ""
@@ -1151,9 +1175,16 @@ if {$do_bridge} {
 	if {$proxy2 != ""} {
 		set proxy2_type [proxy_type     $proxy2]
 		set proxy2_hp   [proxy_hostport $proxy2]
-		set s [split $proxy2_hp ":"]
-		set proxy2_host [lindex $s 0]
+		set proxy2_host ""
-		set proxy2_port [lindex $s 1]
+		set proxy2_port ""
+		if [regexp {^(.*):([0-9][0-9]*)$} $proxy2_hp mvar proxy2_host proxy2_port] {
+			;
+		} else {
+			puts stderr "could not parse hp2 host:port $proxy2_hp"
+			destroy .
+			exit 1
+		}
 	}
 	set proxy3_type ""
@@ -1163,9 +1194,16 @@ if {$do_bridge} {
 	if {$proxy3 != ""} {
 		set proxy3_type [proxy_type     $proxy3]
 		set proxy3_hp   [proxy_hostport $proxy3]
-		set s [split $proxy3_hp ":"]
-		set proxy3_host [lindex $s 0]
+		set proxy3_host ""
-		set proxy3_port [lindex $s 1]
+		set proxy3_port ""
+		if [regexp {^(.*):([0-9][0-9]*)$} $proxy3_hp mvar proxy3_host proxy3_port] {
+			;
+		} else {
+			puts stderr "could not parse hp3 host:port $proxy3_hp"
+			destroy .
+			exit 1
+		}
 	}
 	bmesg "1: '$proxy1_host' '$proxy1_port' '$proxy1_type'";
@@ -1173,9 +1211,15 @@ if {$do_bridge} {
 	bmesg "3: '$proxy3_host' '$proxy3_port' '$proxy3_type'";
 	if [info exists env(SSVNC_REVERSE)] {
-		set s [split $env(SSVNC_REVERSE) ":"]
+		set rhost ""
-		set rhost [lindex $s 0]
+		set rport ""
-		set rport [lindex $s 1]
+		if [regexp {^(.*):([0-9][0-9]*)$} $env(SSVNC_REVERSE) mvar rhost rport] {
+			;
+		} else {
+			puts stderr "could not parse SSVNC_REVERSE host:port $env(SSVNC_REVERSE)"
+			destroy .
+			exit 1
+		}
 		set rc [catch {set lsock [socket $rhost $rport]}]
 		if {$rc != 0} {
 			puts stderr "error reversing"	

--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ss_vncviewer
@@ -382,7 +382,9 @@ if [ "X$reverse" != "X" ]; then
 			echo "*Warning*: -listen and a single proxy/gateway does not make sense."
 			sleep 2
 		fi
-		SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
+		# we now try to PPROXY_LOOP_THYSELF, set this var to disable that.
+		#SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
 	fi
 fi
 if [ "X$ssh_cmd" = "X" ]; then
@@ -520,12 +522,6 @@ if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
 	fi
 fi
-# (possibly) tell the vncviewer to only listen on lo: 
-if [ "X$reverse" != "X" -a "X$direct_connect" = "X" ]; then
-	VNCVIEWER_LISTEN_LOCALHOST=1
-	export VNCVIEWER_LISTEN_LOCALHOST
-fi
 # rsh mode is an internal/secret thing only I use.
 rsh=""
 if echo "$orig" | grep '^rsh://' > /dev/null; then
@@ -551,11 +547,98 @@ else
 fi
 # extract host and disp number:
-host=`echo "$orig" | awk -F: '{print $1}'`
-disp=`echo "$orig" | awk -F: '{print $2}'`
+# try to see if it is ipv6 address:
+ipv6=0
+if echo "$orig" | grep '\[' > /dev/null; then
+	# ipv6 [fe80::219:dbff:fee5:3f92%eth1]:5900
+	host=`echo "$orig" | sed -e 's/\].*$//' -e 's/\[//'`
+	disp=`echo "$orig" | sed -e 's/^.*\]://'`
+	ipv6=1
+elif echo "$orig" | grep ':..*:' > /dev/null; then
+	# ipv6 fe80::219:dbff:fee5:3f92%eth1:5900
+	host=`echo "$orig" | sed -e 's/:[^:]*$//'`
+	disp=`echo "$orig" | sed -e 's/^.*://'`
+	ipv6=1
+else
+	# regular host:port
+	host=`echo "$orig" | awk -F: '{print $1}'`
+	disp=`echo "$orig" | awk -F: '{print $2}'`
+fi
+if [ "X$reverse" != "X" -a "X$STUNNEL_LISTEN" = "X" -a "X$host" != "X" ]; then
+	STUNNEL_LISTEN=$host
+	echo "set STUNNEL_LISTEN=$STUNNEL_LISTEN"
+fi
 if [ "X$host" = "X" ]; then
 	host=$localhost
 fi
+if [ "X$SSVNC_IPV6" = "X0" ]; then
+	# disable checking for it.
+	ipv6=0
+#elif [ "X$reverse" != "X" -a "X$ipv6" = "X1" ]; then
+#	ipv6=0
+elif [ "X$ipv6" = "X1" ]; then
+	:
+elif echo "$host" | grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' > /dev/null; then
+	:
+else
+	# regular hostname, can't be sure...
+	host "$host" >/dev/null 2>&1
+	host "$host" >/dev/null 2>&1
+	hout=`host "$host" 2>/dev/null`
+	if echo "$hout" | grep -i 'has ipv6 address' > /dev/null; then
+		if echo "$hout" | grep -i 'has address' > /dev/null; then
+			:
+		else
+			echo "ipv6: "`echo "$hout" | grep -i 'has ipv6 address' | head -n 1`
+			ipv6=1
+		fi
+	fi
+	if [ "X$ipv6" = "X0" ]; then
+		dout=`dig -t any "$host" 2>/dev/null`
+		if echo "$dout" | grep -i "^$host" | grep '[ 	]AAAA[ 	]' > /dev/null; then
+			if echo "$dout" | grep -i "^$host" | grep '[ 	]A[ 	]' > /dev/null; then
+				:
+			else
+				echo "ipv6: "`echo "$dout" | grep -i '[ 	]AAAA[ 	]' | head -n 1`
+				ipv6=1
+			fi
+		fi
+	fi
+	if [ "X$ipv6" = "X0" ]; then
+		sout=`env LOOKUP="$host" \
+		      perl -e '	eval {use Socket};  exit 0 if $@;
+				eval {use Socket6}; exit 0 if $@;
+				@res = getaddrinfo($ENV{LOOKUP}, "daytime", AF_UNSPEC, SOCK_STREAM);
+				$ipv4 = 0;
+				$ipv6 = 0;
+				$ip6 = "";
+				while (scalar(@res) >= 5) {
+					($family, $socktype, $proto, $saddr, $canon, @res) = @res;
+					$ipv4 = 1 if $family == AF_INET;
+					$ipv6 = 1 if $family == AF_INET6;
+					if ($family == AF_INET6 && $ip6 eq "") {
+						my ($host, $port) = getnameinfo($saddr, NI_NUMERICHOST | NI_NUMERICSERV);
+						$ip6 = $host;
+					}
+				}
+				if (! $ipv4 && $ipv6) {
+					print "AF_INET6_ONLY: $ENV{LOOKUP}: $ip6\n";
+				}
+				exit 0;
+			' 2>/dev/null`
+		if echo "$sout" | grep AF_INET6_ONLY > /dev/null; then
+			echo "$sout"
+			ipv6=1
+		fi
+	fi
+fi
+if [ "X$ipv6" = "X1" ]; then
+	echo "ipv6: addr=$host disp=$disp"
+fi
 if [ "X$disp" = "X" ]; then
 	port=""	# probably -listen mode.
 elif [ $disp -lt 0 ]; then
@@ -573,6 +656,21 @@ else
 	port=$disp
 fi
+if [ "X$ipv6" = "X1" -a "X$direct_connect" = "X1" ]; then
+	if [ "X$proxy" = "X" -a "X$reverse" = "X" ]; then
+		proxy="ipv6://$host:$port"
+		echo "direct connect: set proxy=$proxy"
+	fi
+fi
+# (possibly) tell the vncviewer to only listen on lo: 
+if [ "X$reverse" != "X" ]; then
+	if [ "X$direct_connect" = "X" -o "X$proxy" != "X" -o "X$STUNNEL_LISTEN" != "X" ]; then
+		VNCVIEWER_LISTEN_LOCALHOST=1
+		export VNCVIEWER_LISTEN_LOCALHOST
+	fi
+fi
 # try to find an open listening port via netstat(1):
 inuse=""
 if uname | grep Linux > /dev/null; then
@@ -787,6 +885,60 @@ pcode() {
 use IO::Socket::INET;
+my $have_inet6 = "";
+eval "use IO::Socket::INET6;";
+$have_inet6 = 1 if $@ eq "";
+#my $have_sock6 = "";
+#eval "use Socket; use Socket6;";
+#$have_sock6 = 1 if $@ eq "";
+if (exists $ENV{PPROXY_LOOP_THYSELF}) {
+	# used for reverse vnc, run a repeating outer loop.
+	print STDERR "PPROXY_LOOP: $ENV{PPROXY_LOOP_THYSELF}\n";
+	my $rm = $ENV{PPROXY_REMOVE};
+	my $lp = $ENV{PPROXY_LOOP_THYSELF};
+	delete $ENV{PPROXY_REMOVE};
+	delete $ENV{PPROXY_LOOP_THYSELF};
+	$ENV{PPROXY_LOOP_THYSELF_MASTER} = $$;
+	my $pid = $$;
+	my $dbg = 0;
+	my $c = 0;
+	use POSIX ":sys_wait_h";
+	while (1) {
+		$pid = fork();
+		last if ! defined $pid;
+		if ($pid eq "0") {
+			last;
+		}
+		$c++;
+		print STDERR "\nPPROXY_LOOP: pid=$$ child=$pid count=$c\n";
+		while (1) {
+			waitpid(-1, WNOHANG);
+			fsleep(0.25);
+			if (! kill 0, $pid) {
+				print STDERR "PPROXY_LOOP: child=$pid gone.\n";
+				last;
+			}
+			print STDERR "PPROXY_LOOP: child=$pid alive.\n" if $dbg;
+			if (! -f $lp) {
+				print STDERR "PPROXY_LOOP: flag file $lp gone, killing $pid\n";
+				kill TERM, $pid;
+				fsleep(0.1);
+				wait;
+				last;
+			}
+			print STDERR "PPROXY_LOOP: file exists $lp\n" if $dbg;
+		}
+		last if ! -f $lp;
+		fsleep(0.25);
+	}
+	if ($pid ne "0") {
+		unlink($0) if $rm;
+		exit 0;
+	}
+}
 if (exists $ENV{PPROXY_SLEEP} && $ENV{PPROXY_SLEEP} > 0) {
 	print STDERR "PPROXY_PID: $$\n";
 	sleep $ENV{PPROXY_SLEEP};
@@ -835,7 +987,7 @@ if (exists $ENV{SSVNC_PREDIGESTED_HANDSHAKE})  {
 }
 my $have_gettimeofday = 0;
-eval "use Time::HiRes";
+eval "use Time::HiRes;";
 if ($@ eq "") {
 	$have_gettimeofday = 1;
 }
@@ -862,7 +1014,11 @@ my ($mode_1st, $mode_2nd, $mode_3rd) = ("", "", "");
 ($first, $mode_1st) = url_parse($first);
-my ($proxy_host, $proxy_port) = split(/:/, $first);
+my ($proxy_host, $proxy_port) = ($first, "");
+if ($proxy_host =~ /^(.*):(\d+)$/) {
+	$proxy_host = $1;
+	$proxy_port = $2;
+}
 my $connect = $ENV{PPROXY_DEST};
 if ($second ne "") {
@@ -875,13 +1031,15 @@ if ($third ne "") {
 print STDERR "\n";
-print STDERR "PPROXY v0.3: a tool for Web, SOCKS, and UltraVNC proxies and VeNCrypt bridging.\n";
+print STDERR "PPROXY v0.4: a tool for Web, SOCKS, and UltraVNC proxies and for\n";
+print STDERR "PPROXY v0.4: IPv6 and VNC VeNCrypt bridging.\n";
 print STDERR "proxy_host:       $proxy_host\n";
 print STDERR "proxy_port:       $proxy_port\n";
 print STDERR "proxy_connect:    $connect\n";
 print STDERR "pproxy_params:    $ENV{PPROXY_PROXY}\n";
 print STDERR "pproxy_listen:    $ENV{PPROXY_LISTEN}\n";
 print STDERR "pproxy_reverse:   $ENV{PPROXY_REVERSE}\n";
+print STDERR "io_socket_inet6:  $have_inet6\n";
 print STDERR "\n";
 if (1) {
 	print STDERR "pproxy 1st: $first\t- $mode_1st\n";
@@ -897,15 +1055,29 @@ sub pdie {
 }
 if ($ENV{PPROXY_REVERSE} ne "") {
-	my ($rhost, $rport) = split(/:/, $ENV{PPROXY_REVERSE});
+	my ($rhost, $rport) = ($ENV{PPROXY_REVERSE}, "");
+	if ($rhost =~ /^(.*):(\d+)$/) {
+		$rhost = $1;
+		$rport = $2;
+	}
 	$rport = 5900 unless $rport;
+	my $emsg = "";
 	$listen_handle = IO::Socket::INET->new(
 		PeerAddr => $rhost,
 		PeerPort => $rport,
 		Proto => "tcp"
 	);
+	$emsg = $!;
+	if (! $listen_handle && $have_inet6) {
+		eval {$listen_handle = IO::Socket::INET6->new(
+			PeerAddr => $rhost,
+			PeerPort => $rport,
+			Proto => "tcp"
+		);};
+		$emsg .= " / $!";
+	}
 	if (! $listen_handle) {
-		pdie "pproxy: $! -- PPROXY_REVERSE\n";
+		pdie "pproxy: $emsg -- PPROXY_REVERSE\n";
 	}
 	print STDERR "PPROXY_REVERSE: connected to $rhost $rport\n";
@@ -914,27 +1086,75 @@ if ($ENV{PPROXY_REVERSE} ne "") {
 	my $maxtry = 12;
 	my $sleep = 5;
 	my $p2 = "";
+	my $emsg = "";
 	for (my $i=0; $i < $maxtry; $i++)  {
-		if ($ENV{PPROXY_LISTEN} =~ /^INADDR_ANY:(.*)/) {
+		my ($if, $p) = ("", $ENV{PPROXY_LISTEN});
-			my $p = $1;
+		if ($p =~ /^(.*):(\d+)$/) {
+			$if = $1;
+			$p = $2;
+		}
 		$p2 = "*:$p";
+		if ($if eq "") {
+			$if = "localhost";
+		}
+		print STDERR "pproxy interface: $if\n";
+		$emsg = "";
+		if (($if eq "INADDR_ANY6" || $if eq "::") && $have_inet6) {
+			eval {$listen_sock = IO::Socket::INET6->new(
+				Listen    => 2,
+				ReuseAddr => 1,
+				Domain    => AF_INET6,
+				LocalAddr => "::",
+				LocalPort => $p,
+				Proto     => "tcp"
+			);};
+			$p2 = ":::$p";
+		} elsif ($if =~ /^INADDR_ANY/) {
 			$listen_sock = IO::Socket::INET->new(
 				Listen    => 2,
+				ReuseAddr => 1,
 				LocalPort => $p,
 				Proto     => "tcp"
 			);
+		} elsif (($if eq "INADDR_LOOPBACK6" || $if eq "::1") && $have_inet6) {
+			$p2 = "::1:$p";
+			eval {$listen_sock = IO::Socket::INET6->new(
+				Listen    => 2,
+				ReuseAddr => 1,
+				Domain    => AF_INET6,
+				LocalAddr => "::1",
+				LocalPort => $p,
+				Proto     => "tcp"
+			);};
+			$p2 = "::1:$p";
 		} else {
-			$p2 = "localhost:$ENV{PPROXY_LISTEN}";
+			$p2 = "$if:$p";
 			$listen_sock = IO::Socket::INET->new(
 				Listen    => 2,
-				LocalAddr => "127.0.0.1",
+				ReuseAddr => 1,
-				LocalPort => $ENV{PPROXY_LISTEN},
+				LocalAddr => $if,
+				LocalPort => $p,
 				Proto     => "tcp"
 			);
+			$emsg = $!;
+			if (! $listen_sock && $have_inet6) {
+				print STDERR "PPROXY_LISTEN: retry with INET6\n";
+				eval {$listen_sock = IO::Socket::INET6->new(
+					Listen    => 2,
+					ReuseAddr => 1,
+					Domain    => AF_INET6,
+					LocalAddr => $if,
+					LocalPort => $p,
+					Proto     => "tcp"
+				);};
+				$emsg .= " / $!";
+			}
 		}
 		if (! $listen_sock) {
 			if ($i < $maxtry - 1) {
-				warn "pproxy: $!\n";
+				warn "pproxy: $emsg $!\n";
 				warn "Could not listen on port $p2, retrying in $sleep seconds... (Ctrl-C to quit)\n";
 				sleep $sleep;
 			}
@@ -943,7 +1163,7 @@ if ($ENV{PPROXY_REVERSE} ne "") {
 		}
 	}
 	if (! $listen_sock) {
-		pdie "pproxy: $! -- PPROXY_LISTEN\n";
+		pdie "pproxy: $emsg -- PPROXY_LISTEN\n";
 	}
 	print STDERR "pproxy: listening on $p2\n";
 	my $ip;
@@ -953,6 +1173,24 @@ if ($ENV{PPROXY_REVERSE} ne "") {
 	if (! $listen_handle) {
 		pdie "pproxy: $err\n";
 	}
+	if ($ENV{PPROXY_LOOP_THYSELF_MASTER}) {
+		my $sml = $ENV{SSVNC_MULTIPLE_LISTEN}; 
+		if ($sml ne "" && $sml ne "0") {
+			setpgrp(0, 0);
+			if (fork()) {
+				close $viewer_sock;
+				wait;
+				exit 0;
+			}
+			if (fork()) {
+				close $viewer_sock;
+				exit 0;
+			}
+			setpgrp(0, 0);
+			$parent = $$;
+		}
+	}
 }
 $sock = IO::Socket::INET->new(
@@ -961,15 +1199,27 @@ $sock = IO::Socket::INET->new(
 	Proto => "tcp"
 );
+my $err = "";
+if (! $sock && $have_inet6) {
+	$err = $!;
+	eval {$sock = IO::Socket::INET6->new(
+		PeerAddr => $proxy_host,
+		PeerPort => $proxy_port,
+		Proto => "tcp"
+	);};
+	$err .= " / $!";
+}
 if (! $sock) {
-	my $err = $!;
 	unlink($0) if $ENV{PPROXY_REMOVE};
 	pdie "pproxy: $err\n";
 }
 unlink($0) if $ENV{PPROXY_REMOVE};
-if ($ENV{PPROXY_PROXY} =~ /^vencrypt:/ && $ENV{PPROXY_LISTEN} =~ /^INADDR_ANY:/) {
+if ($ENV{PPROXY_PROXY} =~ /^vencrypt:/ && $ENV{PPROXY_VENCRYPT_REVERSE}) {
 	print STDERR "\nPPROXY: vencrypt+reverse: swapping listen socket with connect socket.\n";
 	my $tmp_swap = $sock;
 	$sock = $listen_handle;
@@ -1116,6 +1366,10 @@ xfer_both();
 exit;
+sub fsleep {
+	select(undef, undef, undef, shift);
+}
 sub url_parse {
 	my $hostport = shift;
 	my $mode = "http";
@@ -1128,11 +1382,14 @@ sub url_parse {
 	} elsif ($hostport =~ m,^https?://(\S*)$,i) {
 		$mode = "http";
 		$hostport = $1;
+	} elsif ($hostport =~ m,^ipv6://(\S*)$,i) {
+		$mode = "ipv6";
+		$hostport = $1;
