X11VNC_REFLECT_PASSWORD env. var., warning about compiz, improve single-port.

d11b2abd · runge · 0e7499fb · d11b2abd · d11b2abd · d11b2abd
Commit d11b2abd authored Jun 14, 2009 by runge
9 changed files
--- a/x11vnc/ChangeLog
+++ b/x11vnc/ChangeLog
+2009-06-14  Karl Runge <runge@karlrunge.com>
+	* x11vnc: Add X11VNC_REFLECT_PASSWORD env. var. for -reflect mode.
+	  Message to user about compiz problems suggesting -noxdamage.
+	  Improvements to single-port detection and logging.
 2009-05-21  Karl Runge <runge@karlrunge.com>
 	* x11vnc: Thread safety improvements. Add 'OpenOffice' to special
 	  case list for scroll detection.  Fix -clip mode under -rawfb.

--- a/x11vnc/README
+++ b/x11vnc/README
@@ -2,7 +2,7 @@
 Copyright (C) 2002-2009 Karl J. Runge <runge@karlrunge.com>
 All rights reserved.
-x11vnc README file                         Date: Thu May 21 10:41:49 EDT 2009
+x11vnc README file                         Date: Sun Jun 14 13:03:59 EDT 2009
 The following information is taken from these URLs:
@@ -3222,6 +3222,13 @@ TrueColor defdepth 24
   and finally supply the [222]-noshm option (this enables the polling
   over the network).
+   If the Xterminal's X display is open to the network for connections,
+   you might use something like "-display xterm123:0". If you are trying
+   to do this via an SSH tunnel (assuming you can actually ssh into the
+   Xterminal) it will be a little tricky (either use the ssh "-R" option
+   or consider ssh-ing in the other direction.) In all cases the X11
+   permissions need to allow the connection.
   The response will likely be sluggish (maybe only one "frame" per
   second). This mode is not recommended except for "quick checks" of
   hard to get to X servers. Use something like "-wait 150" to cut down
@@ -9375,7 +9382,7 @@ References
 462. http://www.karlrunge.com/x11vnc/faq.html#faq-linuxvc
 463. http://www.karlrunge.com/x11vnc/Xdummy
 464. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-find
- 465. http://www.isc.cnrs.fr/informatique/public_notice/x11vnc
+ 465. http://www.karlrunge.com/x11vnc/xdm_one_shot.html
 466. http://www.karlrunge.com/x11vnc/faq.html#infaq_display-manager-continuously
 467. http://www.karlrunge.com/x11vnc/faq.html#infaq_findcreatedisplay
 468. http://www.karlrunge.com/x11vnc/x11vnc_opts.html#opt-display_WAIT
@@ -11655,6 +11662,10 @@ Enhanced TightVNC Viewer   (SSVNC:   SSL/SSH VNC viewer)
       inside the viewport via Arrow keys or a mouse drag.
     * Scrollbar width setting: -sbwidth n, the default is very thin, 2
       pixels, for less distracting -ycrop usage.
+     * Selection text sending and receiving can be fine-tuned with the
+       -sendclipboard, -sendalways, and -recvtext options.
+     * TightVNC compression and quality levels are automatically set
+       based on observed network latency (n.b. not bandwidth.)
     * Improvements to the [29]Popup menu, all of these can now be
       changed dynamically via the menu: ViewOnly, Toggle Bell,
       CursorShape updates, X11 Cursor, Cursor Alphablending, Toggle
@@ -12307,6 +12318,8 @@ r
        Quality Level            ~ -quality (both Tight and ZYWRLE)
        Compress Level           ~ -compresslevel
        Disable JPEG:            ~ -nojpeg  (Tight)
+        Pipeline Updates         ~ -pipeline
        Full Color                 as many colors as local screen allows.
        Grey scale (16 & 8-bpp)  ~ -grey, for low colors 16/8bpp modes only.
        16 bit color (BGR565)    ~ -16bpp / -bgr565
@@ -12320,7 +12333,6 @@ r
        Set Y Crop (y-max)       ~ -ycrop
        Set Scrollbar Width      ~ -sbwidth
        XGrabServer              ~ -graball
-        Pipeline Updates         ~ -pipeline
        UltraVNC Extensions:
@@ -12335,6 +12347,9 @@ r
        Note: the Ultravnc extensions only apply to servers that support
              them.  x11vnc/libvncserver supports some of them.
