x11vnc: SSL fixes. Increase cert lifetimes to 2 years. Print ssl err msg.

d538e4e2 · runge · fa531979 · d538e4e2 · d538e4e2 · d538e4e2
Commit d538e4e2 authored May 12, 2008 by runge
7 changed files
--- a/x11vnc/README
+++ b/x11vnc/README

-x11vnc README file                         Date: Wed May  7 20:58:51 EDT 2008
+x11vnc README file                         Date: Sat May 10 12:54:59 EDT 2008

 The following information is taken from these URLs:

@@ -10341,8 +10341,8 @@ blah,blah...
   brief, run something like "x11vnc -sslGenCert server self:apache" then
   copy the resulting self:apache.crt file to conf/ssl.crt/server.crt and
   extract the private key part from self:apache.pem and paste it into
-   conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 730'
-   before running x11vnc will bump up the expiration date (2 years in
+   conf/ssl.key/server.key). Setting the env var REQ_ARGS='-days 1095'
+   before running x11vnc will bump up the expiration date (3 years in
   this case).

   Or you can use the standard methods described in the [27]Apache
@@ -12039,7 +12039,7 @@ x11vnc: a VNC server for real X displays
   Here are all of x11vnc command line options:
 % x11vnc -opts      (see below for -help long descriptions)

-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-07
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-10

 x11vnc options:
  -display disp            -auth file               -N                     
@@ -12158,7 +12158,7 @@ libvncserver-tight-extension options:

 % x11vnc -help

-x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-07
+x11vnc: allow VNC connections to real X11 displays. 0.9.4 lastmod: 2008-05-10

 (type "x11vnc -opts" to just list the options.)

@@ -13709,8 +13709,8 @@ e

                       If you set the env. var REQ_ARGS='...' it will be
                       passed to openssl req(1).  A common use would be
-                       REQ_ARGS='-days 730' to bump up the expiration date
-                       (2 years in this case).
+                       REQ_ARGS='-days 1095' to bump up the expiration date
+                       (3 years in this case).

 -sslEncKey [pem]       Utility to encrypt an existing PEM file with a
                       passphrase you supply when prompted.  For that key to be

--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -1575,8 +1575,8 @@ void print_help(int mode) {
 "\n"
 "                       If you set the env. var REQ_ARGS='...' it will be\n"
 "                       passed to openssl req(1).  A common use would be\n"
-"                       REQ_ARGS='-days 730' to bump up the expiration date\n"
-"                       (2 years in this case).\n"
+"                       REQ_ARGS='-days 1095' to bump up the expiration date\n"
+"                       (3 years in this case).\n"
 "\n"
 "-sslEncKey [pem]       Utility to encrypt an existing PEM file with a\n"
 "                       passphrase you supply when prompted.  For that key to be\n"

--- a/x11vnc/selection.c
+++ b/x11vnc/selection.c
@@ -133,8 +133,6 @@ void selection_request(XEvent *ev, char *type) {
 		targets[0] = (Atom) xa_targets;
 		targets[1] = (Atom) XA_STRING;

-		data = (unsigned char *)str;
-
 		ret = XChangeProperty(ev->xselectionrequest.display,
 		    ev->xselectionrequest.requestor,
 		    ev->xselectionrequest.property,

--- a/x11vnc/sslhelper.c
+++ b/x11vnc/sslhelper.c
@@ -2130,8 +2130,16 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 			return 0;

 		} else if (rc < 0) {
+			unsigned long err;
+			int cnt = 0;

-			rfbLog("SSL: ssl_helper[%d]: SSL_accept() *FATAL: %d\n", getpid(), rc);
+			rfbLog("SSL: ssl_helper[%d]: SSL_accept() *FATAL: %d SSL FAILED\n", getpid(), rc);
+			while ((err = ERR_get_error()) != 0) {
+				rfbLog("SSL: %s\n", ERR_error_string(err, NULL));
+				if (cnt++ > 100) {
+					break;
+				}
+			}
 			return 0;