 	} elsif ($hostport =~ m,^repeater://(\S*)\+(\S*)$,i) {
 		# ultravnc repeater proxy.
 		$hostport = $1;
 		$mode = "repeater:$2";
-		if ($hostport !~ /:\d+/) {
+		if ($hostport !~ /:\d+$/) {
 			$hostport .= ":5900";
 		}
 	} elsif ($hostport =~ m,^vencrypt://(\S*)$,i) {
@@ -1144,7 +1401,7 @@ sub url_parse {
 			$mode = $2;
 		}
 		$mode = "vencrypt:$m";
-		if ($hostport !~ /:\d+/) {
+		if ($hostport !~ /:\d+$/) {
 			$hostport .= ":5900";
 		}
 	}
@@ -1161,6 +1418,8 @@ sub setmode {
 		} else {
 			$ENV{PPROXY_SOCKS} = 1;
 		}
+	} elsif ($mode =~ /^ipv6/i) {
+		$ENV{PPROXY_SOCKS} = 0;
 	} elsif ($mode =~ /^repeater:(.*)/) {
 		$ENV{PPROXY_REPEATER} = $1;
 		$ENV{PPROXY_SOCKS} = "";
@@ -1180,7 +1439,11 @@ sub connection {
 	if ($ENV{PPROXY_SOCKS} eq "5") {
 		# SOCKS5
-		my ($h, $p) = split(/:/, $CONNECT);
+		my ($h, $p) = ($CONNECT, "");
+		if ($h =~ /^(.*):(\d+)$/) {
+			$h = $1;
+			$p = $2;
+		}
 		$con .= pack("C", 0x05);
 		$con .= pack("C", 0x01);
 		$con .= pack("C", 0x00);
@@ -1242,9 +1505,13 @@ sub connection {
 			exit(1);
 		}
-	} elsif ($ENV{PPROXY_SOCKS} ne "") {
+	} elsif ($ENV{PPROXY_SOCKS} eq "1") {
 		# SOCKS4 SOCKS4a
-		my ($h, $p) = split(/:/, $CONNECT);
+		my ($h, $p) = ($CONNECT, "");
+		if ($h =~ /^(.*):(\d+)$/) {
+			$h = $1;
+			$p = $2;
+		}
 		$con .= pack("C", 0x04);
 		$con .= pack("C", 0x01);
 		$con .= pack("n", $p);
@@ -1296,6 +1563,9 @@ sub connection {
 			close $sock;
 			exit(1);
 		}
+	} elsif ($ENV{PPROXY_SOCKS} eq "0") {
+		# hack for ipv6 "proxy", nothing to do, assume INET6 call worked.
+		;
 	} elsif ($ENV{PPROXY_REPEATER} ne "") {
 		my $rep = $ENV{PPROXY_REPEATER};
 		print STDERR "repeater: $rep\n";
@@ -1582,6 +1852,7 @@ sub do_vencrypt_viewer_bridge {
 	for (my $i=0; $i < $maxtry; $i++)  {
 		$listen_sock = IO::Socket::INET->new(
 			Listen    => 2,
+			ReuseAddr => 1,
 			LocalAddr => "127.0.0.1",
 			LocalPort => $listen,
 			Proto     => "tcp"
@@ -1606,6 +1877,23 @@ sub do_vencrypt_viewer_bridge {
 	if (! $viewer_sock) {
 		die "pproxy: vencrypt_viewer_bridge[$$]: $err\n";
 	}
+	if ($ENV{PPROXY_LOOP_THYSELF_MASTER}) {
+		my $sml = $ENV{SSVNC_MULTIPLE_LISTEN}; 
+		if ($sml ne "" && $sml ne "0") {
+			setpgrp(0, 0);
+			if (fork()) {
+				close $viewer_sock;
+				wait;
+				exit 0;
+			}
+			if (fork()) {
+				close $viewer_sock;
+				exit 0;
+			}
+			setpgrp(0, 0);
+			$parent = $$;
+		}
+	}
 	print STDERR "vencrypt_viewer_bridge[$$]: viewer_sock $viewer_sock\n" if $db;
 	print STDERR "pproxy: vencrypt_viewer_bridge[$$]: connecting to 127.0.0.1:$connect\n";
@@ -2055,13 +2343,18 @@ NHAFL_warning() {
 	echo "** Warning: you to manually remove a key from ~/.ssh/known_hosts.)"
 	echo "** Warning: "
 	echo "** Warning: This decreases security: a Man-In-The-Middle attack is possible."
+	echo "** Warning: For chained ssh connections the first ssh leg is secure but the"
+	echo "** Warning: 2nd ssh leg is vulnerable.  For an ssh connection going through"
+	echo "** Warning: a HTTP or SOCKS proxy the ssh connection is vulnerable."
+	echo "** Warning: "
 	echo "** Warning: You can set the SSVNC_SSH_LOCALHOST_AUTH=1 env. var. to disable" 
-	echo "** Warning: using the NoHostAuthenticationForLocalhost ssh option." 
+	echo "** Warning: using the NoHostAuthenticationForLocalhost=yes ssh option." 
 	echo "** Warning: "
 	echo "** Warning: A better solution is to configure (in the SSVNC GUI) the setting:"
 	echo "** Warning: 'Options -> Advanced -> Private SSH KnownHosts file' (or set" 
 	echo "** Warning: SSVNC_KNOWN_HOSTS_FILE directly) to a per-connection known hosts" 
-	echo "** Warning: file.  This yields a both secure and convenient solution." 
+	echo "** Warning: file.  That file holds the 'localhost' cert for this specific" 
+	echo "** Warning: connection.  This yields a both secure and convenient solution." 
 	echo "" 
 }
@@ -2243,6 +2536,7 @@ if [ "X$use_ssh" = "X1" ]; then
 		nd=`findfree 6600`
 		PPROXY_LISTEN=$nd; export PPROXY_LISTEN
+		# XXX no reverse forever PPROXY_LOOP_THYSELF ...
 		$ptmp &
 		sleep 1
 		if [ "X$ssh_NHAFL" != "X" -a "X$did_ssh_NHAFL" != "X1" ]; then
@@ -2633,6 +2927,16 @@ if [ "X$crl" != "X" ]; then
 	fi
 fi
+if [ "X$showcert" = "X1" ]; then
+	if [ "X$ipv6" = "X1" -a "X$proxy" = "X" ]; then
+		proxy="ipv6://$host:$port"
+	fi
+fi
+if [ "X$direct_connect" != "X" -a "X$STUNNEL_LISTEN" != "X" ]; then
+	proxy=reverse_direct
+fi
 ptmp=""
 if [ "X$proxy" != "X" ]; then
 	ptmp="/tmp/ss_vncviewer${RANDOM}.$$.pl"
@@ -2840,10 +3144,23 @@ if [ "X$direct_connect" != "X" ]; then
 		if [ "X$reverse" = "X" ]; then
 			PPROXY_LISTEN=$use
 			export PPROXY_LISTEN
+		else
+			if [ "X$proxy" = "Xreverse_direct" ]; then
+				PPROXY_LISTEN="$STUNNEL_LISTEN:`expr 5500 + $disp`"
+				PPROXY_DEST="$localhost:$use"
+				PPROXY_PROXY="ipv6://$localhost:$use"	# not always ipv6..
+				export PPROXY_LISTEN PPROXY_DEST PPROXY_PROXY
+				pps=1
 			else
 				PPROXY_REVERSE="$localhost:$use"
-			export PPROXY_REVERSE
+				export PPROXY_LISTEN
 				pps=3
+			fi
+			if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
+				PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself.${RANDOM}.$$"`
+				export PPROXY_LOOP_THYSELF
+				pps=2
+			fi
 			if [ "X$SSVNC_EXTRA_SLEEP" != "X" ]; then
 				pps=`expr $pps + $SSVNC_EXTRA_SLEEP`
 			fi
@@ -2904,10 +3221,13 @@ if [ "X$direct_connect" != "X" ]; then
 		echo ""
 		trap "final" 0 2 15
 		if [ "X$SSVNC_ULTRA_DSM" != "X" ]; then
+			if [ "X$SSVNC_LISTEN_ONCE" = "X1" ]; then
 				echo "NOTE: The ultravnc_dsm_helper only runs once.  So after the first LISTEN"
-			echo "      ends, you may have to Press Ctrl-C and restart for another connection."
+				echo "      ends you must restart the Listening mode.  You may also need to"
+				echo "      Press Ctrl-C to stop the viewer and restart for another connection."
 				echo ""
-			SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
+			fi
+			#SSVNC_LISTEN_ONCE=1; export SSVNC_LISTEN_ONCE
 			VNCVIEWER_LISTEN_LOCALHOST=1
 			export VNCVIEWER_LISTEN_LOCALHOST
 			dport=`expr 5500 + $disp`
@@ -2917,8 +3237,13 @@ if [ "X$direct_connect" != "X" ]; then
 			echo
 			echo "$ustr &"
 			echo
+			if [ "X$SSVNC_LISTEN_ONCE" = "X1" ]; then
 				$cmd &
 				dsm_pid=$!
+			else
+				while [ 1 ]; do $cmd; sleep 1; done &
+				dsm_pid=$!
+			fi
 			sleep 2
 			disp=$use
 			if [ $disp -ge 5500 ]; then
@@ -2935,6 +3260,9 @@ if [ "X$direct_connect" != "X" ]; then
 		echo "$VNCVIEWERCMD" "$@" -listen $disp2
 		echo ""
 		$VNCVIEWERCMD "$@" -listen $disp2
+		if [ "X$PPROXY_LOOP_THYSELF" != "X" ]; then
+			rm -f $PPROXY_LOOP_THYSELF
+		fi
 	fi
 	exit $?
 fi
@@ -2998,6 +3326,8 @@ else
 	hloc=""
 	if [ "X$use_ssh" = "X1" ]; then
 		hloc="$localhost:"
+	elif [ "X$STUNNEL_LISTEN" != "X" ]; then
+		hloc="$STUNNEL_LISTEN:"
 	fi
 	if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then
 		hloc="$localhost:"
@@ -3127,7 +3457,12 @@ else
 		if echo "$proxy" | grep -i '^vencrypt:' > /dev/null; then
 			pstunnel=`echo "$proxy" | awk -F: '{print $2}'`
 			plisten=`echo "$proxy" | awk -F: '{print $3}'`
-			PPROXY_LISTEN="INADDR_ANY:$plisten"; export PPROXY_LISTEN
+			IF=INADDR_ANY
+			if [ "X$STUNNEL_LISTEN" != "X" ]; then
+				IF=$STUNNEL_LISTEN
+			fi
+			PPROXY_VENCRYPT_REVERSE=1; export PPROXY_VENCRYPT_REVERSE
+			PPROXY_LISTEN="$IF:$plisten"; export PPROXY_LISTEN
 			PPROXY_PROXY="vencrypt://$localhost:$pstunnel"; export PPROXY_PROXY
 			PPROXY_DEST="$localhost:$pstunnel"; export PPROXY_DEST
 			STUNNEL_ONCE=1; export STUNNEL_ONCE
@@ -3140,6 +3475,11 @@ else
 				if [ $N2_trim -le 200 ]; then
 					N2_trim=`expr $N2_trim + 5500`
 				fi
+				if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
+					PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself1.${RANDOM}.$$"`
+					export PPROXY_LOOP_THYSELF
+					PPROXY_LOOP_THYSELF0=$PPROXY_LOOP_THYSELF
+				fi
 				env PPROXY_REMOVE=0 PPROXY_SLEEP=0 PPROXY_VENCRYPT_VIEWER_BRIDGE="-$port1,$port2" $ptmp &
 				sleep 1
 			fi
@@ -3148,6 +3488,10 @@ else
 			PPROXY_SLEEP=1; export PPROXY_SLEEP;
 		fi
 		PPROXY_KILLPID=+1; export PPROXY_KILLPID;
+		if [ "X$SSVNC_LISTEN_ONCE" != "X1" ]; then
+			PPROXY_LOOP_THYSELF=`mytmp "/tmp/pproxy_loop_thyself2.${RANDOM}.$$"`
+			export PPROXY_LOOP_THYSELF
+		fi
 		$ptmp &
 		# Important to have no extra pids generated between here and VNCVIEWERCMD
 	fi
@@ -3157,6 +3501,13 @@ else
 	echo "$VNCVIEWERCMD" "$@" -listen $N2
 	echo ""
 	$VNCVIEWERCMD "$@" -listen $N2
+	if [ "X$PPROXY_LOOP_THYSELF" != "X" ]; then
+		rm -f $PPROXY_LOOP_THYSELF
+	fi
+	if [ "X$PPROXY_LOOP_THYSELF0" != "X" ]; then
+		rm -f $PPROXY_LOOP_THYSELF0
+	fi
 fi
 sleep 1
--- a/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/bin/util/ssvnc.tcl
@@ -3,12 +3,12 @@
 exec wish "$0" "$@"
 #
-# Copyright (c) 2006-2009 by Karl J. Runge <runge@karlrunge.com>
+# Copyright (c) 2006-2010 by Karl J. Runge <runge@karlrunge.com>
 #
 # ssvnc.tcl: gui wrapper to the programs in this
 # package. Also sets up service port forwarding.
 #
-set version 1.0.25
+set version 1.0.27
 set buck_zero $argv0
@@ -249,8 +249,13 @@ proc ts_help {} {
    Use username@host (e.g. joe@ts-server or jsmith@ssh.company.com)
    if the user name differs between machines.
-    To use a non-standard ssh port (i.e. a port other than 22) in
+    NOTE: On Windows you MUST always supply the username@ because putty's
-    Proxy/Gateways use something like this for port 2222:
+    plink requires it.
+    NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
+    than 22) you need to use the Proxy/Gateways as well.  E.g. something
+    like this for port 2222:
           VNC Terminal Server:  ts-server
           Proxy/Gateway:        jsmith@ssh.company.com:2222
@@ -258,6 +263,7 @@ proc ts_help {} {
    On Unix/MacOSX the username@ is not needed if it is the same as on this
    machine.
    A Web or SOCKS proxy can also be used.  Use this if you are inside a
    firewall that prohibits direct connections to remote SSH servers.
    In Terminal Services SSH mode, the "http://" prefix is required for
@@ -413,8 +419,9 @@ proc help {} {
    * Automatic SSH Tunnels are described below.
-    * The 'No Encryption' option provides a direct connection w/o encryption.
+    * The 'No Encryption' / 'None' option provides a direct connection without
-      (disable by the -enc option, or Options menu.)  More info in Tip 3).
+      encryption (disable the button with the -enc option, or Options menu.)
+      More info in Tip 5.
 Port numbers:
@@ -428,9 +435,12 @@ proc help {} {
    If you must use a TCP port less than 200, specify a negative value,
    e.g.:  24.67.132.27:-80
-    For Reverse VNC connections (listening viewer, See Tip 6 and
+    For Reverse VNC connections (listening viewer, See Tip 2 and
    Options -> Help), the port mapping is similar, except "listening
    display :0" corresponds to port 5500, :1 to 5501, etc.
+    Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
+    only listen on that interface.  IPv6 also works, e.g. :::0 or ::1:0
+    This also works for UN-encrypted reverse connections as well ('None').
 Zeroconf/Bonjour:
@@ -480,7 +490,7 @@ proc help {} {
        ssvnc vnc+ssl://hostname:0  (same)
        ssvnc vnc+ssh://hostname:0  (connect to hostname VNC disp 0 via SSH)
-    see the Tips 3 and 9 for more about the URL-like syntax.
+    see the Tips 5 and 7 for more about the URL-like syntax.
 SSL Certificate Verification:
@@ -667,7 +677,7 @@ proc help {} {
    To connect to a non-standard SSH port, see SSH Proxies/Gateways section.
