diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 6014502..9b886b5 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java @@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity { public static StringParameter x509crl = new StringParameter("x509crl", "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer); + public static StringParameter x509autoaccept + = new StringParameter("x509autoaccept", + "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer); private void initGlobal() { @@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity { setDefaults(); cafile = x509ca.getData(); crlfile = x509crl.getData(); + certautoaccept = x509autoaccept.getData(); } public static String getDefaultCA() { 
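Review bot: The help text `"X509 Certificate SHA-1 fingerprint"` on the new `x509autoaccept` parameter (first hunk of CSecurityTLS.java) does not say that a matching server certificate is accepted without the confirmation dialog, nor what format is expected. Something like `"SHA-1 fingerprint (colon-separated hex) of a server certificate to accept without prompting when validation fails"` would make the trust implication visible to whoever sets it. The comparison in the later hunk is `equalsIgnoreCase` on the colon-separated form, so a value pasted without colons never matches and falls back to the prompt without explanation.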
@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity { try { tm.checkServerTrusted(chain, authType); } catch (CertificateException e) { - Object[] answer = {"Proceed", "Exit"}; - - StringBuilder message = new StringBuilder(); - message.append(e.getCause().getLocalizedMessage()); - message.append("\nContinue connecting to this host?"); + String fingerprint = null; try { + StringBuilder fingerprintBuilder = new StringBuilder(); + MessageDigest sha1 = MessageDigest.getInstance("SHA1"); sha1.update(chain[0].getEncoded()); - message.append("\nSHA-1 fingerprint: "); - for(byte B : sha1.digest()) { - message.append(Integer.toHexString(0xff & B)); - message.append(':'); + fingerprintBuilder.append(String.format("%02x", /*0xff & */B)); + fingerprintBuilder.append(':'); } - message.deleteCharAt(message.length() - 1); + fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1); + + fingerprint = fingerprintBuilder.toString(); } catch (NoSuchAlgorithmException noSuchAlgorithmException) { // No fingerprint then... 
} - int ret = JOptionPane.showOptionDialog(null, - message.toString(), - "Confirm certificate exception?", - JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, - null, answer, answer[0]); - if (ret == JOptionPane.NO_OPTION) - System.exit(1); + if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) { + Object[] answer = {"Proceed", "Exit"}; + + StringBuilder message = new StringBuilder(); + message.append(e.getCause().getLocalizedMessage()); + message.append("\nContinue connecting to this host?"); + if(fingerprint != null) { + message.append("\nSHA-1 fingerprint: "); + message.append(fingerprint); + message.append("\nBle: "); + message.append(certautoaccept); + } + + int ret = JOptionPane.showOptionDialog(null, + message.toString(), + "Confirm certificate exception?", + JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, + null, answer, answer[0]); + if (ret == JOptionPane.NO_OPTION) + System.exit(1); + } } catch (java.lang.Exception e) { throw new Exception(e.toString()); } @@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity { private SSLEngineManager manager; private boolean anon; - private String cafile, crlfile; + private String cafile, crlfile, certautoaccept; private FdInStream is; private FdOutStream os; diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java index cc21c2e..6786636 100644 --- a/java/com/tigervnc/vncviewer/VncViewer.java +++ b/java/com/tigervnc/vncviewer/VncViewer.java @@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet parent.setFocusTraversalKeysEnabled(false); setLookAndFeel(); setBackground(Color.white); + + SecurityClient.setDefaults(); } private void getTimestamp() { 
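Review bot: In the `catch (CertificateException e)` branch of CSecurityTLS.java, a fingerprint match on `certautoaccept` suppresses the dialog for every validation failure, because the branch never inspects the cause. A pinned certificate that has expired, or presumably one rejected through the configured CRL, is therefore accepted with no message; the suppressed cause should at least be logged. The pin is a SHA-1 digest, and for a new trust decision `MessageDigest.getInstance("SHA-256")` would be the safer choice, with the parameter description updated to match. The `message.append("\nBle: ");` / `message.append(certautoaccept);` pair looks like leftover debug output in a user-facing dialog and should be dropped, along with the commented-out `/*0xff & */`. The enclosing method starts above this hunk.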
@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet if (embed.getValue() && nViewers == 0) { alwaysShowServerDialog.setParam(false); Configuration.global().readAppletParams(this); + Configuration.viewer().readAppletParams(this); fullScreen.setParam(false); scalingFactor.setParam("100"); String host = getCodeBase().getHost();
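Review bot: `Configuration.viewer().readAppletParams(this)` lets the embedding page supply viewer-scoped parameters, and this commit registers `x509autoaccept` with `ConfViewer` in CSecurityTLS.java, so the page can apparently provide the fingerprint that suppresses the certificate dialog. If that page is served by the host being connected to (the following lines use `getCodeBase().getHost()`) or over an unauthenticated channel, the pin adds no assurance, since whoever controls the page also chooses the accepted certificate. Consider excluding `x509autoaccept` from applet-sourced parameters, or honouring it only when the applet was loaded over an authenticated channel. A comment here should state which parameters are safe to take from the page. The enclosing method extends beyond this hunk.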