+        Send Clipboard not Primary  ~ -sendclipboard
+        Send Selection Every time   ~ -sendalways
   Nearly all of these can be changed dynamically in the Popup menu
   (press F8 for it):
@@ -12598,7 +12613,7 @@ x11vnc: a VNC server for real X displays
   Here are all of x11vnc command line options:
 % x11vnc -opts      (see below for -help long descriptions)
-x11vnc: allow VNC connections to real X11 displays. 0.9.8 lastmod: 2009-05-18
+x11vnc: allow VNC connections to real X11 displays. 0.9.8 lastmod: 2009-06-14
 x11vnc options:
  -display disp            -auth file               -N                     
@@ -12723,7 +12738,7 @@ libvncserver-tight-extension options:
 % x11vnc -help
-x11vnc: allow VNC connections to real X11 displays. 0.9.8 lastmod: 2009-05-18
+x11vnc: allow VNC connections to real X11 displays. 0.9.8 lastmod: 2009-06-14
 (type "x11vnc -opts" to just list the options.)
@@ -16696,6 +16711,11 @@ t
                       window dragging.  Consider the -nodragging option if
                       the problem is severe.
+                       The env. var. X11VNC_REFLECT_PASSWORD can be set to
+                       the password needed to log into the vnc host server, or
+                       to "file:path_to_file" to indicate a file containing
+                       the password as its first line.
                       The VNC HOST mode implies -shared.  Use -noshared as
                       a subsequent cmdline option to disable sharing.

--- a/x11vnc/connections.c
+++ b/x11vnc/connections.c
@@ -817,7 +817,10 @@ void client_gone(rfbClientPtr client) {
 			rfbLog("connect_once: invalid password or early "
 			   "disconnect.\n");
 			rfbLog("connect_once: waiting for next connection.\n"); 
-			accepted_client = 0;
+			accepted_client--;
+			if (accepted_client < 0) {
+				accepted_client = 0;
+			}
 			CLIENT_UNLOCK;
 			return;
 		}
@@ -2995,8 +2998,8 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
 	if (connect_once) {
 		if (screen->dontDisconnect && screen->neverShared) {
 			if (! shared && accepted_client) {
-				rfbLog("denying additional client: %s\n",
+				rfbLog("denying additional client: %s:%d\n",
-				     client->host);
+				     client->host, get_remote_port(client->sock));
 				CLIENT_UNLOCK;
 				return(RFB_CLIENT_REFUSE);
 			}
@@ -3095,7 +3098,8 @@ enum rfbNewClientAction new_client(rfbClientPtr client) {
 	cd->cmp_bytes_sent = 0;
 	cd->raw_bytes_sent = 0;
-	accepted_client = 1;
+	rfbLog("incr accepted_client for %s:%d.\n", client->host, get_remote_port(client->sock));
+	accepted_client++;
 	last_client = time(NULL);
 	if (ncache) {

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -4031,6 +4031,11 @@ void print_help(int mode) {
 "                       window dragging.  Consider the -nodragging option if\n"
 "                       the problem is severe.\n"
 "\n"
+"                       The env. var. X11VNC_REFLECT_PASSWORD can be set to\n"
+"                       the password needed to log into the vnc host server, or\n"
+"                       to \"file:path_to_file\" to indicate a file containing\n"
+"                       the password as its first line.\n"
+"\n"
 "                       The VNC HOST mode implies -shared.  Use -noshared as\n"
 "                       a subsequent cmdline option to disable sharing.\n"