-    See Tip 13) for how to make this application be SSH-only with the -ssh
+    See Tip 8) for how to make this application be SSH-only with the -ssh
    command line option or "sshvnc".
@@ -688,7 +698,7 @@ proc help {} {
         VNC Host:Display       username@somehost.com:2
         Remote SSH Command:    x11vnc -find -rfbport 5902 -nopw
-    See the Tip 11) for using x11vnc PORT=NNNN feature (or vncserver(1)
+    See the Tip 18) for using x11vnc PORT=NNNN feature (or vncserver(1)
    output) to not need to specify the VNC display number or the x11vnc
    -rfbport option.
@@ -764,7 +774,7 @@ proc help {} {
    See also these links for more information:
        http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-ext
-        http://www.stunnel.org
+        http://stunnel.mirt.net
        http://www.tightvnc.com
 }
@@ -803,7 +813,7 @@ proc help {} {
    By 'do not trust' we mean they might try to gain access to remote
    machines you connect to via SSVNC.  Note that an untrusted local
    user can often obtain root access in a short amount of time; if a
-    user has acheived that, then all bets are off for ANYTHING that you
+    user has achieved that, then all bets are off for ANYTHING that you
    do on the workstation.  It is best to get rid of Untrusted Local
    Users as soon as possible.
@@ -819,7 +829,7 @@ proc help {} {
    If the untrusted local user tries to connect to these ports, he may
    succeed by varying degrees to gain access to the remote machine.
    We now list some safeguards one can put in place to try to make this
-    more difficult to acheive.
+    more difficult to achieve.
    It probably pays to have the VNC server require a password, even
    though there has already been SSL or SSH authentication (via
@@ -886,7 +896,7 @@ proc help {} {
 	set help_prox {
 Here are a number of long sections on all sorts of proxies, Web, SOCKS,
- ssh, UltraVNC, Single Click, etc., etc.
+ SSH tunnels/gateways, UltraVNC, Single Click, etc., etc.
 Proxies/Gateways:
@@ -917,18 +927,22 @@ proc help {} {
           Proxy/Gateway:      socks://mysocks.west:1080
    Use socks5:// to force the SOCKS5 proxy protocol (e.g. for ssh -D).
-    You can prefix web proxies with http:// but it doesn't matter since
-    that is the default (note that in SSH or SSH+SSL mode you MUST supply
+    You can prefix web proxies with http:// in SSL mode but it doesn't matter
-    the http:// prefix for web proxies; see the next section.)
+    since that is the default for a proxy.  (NOTE that in SSH or SSH+SSL
+    mode you MUST supply the http:// prefix for web proxies because in those
+    modes an SSH tunnel is the default proxy type: see the next section.)
    Note that Web proxies are often configured to ONLY allow outgoing
    connections to ports 443 (HTTPS) and 563 (SNEWS), so you might
    have run the VNC server (or router port redirector) on those ports.
    SOCKS proxies usually have no restrictions on port number.
-    You can chain up to 3 proxies (any combination of http:// and
+    You can chain up to 3 proxies (any combination of web (http://) and
    socks://) by separating them with commas (i.e. first,second,third).
+    Proxies also work for un-encrypted connections ("None" or vnc://, Tip 5)
    See the ss_vncviewer description and x11vnc FAQ for info on proxies:
        http://www.karlrunge.com/x11vnc/faq.html#ss_vncviewer
@@ -942,8 +956,8 @@ proc help {} {
    VNC server.  However, Web and SOCKS proxies can also be used (see below).
    For example if a company had a central login server: "ssh.company.com"
-    (accessible from the internet) and the internal workstation name was
+    (accessible from the internet) and the internal workstation with VNC was
-    "joes-pc", one could put this in:
+    named "joes-pc", then to create an SSH tunnel one could put this in:
           VNC Host:Display:   joes-pc:0
           Proxy/Gateway:      ssh.company.com
@@ -951,7 +965,8 @@ proc help {} {
    It is OK if the hostname "joes-pc" only resolves inside the firewall.
    The 2nd leg, from ssh.company.com -> joes-pc is done by a ssh -L
-    redir and is not encrypted (but viewer -> ssh.company.com is encrypted). 
+    redir and is not encrypted (but the viewer -> ssh.company.com 1st leg is
+    an encrypted tunnel). 
    To SSH encrypt BOTH legs, try the "double SSH gateway" method using
    the "comma" notation:
@@ -959,24 +974,28 @@ proc help {} {
           VNC Host:Display:   localhost:0
           Proxy/Gateway:      ssh.company.com,joes-pc
-    this requires an SSH server running on joes-pc.  So an initial SSH
+    this requires an SSH server also running on joes-pc.  So an initial SSH
    login is done to ssh.company.com, then a 2nd SSH is performed (through
    port a redirection of the first) to login straight to joes-pc where
    the VNC server is running.
    Use username@host (e.g. joe@joes-pc  jsmith@ssh.company.com) if the
-    user names differ between the various machines.  On Windows you MUST
+    user names differ between the various machines.  
-    supply the usernames.
-    To use a non-standard ssh port (i.e. a port other than 22) you need to
+    NOTE: On Windows you MUST always supply the username@ because putty's
-    use the Proxy/Gateways as well.  E.g. something like this for port 2222:
+    plink requires it.
+    NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
+    than 22) you need to use the Proxy/Gateways as well.  E.g. something
+    like this for port 2222:
           VNC Host:Display:   localhost:0
           Proxy/Gateway:      joe@far-away.east:2222
-    The username@ is not needed if it is the same as on the client.  This
+    On Unix/MacOSX the username@ is not needed if it is the same as on
-    will also work going to a different internal machine, e.g. "joes-pc:0"
+    the client.  This will also work going to a different internal machine,
-    instead of "localhost:0", as in the first example.
+    e.g. "joes-pc:0" instead of "localhost:0", as in the first example.
    A Web or SOCKS proxy can also be used with SSH.  Use this if you are
@@ -990,12 +1009,14 @@ proc help {} {
           VNC Host:Display:   joe@far-away.east:0
           Proxy/Gateway:      socks://mysocks.west:1080
-    use socks5://... to force the SOCKS5 version.  Note that the http://
+    Use socks5://... to force the SOCKS5 version.  Note that the http://
-    prefix is required for web proxies in SSH or SSH+SSL modes (but it is
+    prefix is REQUIRED for web proxies in SSH or SSH+SSL modes (but it is
-    the default in SSL mode.)
+    the default proxy type in SSL mode.)
-    You can chain up to 3 proxies (any combination of http:// and
+    You can chain up to 3 proxies (any combination of http://, socks://
-    socks://) by separating them with commas (i.e. first,second,third).
+    and ssh) by separating them with commas (i.e. first,second,third).
+    Note: the Web and/or SOCKS proxies must come before any SSH gateways.
    For a non-standard SSH port and a Web or SOCKS proxy try:
@@ -1006,15 +1027,15 @@ proc help {} {
    above works with an initial Web or SOCKS proxy, e.g.:
           VNC Host:Display:   localhost:0
-           Proxy/Gateway:      http://mysocks.west:1080,ssh.company.com,joes-pc
+           Proxy/Gateway:      socks://mysocks.west:1080,ssh.company.com,joes-pc
-    SSH NoHostAuthenticationForLocalhost=yes and UserKnownHostsFile=file
+    Some Notes on SSH localhost tunnelling with SSH options
-    for localhost tunnelling:
+      NoHostAuthenticationForLocalhost=yes and UserKnownHostsFile=file:
-    Warning:  Note that for proxy use with ssh(1) tunnels going through
+    Warning:  Note that for proxy use with ssh(1), tunnels going through
-    localhost are used.  This means ssh(1) thinks the remote hostname is
+    'localhost' are used.  This means ssh(1) thinks the remote hostname is
    'localhost', which may cause collisions and confusion when storing
    and checking SSH keys.
@@ -1026,7 +1047,7 @@ proc help {} {
    the NoHostAuthenticationForLocalhost option is used.
    On Unix to disable the use of NoHostAuthenticationForLocalhost set the env.
-    variable SSVNC_SSH_LOCALHOST_AUTH=1.
+    variable SSVNC_SSH_LOCALHOST_AUTH=1. This may induce extra ssh(1) dialogs.
    On Unix a MUCH SAFER and more convenient way to proceed is to set the
    known hosts option in Options -> Advanced -> 'Private SSH KnownHosts file'
@@ -1063,10 +1084,10 @@ proc help {} {
    Note: it seems only SSL SSVNC connections make sense with the
    UltraVNC repeater.  SSH connections (previous section) do not seem to
-    and so are not enabled to (let us know if you find a way to use it).
+    and so are not enabled to (let us know if you find a way to use it.)
    Unencrypted (aka Direct) SSVNC VNC connections (Vnc:// prefix in
-    'VNC Host:Display'; see Tip 3) also work with the UltraVNC repeater.
+    'VNC Host:Display'; see Tip 5) also work with the UltraVNC repeater.
    For the mode I repeater the viewer initiates the connection and
    passes a string that is the VNC server's IP address (or hostname)
@@ -1084,12 +1105,12 @@ proc help {} {
    The Proxy/Gateway format is repeater://proxy:port+vncserver:display.
    The string after the "+" sign is passed to the repeater server for
    it to interpret (and so does not have to be the UltraVNC repeater;
-    you could create your own if you wanted to). For this example,
+    you could create your own if you wanted to.)  For this example,
    instead of joes-pc:1 it could be joes-pc:5901 or 192.168.1.4:1,
    192.168.1.4:5901, etc.
    If you do not supply a proxy port, then the default 5900 is assumed,
-    e.g.  repeater://myuvncrep.west+joes-pc:1
+    e.g. use repeater://myuvncrep.west+joes-pc:1 for port 5901.
    For the mode II repeater both the VNC viewer and VNC server initiate
@@ -1118,7 +1139,7 @@ proc help {} {
    connection in this situation.
    Note that for unencrypted (i.e. direct) SSVNC connections (see vnc://
-    in Tip 3) there is no need to use a reverse "Listening connection"
+    in Tip 5) there is no need to use a reverse "Listening connection"
    and so you might as well use a forward connection.
    For mode II when tunnelling via SSL, you probably should also disable
@@ -1128,9 +1149,9 @@ proc help {} {
    is no way to do the initial "Fetch Cert" and check if it has been
    previously accepted.
-    Even when you disable "Verify All Certs", you are free to set a
+    Even when you disable "Verify All Certs", you are of course free to
-    ServerCert or CertsDir under "Certs ..." to authenticate the VNC
+    set a ServerCert or CertsDir under "Certs ..." to authenticate the
-    Server against.
+    VNC Server against.
    Also, after the connection you MUST terminate the listening VNC Viewer
    (Ctrl-C) and connect again (the proxy only runs once.)  In Windows,
@@ -1170,7 +1191,7 @@ proc help {} {
    The SC EXE is a VNC *server* that starts up a Reverse VNC connection
    to a Listening Viewer (e.g. the viewer address/port/ID is hardwired
    into the SC EXE).  So SC is not really a proxy, but it can be used
-    with UltraVNC repeater proxies and we include it here.
+    with UltraVNC repeater proxies and so we describe it here.
    One important point for SC III binary creation: do NOT include 
    "-id N" in the helpdesk.txt config file.  This is because the with
@@ -1190,7 +1211,7 @@ proc help {} {
    mode and the SSL encrypted "SC III" mode.  For both cases SSVNC
    must be run in Listening mode (Options -> Reverse VNC Connection)
-    For SC I, enable Reverse VNC Connection and put Vnc://0 (see Tip 3
+    For SC I, enable Reverse VNC Connection and put Vnc://0 (see Tip 5
    below) in the VNC Host:Display to disable encryption (use a different
    number if you are not using the default listening port 5500).
    Then click on the "Listen" button and finally have the user run your
@@ -1242,46 +1263,211 @@ proc help {} {
    SSVNC vncviewer.  The modified viewer is needed; stock VNC viewers
    will not work.  Also, proxy chaining (bouncing off of more than one
    proxy) currently does not work.
+ VeNCrypt is treated as a proxy:
+    SSVNC supports the VeNCrypt VNC security type.  You will find out more
+    about this security type in the other parts of the Help documentation.
+    In short, it does a bit of plain-text VNC protocol negotiation before
+    switching to SSL/TLS encryption and authentication.
+    SSVNC implements its VeNCrypt support as final proxy in a chain
+    of proxies.  You don't need to know this or specify anything, but
+    it is good to know since it uses up one of the 3 proxies you are
+    allowed to chain together.  If you watch the command output you will
+    see the vencrypt:// proxy item.
+    You can specify that a VNC server uses VeNCrypt (Options -> Advanced)
+    or you can let SSVNC try to autodetect VeNCrypt.
+ IPv6 can be treated as a proxy for UN-ENCRYPTED connections:
+    Read Tip 20 about SSVNC's IPv6 (128 bit IP addresses) support.
+    In short, because stunnel and ssh support IPv6 hostnames and
+    addresses, SSVNC does too without you needing to do anything.
+    However, in some usages modes you will need to specify the IPv6
+    server destination in the Proxy/Gateway entry box.  The only case
+    this appears to be needed is when making an un-encrypted connection
+    to an IPv6 VNC server.  In this case neither stunnel nor ssh are
+    used and you need to specify something like this:
+              VNC Host:Display:       localhost:0
+              Proxy/Gateway:          ipv6://2001:4860:b009::68:5900
+    and then select 'None' as the encryption type.  Note that the above
+    'localhost:0' setting can be anything; it is basically ignored.
+    Note that on Unix, MacOSX, and Windows un-encrypted ipv6 connections
+    are AUTODETECTED and so you likely never need to supply ipv6://
+    Only try it if there are problems.  Also note that the ipv6://
+    proxy type does not work on Windows, so only the autodetection is
+    available there.
+    Note that if there is some other proxy, e.g. SOCKS or HTTP and that
+    proxy server is an IPv6 host (or will connect you to one) then any
+    sort of connection through that proxy will work OK: un-encrypted as
+    well as SSL or SSH connections, etc.
+    Unencrypted connection is the only special case where you may need
+    to specify an ipv6:// proxy.  If you find another use let us know.
+    See Tip 20 for more info.
 }
 	set help_tips {
 Tips and Tricks:
-     1) On Unix to get a 2nd GUI (e.g. for a 2nd connection) press Ctrl-N
+     Table of Contents:
-        on the GUI.  If only the xterm window is visible you can press
-        Ctrl-N or try Ctrl-LeftButton -> New SSVNC_GUI.  On Windows you
+      1) Connect to Non-Standard SSH port.
-        will have to manually Start a new one: Start -> Run ..., etc.
+      2) Reverse VNC connections (Listening)
+      3) Global options in ~/.ssvncrc
+      4) Fonts
+      5) vnc://host for un-encrypted connection
+      6) Home directory for memory stick usage, etc.
+      7) vncs:// vncssl:// vnc+ssl:// vnc+ssh:// URL-like prefixes
+      8) sshvnc / -ssh SSH only GUI
+      9) tsvnc / -ts Terminal services only GUI (SSH+x11vnc)
+     10) 2nd GUI window on Unix/MacOSX
+     11) Ctrl-L or Button3 to Load profile
+     12) SHELL command or Ctrl-S for SSH terminal w/o VNC
+     13) KNOCK command for port-knock sequence
+     14) Unix/MacOSX general SSL redirector (not just VNC)
+     15) Environment variables
+     16) Bigger "Open File" dialog window
+     17) Unix/MacOSX extra debugging output
+     18) Dynamic VNC Server Port determination with SSH
+     19) No -t ssh cmdline option for older sshd
+     20) IPv6 support.
+     1) To connect in SSH-Mode to a server running SSH on a non-standard
+        port (22 is the standard port) you need to use the Proxy/Gateway
+        setting.  The following is from the Proxies Help panel:
+        NON-STANDARD SSH PORT: To use a non-standard ssh port (i.e. a port other
+        than 22) you need to use the Proxy/Gateways as well.  E.g. something
+        like this for port 2222: 
-     2) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right
+               VNC Host:Display:   localhost:0
-        mouse button on the main GUI will invoke the Load dialog.
+               Proxy/Gateway:      joe@far-away.east:2222
-        Pressing Ctrl-O on the main GUI will bring up the Options Panel.
+        The username@ is not needed if it is the same as on the client.  This
-        Pressing Ctrl-A on the main GUI will bring up the Advanced Options.
+        will also work going to a different internal machine, e.g. "joes-pc:0"
+        instead of "localhost:0", as in the first example.
+     2) Reverse VNC connections (Listening) are possible as well.
+        In this case the VNC Server initiates the connection to your
+        waiting (i.e. listening) SSVNC viewer.
+        Go to Options and select "Reverse VNC connection".  In the 'VNC
+        Host:Display' entry box put in the number (e.g. "0" or ":0", or
+        ":1", etc) that corresponds to the Listening display (0 -> port
+        5500, 1 -> port 5501, etc.) you want to use.  Then clicking on
+        'Listen' puts your SSVNC viewer in a "listening" state on that
+        port number, waiting for a connection from the VNC Server.
+        On Windows or using a 3rd party VNC Viewer multiple, simultaneous
+        reverse connections are always enabled.  On Unix/MacOSX with the
+        provided ssvncviewer they are disabled by default.  To enable them:
+        Options -> Advanced -> Unix ssvncviewer -> Multiple LISTEN Connections
+        Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
+        only listen on that interface.  IPv6 works too, e.g. :::0 or ::1:0
+        This also works for UN-encrypted reverse connections as well ('None').
+        See the Options Help for more info.
+     3) You can put global options in your ~/.ssvncrc file (ssvnc_rc on
+        Windows). Currently they are:
+	Put "mode=tsvnc" or "mode=sshvnc" in the ~/.ssvncrc file to have
+	the application start up in the given mode.
+        desktop_type=wmaker    (e.g.) to switch the default Desktop Type.