 		} else if (dnow() > start + 3.0) {
@@ -2174,9 +2182,18 @@ if (db > 1) fprintf(stderr, "ssl_init: 4\n");
 			}
 		} else {
 			rfbLog("SSL: ssl_helper[%d]: accepted client %s x509 cert is:\n", getpid(), name);
+#if LIBVNCSERVER_HAVE_X509_PRINT_EX_FP
 			X509_print_ex_fp(stderr, x, 0, XN_FLAG_MULTILINE);
+#endif
 			if (cr != NULL) {
+#if LIBVNCSERVER_HAVE_X509_PRINT_EX_FP
 				X509_print_ex_fp(cr, x, 0, XN_FLAG_MULTILINE);
+#else
+				rfbLog("** not compiled with libssl X509_print_ex_fp() function **\n");
+				if (users_list && strstr(users_list, "sslpeer=")) {
+					rfbLog("** -users sslpeer= will not work! **\n");
+				}
+#endif
 				fclose(cr);
 			}
 		}

--- a/x11vnc/ssltools.h
+++ b/x11vnc/ssltools.h
@@ -76,7 +76,7 @@ char genCA[] =
 "name_opt 	= ca_default		# Subject Name options\n"
 "cert_opt 	= ca_default		# Certificate field options\n"
 "\n"
-"default_days	= 365			# how long to certify for\n"
+"default_days	= 730			# how long to certify for\n"
 "default_crl_days= 30			# how long before next CRL\n"
 "default_md	= md5			# which md to use.\n"
 "preserve	= no			# keep passed DN ordering\n"
@@ -333,6 +333,13 @@ char genCert[] =
 "	echo \"Creating new x11vnc certificate and key for name: $type $name0\"\n"
 "	echo \"\"\n"
 "\n"
+"	req_args=$REQ_ARGS\n"
+"	if echo \"$req_args\" | grep 'days' > /dev/null; then\n"
+"		:\n"
+"	else\n"
+"		req_args=\"$req_args -days 730\"\n"
+"	fi\n"
+"\n"
 "	cnf=\"$DIR/tmp/cnf.$$\"\n"
 "	trap \"rm -f \\\"$cnf\\\"\" 0 1 2 15\n"
 "\n"
@@ -343,7 +350,7 @@ char genCert[] =
 "			direrror \"$DIR/CA/self.cnf.$type\"\n"
 "		fi\n"
 "		cat \"$DIR/CA/self.cnf.$type\" | sed -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
-"		\"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 -x509 $REQ_ARGS \\\n"
+"		\"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 -x509 $req_args \\\n"
 "			-keyout \"$DIR/$dest.key\" \\\n"
 "			-out    \"$DIR/$dest.crt\"\n"
 "	else\n"
@@ -351,7 +358,7 @@ char genCert[] =
 "			direrror \"$DIR/CA/ssl.cnf.$type\"\n"
 "		fi\n"
 "		cat \"$DIR/CA/ssl.cnf.$type\" | sed  -e \"s/%NAME/$name0/\" > \"$cnf\" || exit 1\n"
-"		\"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 $REQ_ARGS \\\n"
+"		\"$OPENSSL\" req -config \"$cnf\" -nodes -new -newkey rsa:2048 $req_args \\\n"
 "			-keyout \"$DIR/$dest.key\" \\\n"
 "			-out    \"$DIR/$dest.req\"\n"
 "	fi\n"

--- a/x11vnc/x11vnc.1
+++ b/x11vnc/x11vnc.1
@@ -2,7 +2,7 @@
 .TH X11VNC "1" "May 2008" "x11vnc " "User Commands"
 .SH NAME
 x11vnc - allow VNC connections to real X11 displays
-         version: 0.9.4, lastmod: 2008-05-07
+         version: 0.9.4, lastmod: 2008-05-10
 .SH SYNOPSIS
 .B x11vnc
 [OPTION]...
@@ -1787,8 +1787,8 @@ If you set the env. var REQ_ARGS='...' it will be
 passed to openssl 
 .IR req (1).
 A common use would be
-REQ_ARGS='-days 730' to bump up the expiration date
-(2 years in this case).
+REQ_ARGS='-days 1095' to bump up the expiration date
+(3 years in this case).
 .PP
 \fB-sslEncKey\fR \fI[pem]\fR
 .IP

--- a/x11vnc/x11vnc_defs.c
+++ b/x11vnc/x11vnc_defs.c
@@ -15,7 +15,7 @@ int xtrap_base_event_type = 0;
 int xdamage_base_event_type = 0;

 /*               date +'lastmod: %Y-%m-%d' */
-char lastmod[] = "0.9.4 lastmod: 2008-05-07";
+char lastmod[] = "0.9.4 lastmod: 2008-05-10";

 /* X display info */