 "\n"

--- a/x11vnc/screen.c
+++ b/x11vnc/screen.c
@@ -1175,6 +1175,39 @@ rfbBool vnc_reflect_resize(rfbClient *cl)  {
 	return cl->frameBuffer ? TRUE : FALSE;
 }
+static char* vnc_reflect_get_password(rfbClient* client) {
+	char *q, *p, *str = getenv("X11VNC_REFLECT_PASSWORD");
+	int len = 110;
+	if (str) {
+		len += 2*strlen(str);	
+	}
+	p = (char *) calloc(len, 1);
+	if (!str || strlen(str) == 0) {
+		fprintf(stderr, "VNC Reflect Password: ");
+		fgets(p, 100, stdin);
+	} else {
+		if (strstr(str, "file:") == str) {
+			FILE *f = fopen(str + strlen("file:"), "r");
+			if (f) {
+				fgets(p, 100, f);
+				fclose(f);
+			}
+		}
+		if (p[0] == '\0') {
+			strncpy(p, str, 100);
+		}
+	}
+	q = p;
+	while (*q != '\0') {
+		if (*q == '\n') {
+			*q = '\0';
+		}
+		q++;
+	}
+	return p;
+}
 char *vnc_reflect_guess(char *str, char **raw_fb_addr) {
 	static int first = 1;
@@ -1206,6 +1239,10 @@ char *vnc_reflect_guess(char *str, char **raw_fb_addr) {
 	client->canHandleNewFBSize = TRUE;
 	client->GotFrameBufferUpdate = vnc_reflect_got_update;
+	if (getenv("X11VNC_REFLECT_PASSWORD")) {
+		client->GetPassword = vnc_reflect_get_password;
+	}
 	if (first) {
 		argv[argc++] = "x11vnc_rawfb_vnc";
 		if (strstr(hp, "listen") == hp) {

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -124,7 +124,7 @@ static void init_prng(void);
 static void sslerrexit(void);
 static char *get_input(char *tag, char **in);
 static char *create_tmp_pem(char *path, int prompt);
-static int  ssl_init(int s_in, int s_out, int skip_vnc_tls);
+static int  ssl_init(int s_in, int s_out, int skip_vnc_tls, double last_https);
 static void ssl_xfer(int csock, int s_in, int s_out, int is_https);
 #ifndef FORK_OK
@@ -1397,7 +1397,7 @@ if (db) fprintf(stderr, "  waitret1=%d\n", wret);
 	}
 }
-static int is_ssl_readable(int s_in, time_t last_https, char *last_get,
+static int is_ssl_readable(int s_in, double last_https, char *last_get,
    int mode) {
 	int nfd, db = 0;
 	struct timeval tv;
@@ -1427,7 +1427,7 @@ static int is_ssl_readable(int s_in, time_t last_https, char *last_get,
 	 * increase the timeout if we know HTTP traffic has occurred
 	 * recently:
 	 */
-	if (time(NULL) < last_https + 30) {
+	if (dnow() < last_https + 30.0) {
 		tv.tv_sec = 10;
 		if (last_get && strstr(last_get, "VncViewer")) {
 			tv.tv_sec = 5;
@@ -1613,7 +1613,7 @@ int proxy_hack(int vncsock, int listen, int s_in, int s_out, char *cookie,
 if (db) fprintf(stderr, "got applet input sock1: %d\n", sock1);
-	if (! ssl_init(sock1, sock1, 0)) {
+	if (! ssl_init(sock1, sock1, 0, 0.0)) {
 if (db) fprintf(stderr, "ssl_init FAILED\n");
 		exit(1);
 	}
@@ -1789,7 +1789,7 @@ void accept_openssl(int mode, int presock) {
 	char cookie[256], rcookie[256], *name = NULL;
 	int vencrypt_sel = 0;
 	int anontls_sel = 0;
-	static time_t last_https = 0;
+	static double last_https = 0.0;
 	static char last_get[256];
 	static int first = 1;
 	unsigned char *rb;
@@ -1972,6 +1972,11 @@ void accept_openssl(int mode, int presock) {
 	/* now fork the child to handle the SSL: */
 	pid = fork();
+	if (pid > 0) {
+		rfbLog("SSL: helper for peerport %d is pid %d: \n",
+		    peerport, (int) pid);
+	}
 	if (pid < 0) {
 		rfbLog("SSL: accept_openssl: could not fork.\n");
 		rfbLogPerror("fork");
@@ -2023,6 +2028,7 @@ void accept_openssl(int mode, int presock) {