+        desktop_size=1280x1024 (e.g.) to switch the default Desktop Size.
+        desktop_depth=24       (e.g.) to switch the default Desktop Color Depth
+        xserver_type=Xdummy    (e.g.) to switch the default X Server Type.
+        (The above 4 settings apply only to the Terminal Services Mode.)
+        noenc=1  (same as the -noenc option for a 'No Encryption' option)
+        noenc=0  (do not show the 'No Encryption' option)
+        killstunnel=1 (same as -killstunnel), on Windows automatically kills
+        the STUNNEL process when the viewer exits.  Disable via killstunnel=0
+        and -nokillstunnel.
+        ipv6=0   act as though IPv6 was not detected.
+        ipv6=1   act as though IPv6 was detected.
+        cotvnc=1 have the default vncviewer on Mac OS X be the Chicken of
+        the VNC.  By default the included ssvnc X11 vncviewer is used
+        (requires Mac OS X X11 server to be running.)
-     3) If you want to make a Direct VNC connection, WITH *NO* SSL OR
+        mycert=file (same as -mycert file option).  Set your default MyCert
-        SSH ENCRYPTION, use the "vnc://" prefix in the VNC Host:Display
+        to "file".  If file does not exist ~/.vnc/certs/file is used.
-        entry box, e.g. "vnc://far-away.east:0"  This also works for
-        reverse connections, e.g. vnc://0
+        cacert=file (same as -cacert file option).  Set your default ServerCert
+        to "file".  If file does not exist ~/.vnc/certs/file is used.  If
+        file is "CA" then ~/.vnc/certs/CA/cacert.pem is used.
+        crl=file (same as -crl file option).  Set your default CRL File
+        to "file".  If file does not exist ~/.vnc/certs/file is used.
+        Prefix any of these cert/key files with "FORCE:" to make them
+        immutable, e.g.  "cacert=FORCE:CA".
+        You can set any environment variable in ~/.ssvncrc by using a line
+        like env=VAR=value, for example:  env=SSVNC_FINISH_SLEEP=2
+        To change the fonts (see Tip 4 below for examples):
+        font_default=tk-font-name     (sets the font for menus and buttons)
+        font_fixed=tk-font-name       (sets the font for help text)
+     4) Fonts: To change the tk fonts, set these environment variables
+        before starting up ssvnc: SSVNC_FONT_DEFAULT and SSVNC_FONT_FIXED.
+        For example:
+            % env SSVNC_FONT_DEFAULT='helvetica -20 bold' ssvnc
+            % env SSVNC_FONT_FIXED='courier -14' ssvnc
+        or set both of them at once.  You can also set 'font_default' and
+        'font_fixed' in your ~/.ssvncrc.  E.g.:
+        font_default=helvetica -16 bold
+        font_fixed=courier -12
+     5) If you want to make a Direct VNC connection, WITH *NO* SSL OR
+        SSH ENCRYPTION or authentication, use the "vnc://" prefix in the
+        VNC Host:Display entry box, e.g. "vnc://far-away.east:0"  This
+        also works for reverse connections, e.g. vnc://0
        Use Vnc:// (i.e. capital 'V') to avoid being prompted if you are
        sure you want no encryption.  For example, "Vnc://far-away.east:0"
        Shift+Ctrl-E in the entry box is a short-cut to add or remove
        the prefix "Vnc://" from the host:disp string.
-        Note as of SSVNC 1.0.25 the '-noenc' mode is now the default. I.e.
+        You can also run ssvnc with the '-noenc' cmdline option (now
-        the 'No Encryption' option ('None') is shown by default. To disable
+        the default) to have a check option 'None' that lets you turn off
-        the button supply the '-enc' cmdline option.  
+        Encryption (and profiles will store this setting).  Pressing Ctrl-E
+        on the main panel is a short-cut to toggle between the -noenc 'No
-        You can also run ssvnc with the '-noenc' cmdline option (now the
+        Encryption' mode and normal mode.  The option "Show 'No Encryption'
-        default) to have a check option that lets you turn off Encryption
+        Option" under Options also toggles it.
-        (and profiles will store this setting).  Pressing Ctrl-E on
-        the main panel is a short-cut to toggle between the -noenc
-        'No Encryption' mode and normal mode.  The option "Show 'No
-        Encryption' Option" under Options also toggles it.
        The '-enc' option disables the button (and so makes it less obvious
-        how do disable encryption.)
+        to naive users how to disable encryption.)
+        Note as of SSVNC 1.0.25 the '-noenc' mode is now the default. I.e.
+        the 'No Encryption' option ('None') is shown by default.  When
+        you select 'None' you do not need to supply the "vnc://" prefix.
+        To disable the button supply the '-enc' cmdline option.
        Setting SSVNC_DISABLE_ENCRYPTION_BUTTON=1 in your environment is
        the same as -noenc.  You can also put noenc=1 in your ~/.ssvncrc file.
@@ -1294,23 +1480,23 @@ proc help {} {
        password) over the network that can be sniffed.
        It is also possible (although difficult) for someone to hijack an
-        unencrypted VNC session.
+        existing unencrypted VNC session.
        Often SSVNC is used to connect to x11vnc where the Unix username and
        password is sent over the channel.  It would be a very bad idea to
-        let that data be sent over an unencrypted connection.  In general,
+        let that data be sent over an unencrypted connection!  In general,
        it is not wise to have a plaintext VNC connection.
        Note that even the VNC Password challenge-response method (the password
-        is not sent in plaintext) leaves your VNC password susceptible a
+        is not sent in plaintext) leaves your VNC password susceptible to a
        dictionary attack unless encryption is used to hide it.
-        So (before we made the button on by default!) we forced you to
+        So (well, before we made the button visible by default!) we forced
-        learn about and supply the "vnc://" or "Vnc://" prefix to the
+        you to learn about and supply the "vnc://" or "Vnc://" prefix to
-        host:port or use -noenc or the "Show 'No Encryption' Option"
+        the host:port or use -noenc or the "Show 'No Encryption' Option"
        to disable encryption.  This is a small hurdle, but maybe someone
-        will think twice.  It is a shame that VNC has been around for over
+        will think twice.  It is a shame that VNC has been around for
-        10 years and still does not have built-in strong encryption.
+        over 10 years and still does not have built-in strong encryption.
        Note the Vnc:// or vnc:// prefix will be stored in any profile that
        you save so you do not have to enter it every time.
@@ -1318,65 +1504,7 @@ proc help {} {
        Set the env var SSVNC_NO_ENC_WARN=1 to skip the warning prompts the
        same as the capitalized Vnc:// does.
-     4) If you use "SHELL" for the "Remote SSH Command" (or in the display
+     6) Mobile USB memory stick / flash drive usage:  You can unpack
-        line: "user@hostname cmd=SHELL") then you get an SSH shell only:
-        no VNC viewer will be launched.  On Windows "PUTTY" will try
-        to use putty.exe (better terminal emulation than plink.exe).
-        A ShortCut for this is Ctrl-S with user@hostname in the entry box.
-     5) If you use "KNOCK" for the "Remote SSH Command" (or in the display
-        line "user@hostname cmd=KNOCK") then only the port-knocking is done.
-        A ShortCut for this is Ctrl-P with hostname the entry box.
-        If it is KNOCKF, i.e. an extra "F", then the port-knocking
-        "FINISH" sequence is sent, if any.  A ShortCut for this
-        Shift-Ctrl-P as long as hostname is present.
-     6) Reverse VNC connections (Listening) are possible as well.
-        In this case the VNC Server initiates the connection to your
-        waiting (i.e. listening) SSVNC viewer.
-        Go to Options and select "Reverse VNC connection".  In the 'VNC
-        Host:Display' entry box put in the number (e.g. "0" or ":0", or
-        ":1", etc) that corresponds to the Listening display (0 -> port
-        5500, 1 -> port 5501, etc.) you want to use.  Then clicking on
-        'Listen' puts your SSVNC viewer in a "listening" state on that
-        port number, waiting for a connection from the VNC Server.
-        See the Options Help for more info.
-     7) On Unix to have SSVNC act as a general STUNNEL redirector (i.e. no
-        VNC), put the desired host:port in VNC Host:Display (use a
-        negative port value if it is to be less than 200), then go to
-        Options -> Advanced -> Change VNC Viewer.  Change the "viewer"
-        command to be "xmessage OK" or "xmessage <port>" (or sleep) where
-        port is the desired local listening port.  Then click Connect.
-        If you didn't set the local port look for it in the terminal output.
-        On Windows set 'viewer' to "NOTEPAD" or similar; you can't
-        control the port though.  It is usually 5930, 5931, ... Watch
-        the messages or look at the stunnel log.
-     8) On Unix if you are going to an older SSH server (e.g. Solaris 10),
-        you will probably need to set the env. var. SS_VNCVIEWER_NO_T=1
-        to disable the ssh "-t" option being used (that can prevent the
-        command from being run).
-     9) In the VNC Host:Display entry you can also use these "URL-like"
-        prefixes:
-           vncs://host:0, vncssl://host:0, vnc+ssl://host:0  for SSL
-        and
-           vncssh://host:0, vnc+ssh://host:0                 for SSH
-        There is no need to toggle the SSL/SSH setting.  These also work
-        from the command line, e.g.:  ssvnc vnc+ssh://mymachine:10
-    10) Mobile USB memory stick / flash drive usage:  You can unpack
        ssvnc to a flash drive for impromptu usage (e.g. from a friends
        computer). 
@@ -1400,70 +1528,19 @@ proc help {} {
         cd \ssvnc\Windows
         start \ssvnc\Windows\ssvnc.exe 
-    11) Dynamic VNC Server Port determination and redirection:  If you
+     7) In the VNC Host:Display entry you can also use these "URL-like"
-        are running SSVNC on Unix and are using SSH to start the remote
+        prefixes:
-        VNC server and the VNC server prints out the line "PORT=NNNN"
-        to indicate which dynamic port it is using (x11vnc does this),
-        then if you prefix the SSH command with "PORT=" SSVNC will watch
-        for the PORT=NNNN line and uses ssh's built in SOCKS proxy
-        (ssh -D ...) to connect to the dynamic VNC server port through
-        the SSH tunnel.  For example:
-                VNC Host:Display     user@somehost.com
-                Remote SSH Command:  PORT= x11vnc -find -nopw
-        or "PORT= x11vnc -display :0 -localhost", etc.  Or use "P= ..."
-        There is also code to detect the display of the regular Unix
-        vncserver(1).  It extracts the display (and hence port) from
-        the lines "New 'X' desktop is hostname:4" and also 
-        "VNC server is already running as :4".  So you can use
-        something like:
-                PORT= vncserver; sleep 15 
-        or:     PORT= vncserver :4; sleep 15 
-        the latter is preferred because when you reconnect with it will
-        find the already running one.  The former one will keep creating
-        new X sessions if called repeatedly.
-        On Windows if PORT= is supplied SOCKS proxying is not used, but
-        rather a high, random value of the VNC port is chosen (e.g. 8453)
-        and assumed to be free, and is passed to x11vnc's -rfbport option.
-        This only works with x11vnc (not vncserver).
-    12) Tricks with environment variables:
-        You can change the X DISPLAY variable by typing DISPLAY=... into
-        VNC Host:Display and hitting Return or clicking Connect. Same
-        for HOME=.  On Mac, you can set DYLD_LIBRARY_PATH=... too.
-        It should propagate down the viewer.
-        Setting SLEEP=n increases the amount of time waited before
+           vncs://host:0, vncssl://host:0, vnc+ssl://host:0  for SSL
-        starting the viewer.  The env. var. SSVNC_EXTRA_SLEEP also does
-        this (and also Sleep: Option setting) Setting FINISH=n sets the
-        amount of time slept before the Terminal window exits on Unix
-        and MacOS X.  (same as SSVNC_FINISH_SLEEP env. var.)
-        Full list of parameters HOME/SSVNC_HOME, DISPLAY/SSVNC_DISPLAY
+        and
-        DYLD_LIBRARY_PATH/SSVNC_DYLD_LIBRARY_PATH, SLEEP/SSVNC_EXTRA_SLEEP
-        FINISH/SSVNC_FINISH_SLEEP, DEBUG_NETSTAT, REPEATER_FORCE, SSH_ONLY.
-        (the ones joined by "/" are equivalent names, and the latter can
-        be set as an env. var. as well.)
-        After you set the parameter, clear out the 'VNC Host:Display'
+           vncssh://host:0, vnc+ssh://host:0                 for SSH
-        entry and replace it with the actual host and display number.
-        To replace the xterm terminal where most of the external commands
+        There is no need to toggle the SSL/SSH setting.  These also work
-        are run set SSVNC_XTERM_REPLACEMENT to a command that will run
+        from the command line, e.g.:  ssvnc vnc+ssh://mymachine:10
-        a command in a terminal.  I.e.:  "$SSVNC_XTERM_REPLACEMENT cmd"
-        will run cmd.  If present, %GEOMETRY is expanded to a desired
-        +X+Y geometry.  If present, %TITLE is expanded to a desired title.
-        Examples: SSVNC_XTERM_REPLACEMENT='gnome-terminal -e'
-                  SSVNC_XTERM_REPLACEMENT='gnome-terminal -t "%TITLE" -e'
-                  SSVNC_XTERM_REPLACEMENT='konsole -e'
-    13) If you want this application to be SSH only, then supply the
+     8) If you want this application to be SSH only, then supply the
        command line option "-ssh" or set the env. var SSVNC_SSH_ONLY=1.
        Then no GUI elements specific to SSL will appear (the
@@ -1477,7 +1554,7 @@ proc help {} {
        Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=sshvnc"
        to have the tool always start up in that mode.
-    14) For an even simpler "Terminal Services" mode use "tsvnc" or
+     9) For an even simpler "Terminal Services" mode use "tsvnc" or
        "tsvnc.bat" (or "-ts" option).  This mode automatically launches
        x11vnc on the remote side to find or create your Desktop session
        (usually the Xvfb X server).  So x11vnc must be available on the
@@ -1490,75 +1567,201 @@ proc help {} {
        Or in your ~/.ssvncrc (or ~/ssvnc_rc on Windows) put "mode=tsvnc"
        to have the tool always start up in that mode.
-    15) You can put global options in your ~/.ssvncrc file (ssvnc_rc on
+    10) On Unix to get a 2nd GUI (e.g. for a 2nd connection) press Ctrl-N
-        Windows). Currently they are:
+        on the GUI.  If only the xterm window is visible you can press
+        Ctrl-N or try Ctrl-LeftButton -> New SSVNC_GUI.  On Windows you
+        will have to manually Start a new one: Start -> Run ..., etc.
-	Put "mode=tsvnc" or "mode=sshvnc" in the ~/.ssvncrc file to have
+    11) Pressing the "Load" button or pressing Ctrl-L or Clicking the Right
-	the application start up in the given mode.
+        mouse button on the main GUI will invoke the Load dialog.
-        desktop_type=wmaker    (e.g.) to switch the default Desktop Type.
+        Pressing Ctrl-O on the main GUI will bring up the Options Panel.
+        Pressing Ctrl-A on the main GUI will bring up the Advanced Options.
-        desktop_size=1280x1024 (e.g.) to switch the default Desktop Size.
+    12) If you use "SHELL" for the "Remote SSH Command" (or in the display
+        line: "user@hostname cmd=SHELL") then you get an SSH shell only:
+        no VNC viewer will be launched.  On Windows "PUTTY" will try
+        to use putty.exe (better terminal emulation than plink.exe).
-        desktop_depth=24       (e.g.) to switch the default Desktop Color Depth
+        A ShortCut for this is Ctrl-S with user@hostname in the entry box.
-        xserver_type=Xdummy    (e.g.) to switch the default X Server Type.
+    13) If you use "KNOCK" for the "Remote SSH Command" (or in the display
+        line "user@hostname cmd=KNOCK") then only the port-knocking is done.
-        (The above 4 settings apply only to the Terminal Services Mode.)
+        A ShortCut for this is Ctrl-P with hostname the entry box.
-        noenc=1  (same as the -noenc option for a 'No Encryption' option)
+        If it is KNOCKF, i.e. an extra "F", then the port-knocking
-        noenc=0  (do not show the 'No Encryption' option)
+        "FINISH" sequence is sent, if any.  A ShortCut for this
+        Shift-Ctrl-P as long as hostname is present.
-        killstunnel=1 (same as -killstunnel), on Windows automatically kills
+    14) On Unix to have SSVNC act as a general STUNNEL redirector (i.e. no
-        the STUNNEL process when the viewer exits.  Disable via killstunnel=0
+        VNC), put the desired host:port in VNC Host:Display (use a
-        and -nokillstunnel.
+        negative port value if it is to be less than 200), then go to
+        Options -> Advanced -> Change VNC Viewer.  Change the "viewer"
+        command to be "xmessage OK" or "xmessage <port>" (or sleep) where
+        port is the desired local listening port.  Then click Connect.
+        If you didn't set the local port look for it in the terminal output.
-        cotvnc=1 have the default vncviewer on Mac OS X be the Chicken of
+        On Windows set 'viewer' to "NOTEPAD" or similar; you can't
-        the VNC.  By default the included ssvnc X11 vncviewer is used
+        control the port though.  It is usually 5930, 5931, ... Watch
-        (requires Mac OS X X11 server to be running.)
+        the messages or look at the stunnel log.
-        mycert=file (same as -mycert file option).  Set your default MyCert
+    15) Tricks with environment variables:
-        to "file".  If file does not exist ~/.vnc/certs/file is used.
-        cacert=file (same as -cacert file option).  Set your default ServerCert
+        You can change the X DISPLAY variable by typing DISPLAY=... into
-        to "file".  If file does not exist ~/.vnc/certs/file is used.  If
+        VNC Host:Display and hitting Return or clicking Connect. Same
-        file is "CA" then ~/.vnc/certs/CA/cacert.pem is used.
+        for HOME=.  On Mac, you can set DYLD_LIBRARY_PATH=... too.
+        It should propagate down the viewer.
-        crl=file (same as -crl file option).  Set your default CRL File
+        Setting SLEEP=n increases the amount of time waited before
-        to "file".  If file does not exist ~/.vnc/certs/file is used.
+        starting the viewer.  The env. var. SSVNC_EXTRA_SLEEP also does
+        this (and also Sleep: Option setting) Setting FINISH=n sets the
+        amount of time slept before the Terminal window exits on Unix
+        and MacOS X.  (same as SSVNC_FINISH_SLEEP env. var.)
-        Prefix any of these cert/key files with "FORCE:" to make them
+        Full list of parameters HOME/SSVNC_HOME, DISPLAY/SSVNC_DISPLAY
-        immutable, e.g.  "cacert=FORCE:CA".
+        DYLD_LIBRARY_PATH/SSVNC_DYLD_LIBRARY_PATH, SLEEP/SSVNC_EXTRA_SLEEP
+        FINISH/SSVNC_FINISH_SLEEP, DEBUG_NETSTAT, REPEATER_FORCE,
+        SSH_ONLY, TS_ONLY, NO_DELETE, BAT_SLEEP, IPV6/SSVNC_IPV6=0 or 1.
+        See below for more info.  (the ones joined by "/" are equivalent
+        names, and the latter can be set as an env. var. as well.)
-        You can set any environment variable in ~/.ssvncrc by using a line
+        After you set the parameter, clear out the 'VNC Host:Display'
-        like env=VAR=value, for example:  env=SSVNC_FINISH_SLEEP=2
+        entry and replace it with the actual host and display number.
-        To change the fonts (see Tip 18 below for examples):
+        To replace the xterm terminal where most of the external commands
+        are run set SSVNC_XTERM_REPLACEMENT to a command that will run
+        a command in a terminal.  I.e.:  "$SSVNC_XTERM_REPLACEMENT cmd"
+        will run cmd.  If present, %GEOMETRY is expanded to a desired
+        +X+Y geometry.  If present, %TITLE is expanded to a desired title.
+        Examples: SSVNC_XTERM_REPLACEMENT='gnome-terminal -e'
+                  SSVNC_XTERM_REPLACEMENT='gnome-terminal -t "%TITLE" -e'
+                  SSVNC_XTERM_REPLACEMENT='konsole -e'
-        font_default=tk-font-name     (sets the font for menus and buttons)
+        More info: EXTRA_SLEEP: seconds of extra sleep in scripts; 
-        font_fixed=tk-font-name       (sets the font for help text)
+        FINISH_SLEEP: final extra sleep at end; DEBUG_NETSTAT put up a
+        window showing what netstat reports; NO_DELETE: do not delete tmp
+        bat files on Windows (for debugging); BAT_SLEEP: sleep this many
+        seconds at the end of each Windows bat file (for debugging.) 
    16) On Unix you can make the "Open File" and "Save File" dialogs
        bigger by setting the env. var. SSVNC_BIGGER_DIALOG=1 or
        supplying the -bigger option.  If you set it to a Width x Height,
        e.g. SSVNC_BIGGER_DIALOG=500x200, that size will be used.
    17) On Unix / MacOSX to enable debug output you can set these env.
        vars to 1: SSVNC_STUNNEL_DEBUG, SSVNC_VENCRYPT_DEBUG, and
        SS_DEBUG (very verbose)
+    18) Dynamic VNC Server Port determination and redirection:  If you
+        are running SSVNC on Unix and are using SSH to start the remote
+        VNC server and the VNC server prints out the line "PORT=NNNN"
+        to indicate which dynamic port it is using (x11vnc does this),
+        then if you prefix the SSH command with "PORT=" SSVNC will watch
+        for the PORT=NNNN line and uses ssh's built in SOCKS proxy
+        (ssh -D ...) to connect to the dynamic VNC server port through
+        the SSH tunnel.  For example:
+                VNC Host:Display     user@somehost.com
+                Remote SSH Command:  PORT= x11vnc -find -nopw
+        or "PORT= x11vnc -display :0 -localhost", etc.  Or use "P= ..."
+        There is also code to detect the display of the regular Unix
+        vncserver(1).  It extracts the display (and hence port) from
+        the lines "New 'X' desktop is hostname:4" and also 
+        "VNC server is already running as :4".  So you can use
+        something like:
+                PORT= vncserver; sleep 15 
+        or:     PORT= vncserver :4; sleep 15 
-    18) Fonts: To change the tk fonts, set these environment variables
+        the latter is preferred because when you reconnect with it will
-        before starting up ssvnc: SSVNC_FONT_DEFAULT and SSVNC_FONT_FIXED.
+        find the already running one.  The former one will keep creating
-        For example:
+        new X sessions if called repeatedly.
-            % env SSVNC_FONT_DEFAULT='helvetica -20 bold' ssvnc
+        On Windows if PORT= is supplied SOCKS proxying is not used, but
-            % env SSVNC_FONT_FIXED='courier -14' ssvnc
+        rather a high, random value of the VNC port is chosen (e.g. 8453)
+        and assumed to be free, and is passed to x11vnc's -rfbport option.
+        This only works with x11vnc (not vncserver).
-        or set both of them at once.  You can also set 'font_default' and
+    19) On Unix if you are going to an older SSH server (e.g. Solaris 10),
-        'font_fixed' in your ~/.ssvncrc.  E.g.:
+        you will probably need to set the env. var. SS_VNCVIEWER_NO_T=1
+        to disable the ssh "-t" option being used (that can prevent the
+        command from being run).
-        font_default=helvetica -16 bold
+    20) SSVNC is basically a wrapper for the stunnel and ssh programs,
-        font_fixed=courier -12
+        and because those two programs have good IPv6 support SSVNC will
+        for most usage modes support it as well.  IPv6 is 128 bit internet
+        addresses (as opposed to IPv4 with its 32 bit xxx.yyy.zzz.nnn IPs.
+        So for basic SSL and SSH connections if you type in an IPv6 IP
+        address, e.g. '2001:4860:b009::68', or a hostname with only an
+        IPv6 lookup, e.g. ipv6.l.google.com, the connection will work
+        because stunnel and ssh handle these properly.
+        Note that you often need to supply a display number or port after
+        the address so put it, e.g. ':0' at the end: 2001:4860:b009::68:0
+        You can also use the standard notation [2001:4860:b009::68]:0
+        that is more clear.  You MUST specify the display if you use
+        the IPv6 address notation (but :0 is still the default for a
+        non-numeric hostname string.)
+        IPv4 addresses encoded in IPv6 notation also work, e.g.
+        ::ffff:192.168.1.100 should work for the most part.
+        SSVNC on Unix and MacOSX also has its own Proxy helper tool
+        (pproxy)  This script has been modified to handle IPv6 hostnames
+        and addresses as long as the IO::Socket::INET6 Perl module
+        is available.  On Windows the relay6.exe tool is used.
+        So for the most part IPv6 should work without you having to do
+        anything special.  However, for rare usage, the proxy helper tool
+        can also treat and IPv6 address as a special sort of 'proxy'.
+        So in the entry Proxy/Gateway you can include ipv6://host:port
+        and the IPv6 host will simply be connected to and the data
+        transferred.  In this usage mode, set the VNC Host:Display
+        to anything, e.g. 'localhost:0'; it is ignored if the ipv6://
+        endpoint is specified as a proxy.  Need for ipv6:// usage proxy
+        should be rare.
+        Note that for link local (not global) IPv6 addresses you may
+        need to include the network interface at the end of the address,
+        e.g. fe80::a00:20ff:fefd:53d4%eth0
+        Note that one can use a 3rd party VNC Viewer with SSVNC (see
+        Options -> Advanced -> Change VNC Viewer.)  IPv6 will work for
+        them as well even if they do not support IPv6.
+        IPv6 support on Unix, MacOSX, and Windows is essentially complete
+        for all types of connections (including proxied, unencrypted and
+        reverse connections.)  Let us know if you find a scenario that
+        does not work (see the known exception for putty/plink below.)
+        You can set ipv6=0 in your ssvncrc, then no special relaying for
+        IPv6 will be done (do this if there are problems or slowness in
+        trying to relay ipv6 and you know you will not connect to any
+        such hosts.)  Set ipv6=1 to force the special processing even if
+        IPv6 was not autodetected.  To change this dynamically, you also
+        enter IPV6=... in the VNC Host:Display entry box and press Enter.
+        Also on Unix or MacOSX you can set the env. var. SSVNC_IPV6=0
+        to disable the wrapper script from checking if hosts have ipv6
+        addresses (this is the same as setting ipv6=0 in ssvncrc or by
+        the setting ipv6 in the Entry box.)
+        On Windows plink.exe (SSH client) currently doesn't work for
+        IPv6 address strings (e.g. 2001:4860:b009::68) but it does work
+        for hostname strings that resolve to IPv6 addresses.
+        Note that one can make a home-brew SOCKS5 ipv4-to-ipv6 gateway
+        proxy using ssh like this:
+          ssh -D '*:1080' localhost "printf 'Press Enter to Exit: '; read x"
+        then specify a proxy like socks5://hostname:1080 where hostname
+        is the machine running the above ssh command.  Add '-v' to the
+        ssh cmdline for verbose output.  See also the x11vnc inet6to4 tool
+        (a direct ipv4/6 relay, not socks.)
 }
 	global version
@@ -1845,7 +2048,7 @@ proc help_certs {} {
    The former corresponds to the "CAfile" STUNNEL parameter.
    The latter corresponds to the "CApath" STUNNEL parameter.
-    See stunnel(8) or www.stunnel.org for more information.
+    See stunnel(8) or stunnel.mirt.net for more information.
    If the remote VNC Server fails to authenticate itself with respect to the
    specified certificate(s), then the VNC Viewer (your side) will drop the
@@ -1936,7 +2139,7 @@ proc help_certs {} {
        http://www.karlrunge.com/x11vnc/faq.html#faq-ssl-tunnel-ext
        http://www.karlrunge.com/x11vnc/ssl.html
-        http://www.stunnel.org
+        http://stunnel.mirt.net
    A common way to create and use a VNC Server certificate is:
@@ -2055,7 +2258,7 @@ set msg {
    On MacOSX try to use the bundled X11 vncviewer instead of the
    Chicken of the VNC viewer; the Xquartz X server must be installed
    (it is by default on 10.5.x) and the DISPLAY variable must be set
-    (see Tip 12 of SSVNC Help to do this manually.)
+    (see Tip 15 of SSVNC Help to do this manually.)
 Advanced Options:
@@ -2325,6 +2528,7 @@ set msg {
  Reverse VNC Connection:
            Reverse (listening) VNC connections are possible as well.
+            Enable with this button "Reverse VNC Connection (-LISTEN)"
            In this case the VNC Server initiates the connection to your
            waiting (i.e. listening) SSVNC viewer.
@@ -2362,6 +2566,12 @@ set msg {
            The "listen.pem" will be reused in later SSL Listening
            connections unless you specify a different one with MyCert.
+            On Windows or using a 3rd party VNC Viewer multiple,
+            simultaneous reverse connections are always enabled.
+            On Unix/MacOSX with the provided ssvncviewer they are disabled
+            by default.  To enable them:
+            Options -> Advanced -> Unix ssvncviewer -> Multiple LISTEN Conns.
            For reverse connections in SSH or SSH + SSL modes it is a
            little trickier.  The SSH tunnel (with -R tunnel) must be
            established and remain up waiting for reverse connections.
@@ -2388,6 +2598,10 @@ set msg {
            viewers supplied in the SSVNC package will only listen on
            localhost so these precautions are not needed.
+            Specify a specific interface, e.g. 192.168.1.1:0 to have stunnel
+            only listen on that interface.  IPv6 works too, e.g. :::0 or ::1:0
+            Also works for UN-encrypted reverse connections as well ('None').
            Note that for SSL connections use of "Proxy/Gateway" does not
            make sense: the remote side cannot initiate its reverse connection
            via the Proxy.
@@ -2413,7 +2627,7 @@ set msg {
                           instead of the Chicken of the VNC viewer;
                           The Xquartz X server must be installed (it is by
                           default on 10.5.x) and the DISPLAY variable must
-                           be set (see Tip 12 of Help to do this manually.)
+                           be set (see Tip 15 of Help to do this manually.)
                           Put cotvnc=1 in ~/.ssvncrc to switch the default.
  Kill Stunnel Automatically:
@@ -2492,7 +2706,7 @@ set msg {
             a check item "None" on the main panel and also a "No
             Encryption" check item in the "Options" panel.  If you
             select this item, there will be NO encryption for the VNC
-             connection (use cautiously) See Tip 3) under Help for more
+             connection (use cautiously) See Tip 5) under Help for more
             information about disabling encryption.
@@ -3227,6 +3441,9 @@ proc do_viewer_windows {n} {
 			append cmd " /quality $use_quality"
 		}
 	}
+	set ipv6_pid2 ""
+	set extra  ""
 	if {$use_listen} {
 		if {$vncviewer_realvnc4} {
 			append cmd " listen=1"
@@ -3237,7 +3454,18 @@ proc do_viewer_windows {n} {
 		if {$nn < 100} {
 			set nn [expr "$nn + 5500"] 
 		}
+		global direct_connect_reverse_host_orig is_win9x
+		if {$direct_connect_reverse_host_orig != "" && !$is_win9x} {
+			set nn2 [expr $nn + 15]
+			set h0 $direct_connect_reverse_host_orig
+			global win_localhost
+			set extra "\n\n   relay6.exe $nn $win_localhost $nn2 /b:$h0"
+			set ipv6_pid2 [exec relay6.exe $nn $win_localhost $nn2 /b:$h0 &]
+			set nn $nn2
+		}
 		append cmd " $nn"
 		global did_listening_message
 		if {$did_listening_message < 3} {
 			incr did_listening_message
@@ -3268,7 +3496,7 @@ proc do_viewer_windows {n} {
   ONLY AFTER THAT will you return to the SSVNC GUI.
-   Click OK now to start the Listening VNC Viewer.
+   Click OK now to start the Listening VNC Viewer.$extra
 "
 			global use_ssh use_sshssl
 			if {$use_ssh || $use_sshssl} {
@@ -3322,6 +3550,11 @@ proc do_viewer_windows {n} {
 	mesg $cmd
 	set emess ""
 	set rc [catch {eval exec $cmd} emess]
+	if {$ipv6_pid2 != ""} {
+		winkill $ipv6_pid2
+	}
 	if {$rc != 0} {
 		raise .
 		tk_messageBox -type ok -icon error -message $emess -title "Error: $cmd"
@@ -3422,6 +3655,50 @@ proc guess_nat_ip {} {
 	return $ip
 }
+proc check_for_ipv6 {} {
+	global is_windows have_ipv6
+	if {$have_ipv6 != ""} {
+		return
+	}
+	if {! $is_windows} {
+		set out ""
+		catch {set out [exec netstat -an]}
+		if [regexp {tcp6} $out] {
+			set have_ipv6 1
+		} elseif [regexp {udp6} $out] {
+			set have_ipv6 1
+		} elseif [regexp {:::} $out] {
+			set have_ipv6 1
+		} elseif [regexp {::1} $out] {
+			set have_ipv6 1
+		} elseif [regexp {TCP: IPv6.*LISTEN} $out] {
+			set have_ipv6 1
+		} else {
+			set have_ipv6 0
+		}
+	} else {
+		set out [get_ipconfig]
+		set out [string trim $out]
+		if {$out == ""} {
+			catch {set out [exec ping6 -n 1 -w 2000 ::1]}
+			if [regexp {Reply from.*bytes} $out] {
+				if [regexp {Received = 1} $out] {
+					set have_ipv6 1
+					return
+				}
+			}
+			set have_ipv6 0
+			return
+		}
+		foreach line [split $out "\n\r"] {
+			if {[regexp -nocase {IP Address.*:[ \t]*[a-f0-9]*:[a-f0-9]*:} $line]} {
+				set have_ipv6 1
+				return
+			}
+		}
+		set have_ipv6 0
+	}
+}
 proc guess_ip {} {
 	global is_windows
 	if {! $is_windows} {
@@ -3458,6 +3735,31 @@ proc guess_ip {} {
 				}
 			}
 		}
+		foreach line [split $out "\n\r"] {
+			if {[regexp -nocase {IP Address.*:[ \t]*([:a-f0-9][%:a-f0-9]*)} $line mvar ip]} {
+				set ip [string trim $ip]
+				if [regexp {^[.0]*$} $ip] {
+					continue
+				}
+				if [regexp {127\.0\.0\.1} $ip] {
+					continue
+				}
+				if {$ip != ""} {
+					return $ip
+				}
+			}
+		}
+	}
+}
+proc bat_sleep {fh} {
+	global env
+	if [info exists env(SSVNC_BAT_SLEEP)] {
+		puts $fh "@echo ."
+		puts $fh "@echo -----"
+		puts $fh "@echo Debug: BAT SLEEP for $env(SSVNC_BAT_SLEEP) seconds ..."
+		puts $fh "@ping -n $env(SSVNC_BAT_SLEEP) -w 1000 0.0.0.1 > NUL"
+		puts $fh "@echo BAT SLEEP done."