 		if (vncsock < 0) {
 			rfbLog("SSL: ssl_helper[%d]: could not connect"
 			    " back to: %d\n", getpid(), cport);
+			rfbLog("SSL: ssl_helper[%d]: exit case 1 (no local vncsock)\n", getpid());
 			exit(1);
 		}
 		if (db) fprintf(stderr, "vncsock %d\n", vncsock);
@@ -2036,8 +2042,9 @@ void accept_openssl(int mode, int presock) {
 			s_in = s_out = sock;
 		}
-		if (! ssl_init(s_in, s_out, skip_vnc_tls)) {
+		if (! ssl_init(s_in, s_out, skip_vnc_tls, last_https)) {
 			close(vncsock);
+			rfbLog("SSL: ssl_helper[%d]: exit case 2 (ssl_init failed)\n", getpid());
 			exit(1);
 		}
@@ -2075,6 +2082,7 @@ void accept_openssl(int mode, int presock) {
 			rfbLog("SSL: accept_openssl[%d]: no httpd socket for "
 			    "-https mode\n", getpid());
 			close(vncsock);
+			rfbLog("SSL: ssl_helper[%d]: exit case 3 (no httpd sock)\n", getpid());
 			exit(1);
 		}
@@ -2186,6 +2194,7 @@ void accept_openssl(int mode, int presock) {
 				write(vncsock, tbuf, strlen(tbuf));
 				close(vncsock);
+				rfbLog("SSL: ssl_helper[%d]: exit case 4 (check.https.proxy.connection)\n", getpid());
 				exit(0);
 			}
 			connect_to_httpd:
@@ -2282,6 +2291,7 @@ void accept_openssl(int mode, int presock) {
 			if (httpsock < 0) {
 				/* UGH, after all of that! */
 				rfbLog("Could not connect to httpd socket!\n");
+				rfbLog("SSL: ssl_helper[%d]: exit case 5.\n", getpid());
 				exit(1);
 			}
 			if (db) fprintf(stderr, "ssl_helper[%d]: httpsock: %d %d\n",
@@ -2296,6 +2306,7 @@ void accept_openssl(int mode, int presock) {
 				write(httpsock, buf, n);
 			}
 			ssl_xfer(httpsock, s_in, s_out, is_http);
+			rfbLog("SSL: ssl_helper[%d]: exit case 6 (https ssl_xfer done)\n", getpid());
 			exit(0);
 		}
@@ -2311,6 +2322,7 @@ void accept_openssl(int mode, int presock) {
 		wrote_cookie:
 		ssl_xfer(vncsock, s_in, s_out, 0);
+		rfbLog("SSL: ssl_helper[%d]: exit case 7 (ssl_xfer done)\n", getpid());
 		exit(0);
 	}
 	/* parent here */
@@ -2333,7 +2345,7 @@ void accept_openssl(int mode, int presock) {
 	if (vsock < 0) {
-		rfbLog("SSL: accept_openssl: connection from ssl_helper FAILED.\n");
+		rfbLog("SSL: accept_openssl: connection from ssl_helper[%d] FAILED.\n", pid);
 		rfbLogPerror("accept");
 		kill(pid, SIGTERM);
@@ -2441,15 +2453,15 @@ void accept_openssl(int mode, int presock) {
 	}
 	if (n != (int) strlen(cookie) || strncmp(cookie, rcookie, n)) {
-		rfbLog("SSL: accept_openssl: cookie from ssl_helper FAILED. %d\n", n);
+		rfbLog("SSL: accept_openssl: cookie from ssl_helper[%d] FAILED. %d\n", pid, n);
 		if (db) fprintf(stderr, "'%s'\n'%s'\n", cookie, rcookie);
 		close(vsock);
 		if (strstr(rcookie, uniq) == rcookie) {
 			int i;
-			rfbLog("SSL: BUT WAIT! HTTPS for helper process succeeded. Good.\n");
+			rfbLog("SSL: BUT WAIT! HTTPS for helper process[%d] succeeded. Good.\n", pid);
 			if (mode != OPENSSL_HTTPS) {
-				last_https = time(NULL);
+				last_https = dnow();
 				for (i=0; i<256; i++) {
 					last_get[i] = '\0';
 				}
@@ -2470,6 +2482,7 @@ void accept_openssl(int mode, int presock) {
 				double start;
 				int origport = screen->port;
 				int useport = screen->port;
+				int saw_httpsock = 0;
 				/* to expand $PORT correctly in index.vnc */
 				if (https_port_redir < 0) {
 					char *q = strstr(rcookie, "HP=");
@@ -2489,23 +2502,34 @@ void accept_openssl(int mode, int presock) {