 	}
 }
@@ -3470,15 +3772,24 @@ proc windows_start_sound_daemon {file} {
 	set fh2 [open $file2 "w"]
 	puts $fh2 $sound_daemon_local_cmd
+	bat_sleep $fh2
 	puts $fh2 "del $file2"
 	close $fh2
 	mesg "Starting SOUND daemon..."
 	if [info exists env(COMSPEC)] {
+		if [info exists env(SSVNC_BAT_SLEEP)] {
+			exec $env(COMSPEC) /c start $env(COMSPEC) /c $file2 &
+		} else {
 			exec $env(COMSPEC) /c $file2 &
+		}
+	} else {
+		if [info exists env(SSVNC_BAT_SLEEP)] {
+			exec cmd.exe /c start cmd.exe /c $file2 &
 		} else {
 			exec cmd.exe /c $file2 &
 		}
+	}
 	after 1500
 }
@@ -3564,10 +3875,11 @@ proc make_plink {} {
 }
 proc ssh_split {str} {
-	if {! [regexp {:} $str]} {
+	regsub { .*$} $str "" str
+	if {! [regexp {:[0-9][0-9]*$} $str]} {
 		append str ":22"
 	}
-	regsub {:.*$} $str "" ssh_host
+	regsub {:[0-9][0-9]*$} $str "" ssh_host
 	regsub {^.*:} $str "" ssh_port
 	if {$ssh_port == ""} {
 		set ssh_port 22
@@ -3624,10 +3936,12 @@ proc launch_windows_ssh {hp file n} {
 	set vnc_disp $hpnew
 	regsub {^.*:} $vnc_disp "" vnc_disp
+	regsub {\.bat} $file ".flg" flag
 	if {$ts_only} {
 		regsub {:0$} $hpnew "" hpnew 
 		if {$proxy == ""} {
-			if {[regexp {^([^:]*):([0-9][0-9]*)$} $hpnew mv sshhst sshpt]} {
+			if {[regexp {^(.*):([0-9][0-9]*)$} $hpnew mv sshhst sshpt]} {
 				set proxy "$sshhst:$sshpt"
 				set hpnew $win_localhost
 			}
@@ -3677,9 +3991,11 @@ proc launch_windows_ssh {hp file n} {
 		set vnc_port $vnc_disp
 	}
+	global ssh_ipv6_pid
+	set ssh_ipv6_pid ""
 	set ssh_port 22
-	set ssh_host $hpnew
+	set ssh_host [host_part $hpnew]
-	regsub {:.*$} $ssh_host "" ssh_host
 	set double_ssh ""
 	set p_port ""
@@ -3749,12 +4065,20 @@ proc launch_windows_ssh {hp file n} {
 				set port2 [rand_port]
 			}
+			global have_ipv6
+			if {$have_ipv6} {
+				set res [ipv6_proxy $pproxy "" ""]
+				set pproxy    [lindex $res 0]
+				set ssh_ipv6_pid [lindex $res 3]
+			}
 			set env(SSVNC_PROXY) $pproxy
 			set env(SSVNC_LISTEN) $port2
 			set env(SSVNC_DEST) "$sproxy1_host:$sproxy1_port"
 			mesg "Starting Proxy TCP helper on port $port2 ..."
 			after 300
+			# ssh br case:
 			set proxy_pid [exec "connect_br.exe" &]
 			catch { unset env(SSVNC_PROXY)  }
@@ -3779,6 +4103,8 @@ proc launch_windows_ssh {hp file n} {
 			if {$is_win9x} {
 				mesg "Double proxy does not work on Win9x"
 				bell
+				winkill $ssh_ipv6_pid
+				set ssh_ipv6_pid ""
 				return 0
 			}
 			# user1@gateway:port1,user2@workstation:port2
@@ -3806,6 +4132,13 @@ proc launch_windows_ssh {hp file n} {
 			set ssh_host2 [lindex $s 1]
 			set ssh_port2 [lindex $s 2]
+			if {! [regexp {^[0-9][0-9]*$} $ssh_port1]} {
+				set ssh_port1 22
+			}
+			if {! [regexp {^[0-9][0-9]*$} $ssh_port2]} {
+				set ssh_port2 22
+			}
 			set u1 ""
 			if {$ssh_user1 != ""} {
 				set u1 "${ssh_user1}@"
@@ -3823,16 +4156,14 @@ proc launch_windows_ssh {hp file n} {
 			set proxy_use $proxy
 		}
-		set ssh_host $proxy_use
+		set ssh_host [host_part $proxy_use]
-		regsub {:.*$} $ssh_host "" ssh_host
-		set ssh_port $proxy_use
+		set ssh_port [port_part $proxy_use]
-		regsub {^.*:} $ssh_port "" ssh_port
+		if {! [regexp {^[0-9][0-9]*$} $ssh_port]} {
-		if {$ssh_port == ""} {
 			set ssh_port 22
 		}
-		set vnc_host $hpnew
+		set vnc_host [host_part $hpnew]
-		regsub {:.*$} $vnc_host "" vnc_host
 		if {$vnc_host == ""} {
 			set vnc_host $win_localhost
 		}
@@ -3841,6 +4172,8 @@ proc launch_windows_ssh {hp file n} {
 	if {![regexp {^[^ 	][^ 	]*@} $ssh_host]} {
 		mesg "You must supply a username: user@host..."
 		bell
+		winkill $ssh_ipv6_pid
+		set ssh_ipv6_pid ""
 		return 0
 	}
@@ -3898,6 +4231,7 @@ proc launch_windows_ssh {hp file n} {
 			regsub {\.bat} $file "pre.cmd" file_pre_cmd
 			set fh [open $file_pre_cmd "w"]
 			puts $fh "$setup_cmds sleep 10; "
+			bat_sleep $fh
 			close $fh
 			# VF
@@ -3917,11 +4251,13 @@ proc launch_windows_ssh {hp file n} {
 			}
 			puts $fh $plink_str
+			bat_sleep $fh
+			if {![info exists env(SSVNC_NO_DELETE)]} {
 				if {$file_pre_cmd != ""} {
 					puts $fh "del $file_pre_cmd"
 				}
 				puts $fh "del $file_pre"
+			}
 			close $fh
 		}
 	}
@@ -3995,6 +4331,7 @@ proc launch_windows_ssh {hp file n} {
 			append str " sleep $sleep; "
 		}
 		puts $fh_cmd $str
+		bat_sleep $fh_cmd
 		close $fh_cmd
 		set sshcmd $setup_cmds
@@ -4083,10 +4420,14 @@ proc launch_windows_ssh {hp file n} {
 		puts $fh "echo \" \""
 	}
 	puts $fh $plink_str
+	bat_sleep $fh
+	puts $fh "del $flag"
+	if {![info exists env(SSVNC_NO_DELETE)]} {
 		if {$file_cmd != ""} {
 			puts $fh "del $file_cmd"
 		}
 		puts $fh "del $file"
+	}
 	close $fh
 	catch {destroy .o}
@@ -4094,6 +4435,7 @@ proc launch_windows_ssh {hp file n} {
 	catch {destroy .os}
 	if { ![do_port_knock $ssh_host start]} {
+		if {![info exists env(SSVNC_NO_DELETE)]} {
 			catch {file delete $file}
 			if {$file_cmd != ""} {
 				catch {file delete $file_cmd}
@@ -4101,6 +4443,9 @@ proc launch_windows_ssh {hp file n} {
 			if {$file_pre != ""} {
 				catch {file delete $file_pre}
 			}
+		}
+		winkill $ssh_ipv6_pid
+		set ssh_ipv6_pid ""
 		return 0
 	}
@@ -4111,7 +4456,11 @@ proc launch_windows_ssh {hp file n} {
 		regsub {\.bat} $file "dob.bat" file_double
 		set fhdouble [open $file_double "w"]
 		puts $fhdouble $plink_str_double_ssh
+		bat_sleep $fhdouble
+		puts $fhdouble "del $flag"
+		if {![info exists env(SSVNC_NO_DELETE)]} {
 			puts $fhdouble "del $file_double"
+		}
 		close $fhdouble
 		set com "cmd.exe"
@@ -4119,7 +4468,16 @@ proc launch_windows_ssh {hp file n} {
 			set com $env(COMSPEC)
 		}
+		set ff [open $flag "w"]
+		puts $ff "flag"
+		close $ff
+		global env
+		if [info exists env(SSVNC_BAT_SLEEP)] {
+			exec $com /c start $com /c $file_double &
+		} else {
 			exec $com /c $file_double &
+		}
 		set waited 0
 		set gotit 0
@@ -4139,7 +4497,11 @@ proc launch_windows_ssh {hp file n} {
 				break
 			}
 			set waited [expr "$waited + 500"]
+			if {![file exists $flag]} {
+				break
 			}
+		}
+		catch {file delete $flag}	
 		if {! $gotit} {
 			after 5000
 		}
@@ -4155,6 +4517,10 @@ proc launch_windows_ssh {hp file n} {
 		}
 	}
+	set ff [open $flag "w"]
+	puts $ff "flag"
+	close $ff
 	if {$is_win9x} {
 		if {$wdraw} {
 			wm withdraw .
@@ -4198,7 +4564,12 @@ proc launch_windows_ssh {hp file n} {
 			mesg "Click on *This* Label when done with 1st SSH 0/$sl"
 			after 600
+			global env
+			if [info exists env(SSVNC_BAT_SLEEP)] {
+				exec $com /c start $com /c $file_pre &
+			} else {
 				exec $com /c $file_pre &
+			}
 			catch {lower .; update; raise .; update}
@@ -4227,12 +4598,18 @@ proc launch_windows_ssh {hp file n} {
 		if {$wdraw} {
 			wm withdraw .
 		}
 		update
 		if {$do_shell && [regexp {FINISH} $port_knocking_list]} {
 			catch {exec $com /c $file}
+		} else {
+			global env
+			if [info exists env(SSVNC_BAT_SLEEP)] {
+				exec $com /c start $com /c $file &
 			} else {
 				exec $com /c $file &
 			}
+		}
 		after 1000
 	}
@@ -4244,8 +4621,10 @@ proc launch_windows_ssh {hp file n} {
 		}
 		return 1
 	}
+	set made_plink 0
 	if {$is_win9x} {
 		make_plink
+		set made_plink 1
 	}
 	global plink_status
 	set plink_status ""
@@ -4279,8 +4658,17 @@ proc launch_windows_ssh {hp file n} {
 		if {$cnt >= 12} {
 			set cnt 0
 		}
+		if {![file exists $flag]} {
+			set plink_status flag_gone
+			break
+		}
 	}
+	catch {file delete $flag}	
 	if {$plink_status == ""} {
+		if {! $made_plink} {
+			make_plink
+			set made_plink 1
+		}
 		vwait plink_status
 	}
@@ -4300,6 +4688,13 @@ proc launch_windows_ssh {hp file n} {
 	}
 	if {$plink_status != "yes"} {
+		set m "unknown"
+		if {$plink_status == "flag_gone"} {
+			set m "plink script failed"
+		} elseif {$plink_status == ""} {
+			set m "timeout"
+		}
+		mesg "Error ($m) to $hp"
 		wm deiconify .
 	} else {
 		after 1000
@@ -4312,6 +4707,7 @@ proc launch_windows_ssh {hp file n} {
 		do_port_knock $ssh_host finish
 	}
+	if {![info exists env(SSVNC_NO_DELETE)]} {
 		if {$file != ""} {
 			catch {file delete $file}	
 		}
@@ -4324,6 +4720,10 @@ proc launch_windows_ssh {hp file n} {
 		if {$file_double != ""} {
 			catch {file delete $file_double}	
 		}
+	}
+	winkill $ssh_ipv6_pid
+	set ssh_ipv6_pid ""
 	global sound_daemon_local_kill
 	if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
@@ -4684,7 +5084,7 @@ proc do_unix_pre {tag proxy hp pk_hp}  {
 	if {$proxy == ""} {
 		set pxy $hp
-		regsub {:.*$} $pxy "" pxy
+		regsub {:[0-9][0-9]*$} $pxy "" pxy
 		set c "$c -proxy '$pxy'"
 	} else {
 		set c "$c -proxy '$proxy'"
@@ -5031,7 +5431,7 @@ proc fetch_cert {save} {
 		if [regexp {CONNECTED} $cert_text] {
 			if {[regexp -nocase -line {cipher.*ADH} $cert_text]} {
 				# it is Anonymous Diffie Hellman
-				mesg "WARNING: Anonymous Diffie Hellman Server detected (no Cert)"
+				mesg "WARNING: Anonymous Diffie Hellman Server detected (NO CERT)"
 				after 300
 				.f4.getcert configure -state normal
 				return $cert_text
@@ -5044,7 +5444,7 @@ proc fetch_cert {save} {
 	global vencrypt_detected server_vencrypt
 	if {$vencrypt_detected != "" && !$server_vencrypt} {
-		mesg "VeNCrypt/ANONTLS server detected."
+		mesg "VeNCrypt or ANONTLS server detected."
 		after 600
 	}
@@ -5247,15 +5647,35 @@ proc fetch_dialog {cert_text hp hpnew ok n} {
 	jiggle_text .fetch.f.t
 }
+proc host_part {hp} {
+	regsub {^ *}  $hp "" hp
+	regsub { .*$} $hp "" hp
+	if [regexp {^[0-9][0-9]*$} $hp] {
+		return ""
+	}
+	set h $hp
+	regsub {:[0-9][0-9]*$} $hp "" h
+	return $h
+}
+proc port_part {hp} {
+	regsub { .*$} $hp "" hp
+	set p ""
+	if [regexp {:([0-9][0-9]*)$} $hp m val] {
+		set p $val
+	}
+	return $p
+}
 proc get_vencrypt_proxy {hpnew} {
 	if [regexp -nocase {^vnc://} $hpnew] {
 		return ""
 	}
 	set hpnew  [get_ssh_hp $hpnew]
-	regsub -nocase {^[A-z+]*://} $hpnew "" hpnew
+	regsub -nocase {^[a-z0-9+]*://} $hpnew "" hpnew
-	set list [split $hpnew ":"] 
+	set h [host_part $hpnew]
-	set h [lindex $list 0]
+	set p [port_part $hpnew]
-	set p [lindex $list 1]
 	if {$p == ""} {
 		# might not matter, i.e. SSH+SSL only...
@@ -5306,13 +5726,130 @@ proc fetch_cert_unix {hp {vencrypt 0} {anondh 0}} {
 		lappend cmd "2>/dev/null"
 	}
 	global env
-if [info exists env(CERTDBG)] {puts "\nFetch-cmd: $cmd"}
+	if [info exists env(CERTDBG)] {puts "\nFetch-cmd: $cmd"}
 	set env(SSVNC_SHOWCERT_EXIT_0) 1
 	return [eval exec $cmd]
 }
+proc win_nslookup {host} {
+	global win_nslookup_cache
+	if [info exists win_nslookup_cache($host)] {
+		return $win_nslookup_cache($host)
+	}
+	if [regexp -nocase {[^a-z0-9:._-]} $host]  {
+		set win_nslookup_cache($host) "invalid"
+		return $win_nslookup_cache($host)
+	}
+	if [regexp {^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$} $host] {
+		set win_nslookup_cache($host) $host
+		return $win_nslookup_cache($host)
+	}
+	if [regexp -nocase {^[a-f0-9]*:[a-f0-9:]*:[a-f0-9:]*$} $host] {
+		set win_nslookup_cache($host) $host
+		return $win_nslookup_cache($host)
+	}
+	set nsout ""
+	catch {set nsout [exec nslookup $host]}
+	if {$nsout == "" || [regexp -nocase {server failed} $nsout]} {
+		after 250
+		set nsout ""
+		catch {set nsout [exec nslookup $host]}
+	}
+	if {$nsout == "" || [regexp -nocase {server failed} $nsout]} {
+		set win_nslookup_cache($host) "unknown"
+		return $win_nslookup_cache($host)
+	}
+	regsub -all {Server:[^\n]*\nAddress:[^\n]*} $nsout "" nsout
+	regsub {^.*Name:} $nsout "" nsout
+	if [regexp {Address:[ \t]*([^\n]+)} $nsout mv addr] {
+		set addr [string trim $addr]
+		if {$addr != ""} {
+			set win_nslookup_cache($host) $addr
+			return $win_nslookup_cache($host)
+		}
+	}
+	set win_nslookup_cache($host) "unknown"
+	return $win_nslookup_cache($host)
+}
+proc win_ipv4 {host} {
+	global win_localhost
+	set ip [win_nslookup $host];
+	if [regexp {^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$} $ip] {
+		return 1
+	}
+	return 0
+}
+proc ipv6_proxy {proxy host port} {
+	global is_windows win_localhost have_ipv6
+	if {!$have_ipv6} {
+		return [list $proxy $host $port ""]
+	} elseif {!$is_windows} {
+		return [list $proxy $host $port ""]
+	} else {
+		set h0 ""
+		set p0 ""
+		set port3 ""
+		set ipv6_pid ""
+		set proxy0 $proxy
+		if {$proxy == ""} {
+			if [win_ipv4 $host] {
+				return [list $proxy $host $port ""]
+			}
+			set port3 [rand_port] 
+			set h0 $host
+			set p0 $port
+			set host $win_localhost
+			set port $port3
+		} else {
+			set parts [split $proxy ","] 
+			set n [llength $parts]
+			for {set i 0} {$i < $n} {incr i} {
+				set part [lindex $parts $i]
+				set prefix ""
+				regexp -nocase {^[a-z0-9+]*://} $part prefix
+				regsub -nocase {^[a-z0-9+]*://}	$part "" part
+				set modit 0
+				set h1 ""
+				set p1 ""
+				if [regexp {^(.*):([0-9][0-9]*)$} $part mvar h1 p1] {
+					if {$h1 == "localhost" || $h1 == $win_localhost} {
+						continue
+					} elseif [win_ipv4 $h1] {
+						break
+					}
+					set modit 1
+				} else {
+					break
+				}
+				if {$modit} {
+					set port3 [rand_port] 
+					set h0 $h1
+					set p0 $p1
+					lset parts $i "$prefix$win_localhost:$port3"
+					break
+				}
+			}
+			if {$h0 != "" && $p0 != "" && $port3 != ""} {
+				set proxy [join $parts ","]
+				#mesg "Reset proxy: $proxy"; after 3000
+			}
+		}
+		if {$h0 != "" && $p0 != "" && $port3 != ""} {
+			mesg "Starting IPV6 helper on port $port3 ..."