 				start = dnow();
 				while (dnow() < start + 10.0) {
+					if (screen->httpSock >= 0) saw_httpsock = 1;
 					rfbPE(10000);
 					usleep(10000);
+					if (screen->httpSock >= 0) saw_httpsock = 1;
 					waitpid(pid, &status, WNOHANG); 
 					if (kill(pid, 0) != 0) {
 						rfbPE(10000);
 						rfbPE(10000);
 						break;
 					}
+					if (saw_httpsock && screen->httpSock < 0) {
+						rfbLog("SSL: httpSock for helper[%d] went away\n", pid);
+						rfbPE(10000);
+						rfbPE(10000);
+						break;
+					}
 				}
 				screen->port = origport;
-				rfbLog("SSL: guessing child https finished.\n");
+				rfbLog("SSL: guessing child helper[%d] https finished. dt=%.6f\n",
+				    pid, dnow() - start);
 				ssl_helper_pid(0, -2);
 				if (mode == OPENSSL_INETD) {
 					clean_up_exit(1);
 				}
 			} else if (mode == OPENSSL_INETD) {
 				double start;
+				int saw_httpsock = 0;
 				/* to expand $PORT correctly in index.vnc */
 				if (screen->port == 0) {
 					int fd = fileno(stdin);
@@ -2524,17 +2548,26 @@ void accept_openssl(int mode, int presock) {
 				/* kludge for https fetch via inetd */
 				start = dnow();
 				while (dnow() < start + 10.0) {
+					if (screen->httpSock >= 0) saw_httpsock = 1;
 					rfbPE(10000);
 					usleep(10000);
+					if (screen->httpSock >= 0) saw_httpsock = 1;
 					waitpid(pid, &status, WNOHANG); 
 					if (kill(pid, 0) != 0) {
 						rfbPE(10000);
 						rfbPE(10000);
 						break;
 					}
+					if (saw_httpsock && screen->httpSock < 0) {
+						rfbLog("SSL: httpSock for helper[%d] went away\n", pid);
+						rfbPE(10000);
+						rfbPE(10000);
+						break;
+					}
 				}
 				rfbLog("SSL: OPENSSL_INETD guessing "
-				    "child https finished.\n");
+				    "child helper[%d] https finished. dt=%.6f\n",
+				    pid, dnow() - start);
 				ssl_helper_pid(0, -2);
 				clean_up_exit(1);
 			}
@@ -2554,7 +2587,7 @@ void accept_openssl(int mode, int presock) {
 	if (db) fprintf(stderr, "accept_openssl: cookie good: %s\n", cookie);
-	rfbLog("SSL: handshake with helper process succeeded.\n");
+	rfbLog("SSL: handshake with helper process[%d] succeeded.\n", pid);
 	openssl_last_helper_pid = pid;
 	ssl_helper_pid(pid, vsock);
@@ -3006,8 +3039,8 @@ static int vencrypt_dialog(int s_in, int s_out) {
 	return 1;
 }
-static int check_vnc_tls_mode(int s_in, int s_out) {
+static int check_vnc_tls_mode(int s_in, int s_out, double last_https) {
-	double waited = 0.0, dt = 0.01, start = dnow();
+	double waited = 0.0, waitmax = 1.4, dt = 0.01, start = dnow();
 	struct timeval tv;
 	int input = 0, i, n, ok;
 	int major, minor, sectype = -1;
@@ -3038,7 +3071,20 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
 		return 1;
 	}
-	while (waited < 1.1) {
+	if (last_https > 0.0) {
+		double now = dnow();
+		if (now < last_https + 5.0) {
+			waitmax = 20.0;
+		} else if (now < last_https + 15.0) {
+			waitmax = 10.0;
+		} else if (now < last_https + 30.0) {
+			waitmax = 5.0;
+		} else if (now < last_https + 60.0) {
+			waitmax = 2.5;
+		}
+	}
+	while (waited < waitmax) {
 		fd_set rfds;
 		FD_ZERO(&rfds);
 		FD_SET(s_in, &rfds);
@@ -3052,7 +3098,8 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
 		usleep((int) (1000 * 1000 * dt));
 		waited += dt;
 	}
-	rfbLog("check_vnc_tls_mode: waited: %f input: %s\n", dnow() - start, input ? "SSL Handshake" : "(future) RFB Handshake");
+	rfbLog("check_vnc_tls_mode: waited: %f / %.2f input: %s\n",
+	    dnow() - start, waitmax, input ? "SSL Handshake" : "(future) RFB Handshake");
 	if (input) {
 		/* got SSL client hello, can only assume normal SSL */
@@ -3079,7 +3126,7 @@ static int check_vnc_tls_mode(int s_in, int s_out) {
 		int i;
 		rfbLog("check_vnc_tls_mode: abnormal handshake: '%s'\nbytes: ", buf);
 		for (i=0; i < 12; i++) {
-			fprintf(stderr, "%x.", (int) buf[i]);
+			fprintf(stderr, "%d.", (unsigned char) buf[i]);
 		}
 		fprintf(stderr, "\n");
 		close(s_in); close(s_out);
@@ -3197,7 +3244,7 @@ static void ssl_timeout (int sig) {
 	exit(1);
 }
-static int ssl_init(int s_in, int s_out, int skip_vnc_tls) {
+static int ssl_init(int s_in, int s_out, int skip_vnc_tls, double last_https) {
 	unsigned char *sid = (unsigned char *) "x11vnc SID";
 	char *name = NULL;
 	int peerport = 0;
@@ -3220,7 +3267,7 @@ static int ssl_init(int s_in, int s_out, int skip_vnc_tls) {
 	if (skip_vnc_tls) {
 		rfbLog("SSL: ssl_helper[%d]: HTTPS mode, skipping check_vnc_tls_mode()\n",
 		    getpid());
-	} else if (!check_vnc_tls_mode(s_in, s_out)) {
+	} else if (!check_vnc_tls_mode(s_in, s_out, last_https)) {
 		return 0;
 	}
@@ -3419,7 +3466,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 	 * time), but we also want the timeout shorter at the beginning
 	 * in case the client went away.
 	 */
-	time_t start;
+	double start, now;
 	int tv_https_early = 60;
 	int tv_https_later = 20;
 	int tv_vnc_early = 40;
@@ -3442,13 +3489,14 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 		}
 		return;
 	}
 	if (getenv("SSL_DEBUG")) {
 		db = atoi(getenv("SSL_DEBUG"));
 	}
 	if (db) fprintf(stderr, "ssl_xfer begin\n");
-	start = time(NULL);
+	start = dnow();
 	if (is_https) {
 		tv_use = tv_https_early;
 	} else {
@@ -3567,7 +3615,8 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 			}
 		}
-		if (tv_cutover && time(NULL) > start + tv_cutover) {
+		now = dnow();
+		if (tv_cutover && now > start + tv_cutover) {
 			rfbLog("SSL: ssl_xfer[%d]: tv_cutover: %d\n", getpid(),
 			    tv_cutover);
 			tv_cutover = 0;
@@ -3589,6 +3638,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 			closing = 1;
 			tv_use = tv_closing;
 		}
 		tv.tv_sec  = tv_use;
 		tv.tv_usec = 0;
@@ -3603,11 +3653,13 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 		if (db > 1) fprintf(stderr, "nfd: %d\n", nfd);
+if (0) fprintf(stderr, "nfd[%d]: %d  w/r csock: %d %d s_in: %d %d\n", getpid(), nfd, FD_ISSET(csock, &wr), FD_ISSET(csock, &rd), FD_ISSET(s_out, &wr), FD_ISSET(s_in, &rd)); 
 		if (nfd < 0) {
 			rfbLog("SSL: ssl_xfer[%d]: select error: %d\n", getpid(), nfd);
 			perror("select");
 			/* connection finished */
-			return;	
+			goto done;	
 		}
 		if (nfd == 0) {
@@ -3623,7 +3675,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 			rfbLog("SSL: ssl_xfer[%d]: connection timedout. %d  tv_use: %d\n",
 			    getpid(), ndata, tv_use);
 			/* connection finished */
-			return;
+			goto done;
 		}
 		/* used to see if SSL_pending() should be checked: */
@@ -3638,12 +3690,12 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 			if (n < 0) {
 				if (errno != EINTR) {
 					/* connection finished */
-					return;
+					goto done;
 				}
 				/* proceed */
 			} else if (n == 0) {
 				/* connection finished XXX double check */