+			set ipv6_pid [exec relay6.exe $port3 "$h0" "$p0" /b:$win_localhost &]
+			after 400
+			#mesg "r6 $port3 $h0 $p0"; after 3000
+		}
+		return [list $proxy $host $port $ipv6_pid]
+	}
+}
 proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
+	global have_ipv6
 	regsub {^vnc.*://} $hp "" hp
@@ -5329,11 +5866,10 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 		}
 	}
-	set list [split $hpnew ":"] 
+	set host [host_part $hpnew]
 	global win_localhost
-	set host [lindex $list 0]
 	if {$host == ""} {
 		set host $win_localhost
 	}
@@ -5343,9 +5879,7 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 		regsub {^.*@} $host "" host
 	}
-	set disp [lindex $list 1]
+	set disp [port_part $hpnew]
-	set disp [string trim $disp]
-	regsub { .*$} $disp "" disp
 	if {[regexp {^-[0-9][0-9]*$} $disp]} {
 		;
@@ -5360,6 +5894,15 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 		set port $disp
 	}
+	set ipv6_pid ""
+	if {$have_ipv6} {
+		set res [ipv6_proxy $proxy $host $port]
+		set proxy    [lindex $res 0]
+		set host     [lindex $res 1]
+		set port     [lindex $res 2]
+		set ipv6_pid [lindex $res 3]
+	}
 	if {$proxy != ""} {
 		global env
@@ -5384,8 +5927,10 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 		set host $win_localhost
 		set port $port2
 		mesg "Starting Proxy TCP helper on port $port2 ..."
-		after 500
+		after 300
+		# fetch cert br case:
 		set proxy_pid [exec "connect_br.exe" &]
 		if {$sp == ""} {
@@ -5451,6 +5996,10 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 			foreach pid $pids {
 				winkill $pid
 			}
+			if {$ipv6_pid != ""} {
+				winkill $ipv6_pid
+			}
 			catch {close $ph}
 			catch {file delete $tin $tou}
 			return $text
@@ -5511,6 +6060,9 @@ proc fetch_cert_windows {hp {vencrypt 0} {anondh 0}} {
 		close $ph
 	}
 	catch {file delete $tin $tou}
+	if {$ipv6_pid != ""} {
+		winkill $ipv6_pid
+	}
 	return $text
 }
@@ -6551,6 +7103,24 @@ proc launch_unix {hp} {
 		set env(SSVNC_MULTIPLE_LISTEN) "1"
 	}
+	if {$use_ssh} {
+		;
+	} elseif {$use_sshssl} {
+		;
+	} elseif {$use_ssl} {
+		set prox  [get_ssh_proxy $hp]
+		if {$prox != "" && [regexp {@} $prox]} {
+			mesg "Error: proxy contains '@'  Did you mean to use SSH mode?"
+			bell
+			return
+		}
+		if [regexp {@} $hp] {
+			mesg "Error: host contains '@'  Did you mean to use SSH mode?"
+			bell
+			return
+		}
+	}
 	if {$use_ssh || $use_sshssl} {
 		if {$ssh_local_protection} {
 			if {![info exists env(LIM_ACCEPT)]} {
@@ -6600,6 +7170,7 @@ proc launch_unix {hp} {
 		if {$ts_only} {
 			regsub {:0$} $hpnew "" hpnew 
 			if {$proxy == ""} {
+				# XXX host_part
 				if {[regexp {^([^:]*):([0-9][0-9]*)$} $hpnew mv sshhst sshpt]} {
 					set proxy "$sshhst:$sshpt"
 					set hpnew "localhost"
@@ -6729,7 +7300,8 @@ proc launch_unix {hp} {
 			set env(SS_VNCVIEWER_SSH_ONLY) 1
 			if {$proxy == ""} {
 				set hpt $hpnew
-				regsub {:[0-9]*$} $hpt "" hpt
+				# XXX host_part
+				regsub {:[0-9][0-9]*$} $hpt "" hpt
 				set cmd "$cmd -proxy '$hpt'"
 			}
 			set geometry [xterm_center_geometry]
@@ -7177,7 +7749,9 @@ proc launch_unix {hp} {
 	init_unixpw $hp
+	if {! $do_direct} {
 		vencrypt_tutorial_mesg
+	}
 	wm withdraw .
 	update
@@ -7347,6 +7921,11 @@ proc note_stunnel_pids {when} {
 proc del_launch_windows_ssh_files {} {
 	global launch_windows_ssh_files
+	global env
+	if {[info exists env(SSVNC_NO_DELETE)]} {
+		return
+	}
 	if {$launch_windows_ssh_files != ""} {
 		foreach tf [split $launch_windows_ssh_files] {
@@ -7526,7 +8105,7 @@ proc launch {{hp ""}} {
 		regsub {^.*HOME=} $t "" t
 		set t [string trim $t]
 		set env(SSVNC_HOME) $t
-		mesg "set SSVNC_HOME to $t"
+		mesg "Set SSVNC_HOME to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7535,7 +8114,7 @@ proc launch {{hp ""}} {
 		regsub {^.*DISPLAY=} $t "" t
 		set t [string trim $t]
 		set env(DISPLAY) $t
-		mesg "set DISPLAY to $t"
+		mesg "Set DISPLAY to $t"
 		set vncdisplay ""
 		global uname darwin_cotvnc
 		if {$uname == "Darwin"} {
@@ -7553,7 +8132,7 @@ proc launch {{hp ""}} {
 		set t [string trim $t]
 		set env(DYLD_LIBRARY_PATH) $t
 		set env(SSVNC_DYLD_LIBRARY_PATH) $t
-		mesg "set DYLD_LIBRARY_PATH to $t"
+		mesg "Set DYLD_LIBRARY_PATH to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7562,7 +8141,7 @@ proc launch {{hp ""}} {
 		regsub {^.*SLEEP=} $t "" t
 		set t [string trim $t]
 		set env(SSVNC_EXTRA_SLEEP) $t
-		mesg "set SSVNC_EXTRA_SLEEP to $t"
+		mesg "Set SSVNC_EXTRA_SLEEP to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7571,7 +8150,7 @@ proc launch {{hp ""}} {
 		regsub {^.*SSH=} $t "" t
 		set t [string trim $t]
 		set env(SSH) $t
-		mesg "set SSH to $t"
+		mesg "Set SSH to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7580,7 +8159,25 @@ proc launch {{hp ""}} {
 		regsub {^.*=} $t "" t
 		set t [string trim $t]
 		set env(SSVNC_FINISH_SLEEP) $t
-		mesg "set SSVNC_FINISH_SLEEP to $t"
+		mesg "Set SSVNC_FINISH_SLEEP to $t"
+		set vncdisplay ""
+		return 0
+	}
+	if {[regexp {^NO_DELETE=} $hpt] || [regexp {^SSVNC_NO_DELETE=} $hpt]} {
+		set t $hpt
+		regsub {^.*=} $t "" t
+		set t [string trim $t]
+		set env(SSVNC_NO_DELETE) $t
+		mesg "Set SSVNC_NO_DELETE to $t"
+		set vncdisplay ""
+		return 0
+	}
+	if {[regexp {^BAT_SLEEP=} $hpt] || [regexp {^SSVNC_BAT_SLEEP=} $hpt]} {
+		set t $hpt
+		regsub {^.*=} $t "" t
+		set t [string trim $t]
+		set env(SSVNC_BAT_SLEEP) $t
+		mesg "Set SSVNC_BAT_SLEEP to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7589,7 +8186,7 @@ proc launch {{hp ""}} {
 		regsub {^.*DEBUG_NETSTAT=} $t "" t
 		global debug_netstat
 		set debug_netstat $t
-		mesg "set DEBUG_NETSTAT to $t"
+		mesg "Set DEBUG_NETSTAT to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7597,7 +8194,7 @@ proc launch {{hp ""}} {
 		set t $hpt
 		regsub {^.*REPEATER_FORCE=} $t "" t
 		set env(REPEATER_FORCE) $t
-		mesg "set REPEATER_FORCE to $t"
+		mesg "Set REPEATER_FORCE to $t"
 		set vncdisplay ""
 		return 0
 	}
@@ -7619,6 +8216,14 @@ proc launch {{hp ""}} {
 		return 0
 	}
+	if {[regexp -nocase {^IPV6=([01])} $hpt mv val]} {
+		global env have_ipv6
+		set have_ipv6 $val
+		set env(SSVNC_IPV6) $val
+		mesg "Set have_ipv6 to $val"
+		set vncdisplay ""
+		return 0
+	}
 	regsub {[ 	]*cmd=.*$} $hp "" tt
@@ -7637,6 +8242,7 @@ proc launch {{hp ""}} {
 		mac_raise
 		return
 	}
+	# XXX host_part
 	if {! [regexp ":" $hp]} {
 		if {! [regexp {cmd=} $hp]} {
 			set s [string trim $hp]
@@ -7649,7 +8255,7 @@ proc launch {{hp ""}} {
 	}
 	if {!$use_ssl && !$use_ssh && !$use_sshssl && $sshssl_sw == "none"} {
-		regsub -nocase {^[A-z+]*://}	$hp "" hp
+		regsub -nocase {^[a-z0-9+]*://}	$hp "" hp
 		set hp "Vnc://$hp"
 	}
@@ -7840,11 +8446,33 @@ proc launch {{hp ""}} {
 	global listening_name
 	set listening_name ""
+	if {$use_ssh} {
+		;
+	} elseif {$use_sshssl} {
+		;
+	} elseif {$use_ssl} {
+		if {$proxy != "" && [regexp {@} $proxy]} {
+			mesg "Error: proxy contains '@'  Did you mean to use SSH mode?"
+			bell
+			return
+		}
+		if [regexp {@} $hp] {
+			mesg "Error: host contains '@'  Did you mean to use SSH mode?"
+			bell
+			return
+		}
+	}
+	global ssh_ipv6_pid
+	set ssh_ipv6_pid ""
 	if {$use_sshssl} {
 		set rc [launch_windows_ssh $hp $file2 $n2]
 		if {$rc == 0} {
+			if {![info exists env(SSVNC_NO_DELETE)]} {
 				catch {file delete $file1}
 				catch {file delete $file2}
+			}
 			del_launch_windows_ssh_files
 			return
 		}
@@ -7855,11 +8483,11 @@ proc launch {{hp ""}} {
 		return
 	}
-	set list [split $hp ":"] 
+	set host [host_part $hp];
+	set host_orig $host
 	global win_localhost
-	set host [lindex $list 0]
 	if {$host == ""} {
 		set host $win_localhost
 	}
@@ -7871,9 +8499,7 @@ proc launch {{hp ""}} {
 		regsub {^.*@} $host "" host
 	}
-	set disp [lindex $list 1]
+	set disp [port_part $hp]
-	set disp [string trim $disp]
-	regsub { .*$} $disp "" disp
 	if {[regexp {^-[0-9][0-9]*$} $disp]} {
 		;
 	} elseif {$disp == "" || ! [regexp {^[0-9][0-9]*$} $disp]} {
@@ -7998,6 +8624,16 @@ proc launch {{hp ""}} {
 		set proxy [maybe_add_vencrypt $proxy $hp]
 	}
+	set ipv6_pid ""
+	global have_ipv6
+	if {$have_ipv6} {
+		set res [ipv6_proxy $proxy $host $port]
+		set proxy    [lindex $res 0]
+		set host     [lindex $res 1]
+		set port     [lindex $res 2]
+		set ipv6_pid [lindex $res 3]
+	}
 	if {$proxy != ""} {
 		if {$use_sshssl} {
 			;
@@ -8063,6 +8699,9 @@ proc launch {{hp ""}} {
 			}
 			set listening_name "$hn:$port  (or nn.nn.nn.nn:$port, etc.)"
 		}
+		if {$host_orig != "" && $hloc == ""} {
+			set hloc "$host_orig:"
+		}
 		puts $fh "accept = $hloc$port"
 		puts $fh "connect = $win_localhost:$port2"
 	}
@@ -8079,7 +8718,17 @@ proc launch {{hp ""}} {
 	}
 	if {$fail} {
+		if {![info exists env(SSVNC_NO_DELETE)]} {
 			catch {file delete $file1}
+		}
+		catch { unset env(SSVNC_PROXY) }
+		catch { unset env(SSVNC_LISTEN) }
+		catch { unset env(SSVNC_REVERSE) }
+		catch { unset env(SSVNC_DEST) }
+		catch { unset env(SSVNC_PREDIGESTED_HANDSHAKE) }
+		winkill $ipv6_pid
+		winkill $ssh_ipv6_pid
+		set ssh_ipv6_pid ""
 		return
 	}
@@ -8087,19 +8736,23 @@ proc launch {{hp ""}} {
 	set proxy_pid ""
 	set proxy_pid2 ""
 	if {$proxy != ""} {
 		if [regexp {vencrypt:} $proxy] {
 			set vport [expr "$n1 + 5900"]
 			mesg "Starting VeNCrypt helper on port $vport,$port3 ..."
 			after 500
+			if {![info exists env(SSVNC_NO_DELETE)]} {
 				catch {file delete "$file1.pre"}
+			}
 			set env(SSVNC_PREDIGESTED_HANDSHAKE) "$file1.pre"
 			set env(SSVNC_VENCRYPT_VIEWER_BRIDGE) "$vport,$port3"
 			set proxy_pid2 [exec "connect_br.exe" &]
 			catch { unset env(SSVNC_VENCRYPT_VIEWER_BRIDGE) }
 		}
-		mesg "Starting VeNCrypt TCP helper on port $port ..."
+		mesg "Starting TCP helper on port $port ..."
-		after 500
+		after 400
+		# ssl br case:
 		set proxy_pid [exec "connect_br.exe" &]
 		catch { unset env(SSVNC_PROXY) }
 		catch { unset env(SSVNC_LISTEN) }
@@ -8136,7 +8789,9 @@ proc launch {{hp ""}} {
 	del_launch_windows_ssh_files
+	if {![info exists env(SSVNC_NO_DELETE)]} {
 		catch {file delete $file1}
+	}
 	if {$debug} {
 		;
@@ -8169,6 +8824,9 @@ proc launch {{hp ""}} {
 		win_nokill_msg
 	}
 	mesg "Disconnected from $hp."
+	winkill $ipv6_pid
+	winkill $ssh_ipv6_pid
+	set ssh_ipv6_pid ""
 	global is_win9x use_sound sound_daemon_local_kill sound_daemon_local_cmd
 	if {! $is_win9x && $use_sound && $sound_daemon_local_kill && $sound_daemon_local_cmd != ""} {
@@ -8187,11 +8845,11 @@ proc direct_connect_windows {{hp ""}} {
 	global listening_name
 	set listening_name ""
-	set list [split $hp ":"] 
+	set host [host_part $hp]
-	global win_localhost
+	set host_orig $host
-	set host [lindex $list 0]
+	global win_localhost
 	if {$host == ""} {
 		set host $win_localhost
 	}
@@ -8203,9 +8861,7 @@ proc direct_connect_windows {{hp ""}} {
 		regsub {^.*@} $host "" host
 	}
-	set disp [lindex $list 1]
+	set disp [port_part $hp]
-	set disp [string trim $disp]
-	regsub { .*$} $disp "" disp
 	if {[regexp {^-[0-9][0-9]*$} $disp]} {
 		;
 	} elseif {$disp == "" || ! [regexp {^[0-9][0-9]*$} $disp]} {
@@ -8224,6 +8880,16 @@ proc direct_connect_windows {{hp ""}} {
 		set port $disp
 	}
+	global have_ipv6
+	set ipv6_pid ""
+	if {$have_ipv6 && !$use_listen} {
+		set res [ipv6_proxy $proxy $host $port]
+		set proxy    [lindex $res 0]
+		set host     [lindex $res 1]
+		set port     [lindex $res 2]
+		set ipv6_pid [lindex $res 3]
+	}
 	if {$proxy != ""} {
 		if [regexp {@} $proxy] {
 			bell
@@ -8250,13 +8916,18 @@ proc direct_connect_windows {{hp ""}} {
 	}
 	if {$fail} {
+		catch { unset env(SSVNC_PROXY) }
+		catch { unset env(SSVNC_LISTEN) }
+		catch { unset env(SSVNC_DEST) }
+		winkill $ipv6_pid
 		return
 	}
 	set proxy_pid ""
 	if {$proxy != ""} {
 		mesg "Starting Proxy TCP helper on port $port ..."
-		after 500
+		after 400
+		# unencrypted br case:
 		set proxy_pid [exec "connect_br.exe" &]
 		catch { unset env(SSVNC_PROXY) }
 		catch { unset env(SSVNC_LISTEN) }
@@ -8275,9 +8946,14 @@ proc direct_connect_windows {{hp ""}} {
 		if {$n >= 5500} {
 			set n [expr $n - 5500]
 		}
+		global direct_connect_reverse_host_orig
+		set direct_connect_reverse_host_orig $host_orig
 		do_viewer_windows "$n"
+		set direct_connect_reverse_host_orig ""
 	} else {
-		if {$port >= 5900} {
+		if {$port >= 5900 && $port < 6100} {
 			set port [expr $port - 5900]
 		}
 		do_viewer_windows "$host:$port"
@@ -8287,6 +8963,8 @@ proc direct_connect_windows {{hp ""}} {
 	mesg "Disconnected from $hp."