-				return;
+				goto done;
 			} else {
 				/* shift over the data in sbuf by n */
 				memmove(sbuf, sbuf + n, sptr - n);
@@ -3691,7 +3743,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 				} else if (err == SSL_ERROR_SYSCALL) {
 					if (n < 0 && errno != EINTR) {
 						/* connection finished */
-						return;
+						goto done;
 					}
 					/* proceed */
 				} else if (err == SSL_ERROR_ZERO_RETURN) {
@@ -3700,7 +3752,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 					s_wr = 0;
 				} else if (err == SSL_ERROR_SSL) {
 					/* connection finished */
-					return;
+					goto done;
 				}
 			}
 		}
@@ -3715,7 +3767,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 			if (n < 0) {
 				if (errno != EINTR) {
 					/* connection finished */
-					return;
+					goto done;
 				}
 				/* proceed */
 			} else if (n == 0) {
@@ -3760,7 +3812,7 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 					if (n < 0) {
 						if(errno != EINTR) {
 							/* connection finished */
-							return;
+							goto done;
 						}
 						/* proceed */
 					} else {
@@ -3783,11 +3835,19 @@ static void ssl_xfer(int csock, int s_in, int s_out, int is_https) {
 					}
 				} else if (err == SSL_ERROR_SSL) {
 					/* connection finished */
-					return;
+					goto done;
 				}
 			}
 		}
 	}
+	done:
+	rfbLog("SSL: ssl_xfer[%d]: closing sockets %d, %d, %d\n",
+			    getpid(), csock, s_in, s_out);
+	close(csock);
+	close(s_in);
+	close(s_out);
+	return;
 }
 void check_openssl(void) {

--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
 .\" This file was automatically generated from x11vnc -help output.
-.TH X11VNC "1" "May 2009" "x11vnc " "User Commands"
+.TH X11VNC "1" "June 2009" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.8, lastmod: 2009-05-18
+         version: 0.9.8, lastmod: 2009-06-14
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -4632,6 +4632,11 @@ wireframing that gives much better response than opaque
 window dragging.  Consider the \fB-nodragging\fR option if
 the problem is severe.
 .IP
+The env. var. X11VNC_REFLECT_PASSWORD can be set to
+the password needed to log into the vnc host server, or
+to "file:path_to_file" to indicate a file containing
+the password as its first line.
+.IP
 The VNC HOST mode implies \fB-shared.\fR  Use \fB-noshared\fR as
 a subsequent cmdline option to disable sharing.
 .PP

--- a/x11vnc/x11vnc.c
+++ b/x11vnc/x11vnc.c
@@ -4785,6 +4785,11 @@ if (0) fprintf(stderr, "XA: %s\n", getenv("XAUTHORITY"));
 	if (! quiet && xdamage_present && use_xdamage && ! raw_fb_str) {
 		rfbLog("X DAMAGE available on display, using it for polling hints.\n");
 		rfbLog("  To disable this behavior use: '-noxdamage'\n");
+		rfbLog("\n");
+		rfbLog("  Most compositing window managers like 'compiz' or 'beryl'\n");
+		rfbLog("  cause X DAMAGE to fail, and so you may not see any screen\n");
+		rfbLog("  updates via VNC.  Either disable 'compiz' (recommended) or\n");
+		rfbLog("  supply the x11vnc '-noxdamage' command line option.\n");
 	}
 	if (! quiet && wireframe && ! raw_fb_str) {

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -47,7 +47,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;
 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.8 lastmod: 2009-05-18";
+char lastmod[] = "0.9.8 lastmod: 2009-06-14";
 /* X display info */