+	winkill $ipv6_pid
 	global port_knocking_list
 	if [regexp {FINISH} $port_knocking_list] {
 		do_port_knock $host finish
@@ -10363,7 +11041,8 @@ proc save_profile {{parent "."}} {
 	}
 	set h [string trim $vncdisp]
 	set p $h
-	regsub {:.*$} $h "" h
+	# XXX host_part
+	regsub {:[0-9][0-9]*$} $h "" h
 	set host $h
 	regsub {[ 	].*$} $p "" p
 	regsub {^.*:} $p "" p
@@ -10394,7 +11073,7 @@ proc save_profile {{parent "."}} {
 		set proxyport ""
 	} else {
 		set p $h
-		regsub {:.*$} $h "" h
+		regsub {:[0-9][0-9]*$} $h "" h
 		set proxy $h
 		regsub {[ 	].*$} $p "" p
 		regsub {^.*:} $p "" p
@@ -10499,13 +11178,18 @@ proc rand_port {} {
 	global rand_port_list
 	set p ""
-	for {set i 0} {$i < 20} {incr i} {
+	for {set i 0} {$i < 30} {incr i} {
 		set p [expr 25000 + 35000 * rand()]	
 		set p [expr round($p)]
 		if {![info exists rand_port_list($p)]} {
 			break
 		}
 	}
+	if {$p == ""} {
+		unset rand_port_list
+		set p [expr 25000 + 35000 * rand()]	
+		set p [expr round($p)]
+	}
 	set rand_port_list($p) 1
 	return $p
 }
@@ -10635,7 +11319,7 @@ proc get_smb_redir {} {
 		set lhost ""
 		set lport ""
 		if {$hostport != ""} {
-			if [regexp {(.*):(.*)} $hostport mvar lhost lport] {
+			if [regexp {(.*):([0-9][0-9]*)} $hostport mvar lhost lport] {
 				;
 			} else {
 				set lhost $hostport
@@ -10643,7 +11327,7 @@ proc get_smb_redir {} {
 			}
 		} else {
 			if [regexp {//([^/][^/]*)/} $share mvar h] {
-				if [regexp {(.*):(.*)} $h mvar lhost lport] {
+				if [regexp {(.*):([0-9][0-9]*)} $h mvar lhost lport] {
 					;
 				} else {
 					set lhost $h
@@ -13704,6 +14388,8 @@ proc help_ssvncviewer_opts {} {
         VNCVIEWERCMD             (unix viewer command, default vncviewer)
         VNCVIEWERCMD_OVERRIDE    (force override of VNCVIEWERCMD)
         VNCVIEWERCMD_EXTRA_OPTS  (extra options to pass to VNCVIEWERCMD)
+         VNCVIEWER_LISTEN_LOCALHOST (force ssvncviewer to -listen on localhost)
+         VNCVIEWER_NO_SEC_TYPE_TIGHT(force ssvncviewer to skip rfbSecTypeTight)
         SSVNC_MULTIPLE_LISTEN    (-multilisten, see Multiple LISTEN above)
         SSVNC_ACCEPT_POPUP       (-acceptpopup, see Accept Popup Dialog)
@@ -13731,6 +14417,7 @@ proc help_ssvncviewer_opts {} {
         SSVNC_NO_MAYBE_SYNC
         SSVNC_MAX_LISTEN         (number of time to listen for reverse conn.)
         SSVNC_LISTEN_ONCE        (listen for reverse conn. only once)
+         STUNNEL_LISTEN           (stunnel interface for reverse conn.
         SSVNC_EXIT_DEBUG
         SSVNC_DEBUG_CHAT
         SSVNC_NO_MESSAGE_POPUP
@@ -13749,6 +14436,7 @@ proc help_ssvncviewer_opts {} {
         SSVNC_TEST_SEC_TYPE
         SSVNC_LIM_ACCEPT_PRELOAD
         SSVNC_SOCKS5
+         SSVNC_IPV6               (0 to disable ss_vncviewer ipv6 check)
 }
 	.av.f.t insert end $msg
@@ -14414,7 +15102,7 @@ proc multilisten_dialog {} {
 	wm title .multil "Multiple LISTEN Connections"
 	global help_font
-	set h 35
+	set h 36
 	if [small_height] {
 		set h 30
 	}
@@ -14430,8 +15118,9 @@ proc multilisten_dialog {} {
    This option only applies on Unix or MaOSX when using the supplied
    SSVNC vncviewer.  If you specify your own VNC Viewer it has no effect.
-    On Windows (only the stock TightVNC viewer is provided) it has no
+    On Windows (only the stock TightVNC viewer is provided) it has no effect
-    effect.  On MacOSX if the COTVNC viewer is used it has no effect.
+    because the Windows SSVNC can ONLY do "Multiple LISTEN Connections". 
+    Similarly on MacOSX if the COTVNC viewer is used there is no effect.
    Rationale:  To play it safe, the Unix vncviewer provided by SSVNC
    (ssvncviewer) only allows one LISTEN reverse connection at a time.
@@ -14646,9 +15335,10 @@ proc do_port_knock {hp mode} {
 	set default_delay 150
 	set host [string trim $hp]
+	# XXX host_part
 	regsub {^vnc://} $host "" host
 	regsub {^.*@} $host "" host
-	regsub {:.*$} $host "" host
+	regsub {:[0-9][0-9]*$} $host "" host
 	set host0 [string trim $host]
 	if {$host0 == ""} {
@@ -14749,7 +15439,7 @@ proc do_port_knock {hp mode} {
 			set line [string trim $first]
 		}
-		if {[regexp {^(.*):(.*)$} $line mv host port]} {
+		if {[regexp {^(.*):([0-9][0-9]*)$} $line mv host port]} {
 			;
 		} else {
 			set host $host0
@@ -14850,7 +15540,7 @@ proc do_port_knock {hp mode} {
 				raise .
 				tk_messageBox -type ok -icon error -message $emess -title "Error: socket -async $host $port"
 			}
-			set socks($i) $s
+			set sockets($i) $s
 			# seems we have to close it immediately to avoid multiple SYN's.
 			# does not help on Win9x.
 			catch {after 30; close $s};
@@ -14868,7 +15558,7 @@ proc do_port_knock {hp mode} {
 	if {0} {
 		for {set j 0} {$j < $i} {incr j} {
-			set $s $socks($j)
+			set $s $sockets($j)
 			if {$s != ""} {
 				catch {close $s}	
 			}
@@ -17146,7 +17836,7 @@ proc toggle_vnc_prefix {} {
 	if [regexp -nocase {^vnc://} $vncdisplay] {
 		regsub -nocase {^vnc://} $vncdisplay "" vncdisplay
 	} else {
-		regsub -nocase {^[A-z+]*://} $vncdisplay "" vncdisplay
+		regsub -nocase {^[a-z0-9+]*://} $vncdisplay "" vncdisplay
 		set vncdisplay "Vnc://$vncdisplay"
 	}
 	catch {.f0.e icursor end}
@@ -17174,6 +17864,10 @@ if {! $is_windows} {
 set ffont "fixed"
+global have_ipv6
+set have_ipv6 ""
+check_for_ipv6
 # need to check if "fixed" font under XFT on tk8.5 is actually fixed width!!
 if {$tcl_platform(platform) == "unix"} {
 	set ls ""
@@ -17389,6 +18083,15 @@ if [file exists $ssvncrc] {
 			if [regexp {^killstunnel=0} $str] {
 				set kill_stunnel 0
 			}
+			global have_ipv6
+			if [regexp {^ipv6=1} $str] {
+				set have_ipv6 1
+				set env(SSVNC_IPV6) 1
+			}
+			if [regexp {^ipv6=0} $str] {
+				set have_ipv6 0
+				set env(SSVNC_IPV6) 0
+			}
 			if [regexp {^mycert=(.*)$} $str m val] {
 				set val [string trim $val]
 				set mycert_default $val
@@ -17892,7 +18595,7 @@ for {set i 0} {$i < $argc} {incr i} {
 					break;
 				}
 			}
-			if {! $ok && [regexp {:} $item]} {
+			if {! $ok && [regexp {:[0-9][0-9]*$} $item]} {
 				global vncdisplay
 				set vncdisplay $item
 				set ok 1

--- a/x11vnc/misc/enhanced_tightvnc_viewer/build.unix
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/build.unix
@@ -389,7 +389,7 @@ if [ "X$SSVNC_BUILD_SKIP_STUNNEL" = "X" ]; then
 		cp configure configure.orig
 		sed -e "s,/var/ssl,/var/ssl /usr/sfw," configure.orig > configure
 	fi
-	env LDFLAGS="-L$start/$libs $LDFLAGS_OS" CPPFLAGS="$CPPFLAGS_OS" ./configure --disable-libwrap
+	env LDFLAGS="-L$start/$libs $LDFLAGS_OS" CPPFLAGS="$CPPFLAGS_OS" ./configure --disable-libwrap --enable-ipv6
 	make
 	ls -l src/stunnel
 	cd "$start"

--- a/x11vnc/misc/enhanced_tightvnc_viewer/man/man1/ssvnc.1
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/man/man1/ssvnc.1
@@ -217,7 +217,7 @@ For example:
 or set both of them at once.
-To acheive the same effect, you can also
+To achieve the same effect, you can also
 set parameters in your ~/.ssvncrc file, for example:
 font_default=helvetica -20 bold

--- a/x11vnc/misc/enhanced_tightvnc_viewer/man/man1/ssvncviewer.1
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/man/man1/ssvncviewer.1
@@ -11,7 +11,7 @@
 .\" License as specified in the file LICENCE.TXT that comes with the
 .\" TightVNC distribution.
 .\"
-.TH ssvncviewer 1 "December 2009" "" "SSVNC"
+.TH ssvncviewer 1 "September 2009" "" "SSVNC"
 .SH NAME
 ssvncviewer \- an X viewer client for VNC
 .SH SYNOPSIS

--- a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_bundle
 #!/bin/sh
 rm -rf ./src/tmp/* || exit 1
-vers=1.0.25
+vers=1.0.27
 cd .. || exit 1

--- a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_getpatches
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/_getpatches
 #!/bin/sh
+if [ ! -f ./_getpatches ]; then
+	ls -l ./_getpatches
+	exit 1
+fi
 cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/tight-vncviewer*patch .
 cp -p /dist/src/apps/VNC/tight_vnc_1.3dev5/vnc_unixsrc_vncviewer.patched.tar ../zips/

--- a/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/tight-vncviewer-full.patch
+++ b/x11vnc/misc/enhanced_tightvnc_viewer/src/patches/tight-vncviewer-full.patch
--- a/x11vnc/misc/inet6to4
+++ b/x11vnc/misc/inet6to4
@@ -14,9 +14,10 @@
 # clients that need to connect to ipv6 servers.)  Reversing is the default
 # if this script is named 'inet4to6' (e.g. by a symlink.)
 #
-# Use Ctrl-C to stop this program.
+# Use Ctrl-C to stop this program.  You can also supply '-c n' as the
+# first option to only handle that many connections.
 #
-# You can also set env. vars INET6TO4_LOOP=1 or INET6TO4_LOOP=BG
+# Also set the env. vars INET6TO4_LOOP=1 or INET6TO4_LOOP=BG
 # to have an outer loop restarting this program (BG means do that
 # in the background), and INET6TO4_LOGFILE for a log file.
 # Also set INET6TO4_VERBOSE to verbosity level and INET6TO4_WAITTIME
@@ -42,12 +43,14 @@
 # or see <http://www.gnu.org/licenses/>.
 #-------------------------------------------------------------------------
+my $program = "inet6to4";
 # Set up logging:
 #
 if (exists $ENV{INET6TO4_LOGFILE}) {
 	close STDOUT;
 	if (!open(STDOUT, ">>$ENV{INET6TO4_LOGFILE}")) {
-	        die "inet6to4: $ENV{INET6TO4_LOGFILE} $!\n";
+	        die "$program: $ENV{INET6TO4_LOGFILE} $!\n";
 	}
 	close STDERR;
 	open(STDERR, ">&STDOUT");
@@ -98,14 +101,14 @@ sub open_pidfile {
 if (exists $ENV{INET6TO4_LOOP}) {
 	my $csl = $ENV{INET6TO4_LOOP};
 	if ($csl ne 'BG' && $csl ne '1') {
-		die "inet6to4: invalid INET6TO4_LOOP.\n";
+		die "$program: invalid INET6TO4_LOOP.\n";
 	}
 	if ($csl eq 'BG') {
 		# go into bg as "daemon":
 		setpgrp(0, 0);
 		my $pid = fork();
 		if (! defined $pid) {
-			die "inet6to4: $!\n";
+			die "$program: $!\n";
 		} elsif ($pid) {
 			wait;
 			exit 0;
@@ -126,7 +129,7 @@ if (exists $ENV{INET6TO4_LOOP}) {
 		open_pidfile();
 	}
-	print STDERR "inet6to4: starting service at ", scalar(localtime), " master-pid=$$\n";
+	print STDERR "$program: starting service at ", scalar(localtime), " master-pid=$$\n";
 	while (1) {
 		$looppid = fork;
 		if (! defined $looppid) {
@@ -137,7 +140,7 @@ if (exists $ENV{INET6TO4_LOOP}) {
 			exec $0, @ARGV;	
 			exit 1;
 		}
-		print STDERR "inet6to4: re-starting service at ", scalar(localtime), " master-pid=$$\n";
+		print STDERR "$program: re-starting service at ", scalar(localtime), " master-pid=$$\n";
 		sleep 1;
 	}
 	exit 0;
@@ -177,6 +180,12 @@ if (! @ARGV || $ARGV[0] =~ '^-+h') {	# -help
 	exit;
 }
+my $cmax = 0;
+if ($ARGV[0] eq '-c') {			# -c
+	shift;
+	$cmax = shift;
+}
 if ($ARGV[0] eq '-r') {			# -r
 	shift;
 	$reverse = 1;
@@ -203,24 +212,30 @@ setpgrp(0, 0);
 # create listening socket:
 #
+my %opts;
+$opts{Listen}    = 10;
+$opts{Proto}     = "tcp";
+$opts{ReuseAddr} = 1;
+if ($listen_port =~ /^(.*):(\d+)$/) {
+	$opts{LocalAddr} = $1;
+	$listen_port = $2;
+}
+$opts{LocalPort} = $listen_port;
 if (!$reverse) {
-	$listen_sock = IO::Socket::INET6->new(
+	# force ipv6 interface:
-		Listen    => 10,
+	$opts{Domain} = AF_INET6;
-		LocalPort => $listen_port,
+	$listen_sock = IO::Socket::INET6->new(%opts);
-		Domain    => AF_INET6,
-		ReuseAddr => 1,
-		Proto     => "tcp"
-	);
 } else {
-	$listen_sock = IO::Socket::INET->new(
+	$listen_sock = IO::Socket::INET->new(%opts);
-		Listen    => 10,
+	if (! $listen_sock && $! =~ /invalid/i) {
-		LocalPort => $listen_port,
+		warn "$program: $!, retrying with AF_UNSPEC:\n";
-		ReuseAddr => 1,
+		$opts{Domain} = AF_UNSPEC;
-		Proto     => "tcp"
+		$listen_sock = IO::Socket::INET6->new(%opts);
-	);
+	}
 }
 if (! $listen_sock) {
-	die "inet6to4: $!\n";
+	die "$program: $!\n";
 }
 # for use by the xfer helper processes' interrupt handlers:
@@ -236,6 +251,10 @@ my $conn = 0;
 #
 while (1) {
 	$conn++;
+	if ($cmax > 0 && $conn > $cmax) {
+		print STDERR "last connection ($cmax)\n" if $verbose; 
+		last;
+	}
 	print STDERR "listening for connection: $conn\n" if $verbose; 
 	my ($client, $ip) = $listen_sock->accept();
@@ -259,7 +278,7 @@ while (1) {
 	#
 	my $pid = fork();
 	if (! defined $pid) {
-		die "inet6to4: $!\n";
+		die "$program: $!\n";
 	} elsif ($pid) {
 		wait;
 		# to throttle runaways
@@ -286,24 +305,25 @@ sub handle_conn {
 	print STDERR "connecting to: $host:$port\n" if $verbose;
 	my $sock = '';
+	my %opts;
+	$opts{PeerAddr} = $host;
+	$opts{PeerPort} = $port;
+	$opts{Proto}    = "tcp";
 	if (!$reverse) {
-		$sock = IO::Socket::INET->new(
+		$sock = IO::Socket::INET->new(%opts);
-			PeerAddr => $host,
-			PeerPort => $port,
-			Proto => "tcp"
-		);
 	} else {
-		$sock = IO::Socket::INET6->new(
+		$opts{Domain} = AF_INET6;
-			PeerAddr => $host,
+		$sock = IO::Socket::INET6->new(%opts);
-			PeerPort => $port,
+	}
-			Domain   => AF_INET6,
+	if (! $sock) {
-			Proto => "tcp"
+		warn "$program: $!, retrying with AF_UNSPEC:\n";
-		);
+		$opts{Domain} = AF_UNSPEC;
+		$sock = IO::Socket::INET6->new(%opts);
 	}
 	if (! $sock) {
 		close $client;
-		die "inet6to4: $!\n";
+		die "$program: $!\n";
 	}
 	$current_fh1 = $client;
@@ -359,10 +379,10 @@ sub xfer {
 		my $len = sysread($in, $buf, 8192);
 		if (! defined($len)) {
 			next if $! =~ /^Interrupted/;
-			print STDERR "inet6to4\[$lab/$conn/$$]: $!\n";
+			print STDERR "$program\[$lab/$conn/$$]: $!\n";
 			last;
 		} elsif ($len == 0) {
-			print STDERR "inet6to4\[$lab/$conn/$$]: "
+			print STDERR "$program\[$lab/$conn/$$]: "
 			    . "Input is EOF.\n";
 			last;
 		}
@@ -378,7 +398,7 @@ sub xfer {
 		while ($len) {
 			my $written = syswrite($out, $buf, $len, $offset);
 			if (! defined $written) {
-				print STDERR "inet6to4\[$lab/$conn/$$]: "
+				print STDERR "$program\[$lab/$conn/$$]: "
 				    . "Output is EOF. $!\n";
 				$quit = 1;
 				last;