Stefan Dirsch
576bd884a2
- Update with-vnc-key.sh to use only hostname for CN. gnutls introduces gnutls_x509_crt_check_hostname2 in gnutls/lib/x509/hostname-verify.c#L159 to check if the given certificate's subject matches the given hostname. The function is used by the recent version of libvncclient, which will fail to verify the certificate if there is a mismatch between the connected hostname and the cert issuer's common name. https://github.com/LibVNC/libvncserver/commit/cc69ee9 So the previous way to generate the vnc server's cert brings a complicated CN, making it hard for clients using libvncclient (e.g. vinagre, remmina) to adapt to the hostname check. It is better to populate the hostname as the common name without extra strings.
OBS-URL: https://build.opensuse.org/request/show/688610
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=159
38 lines
1.0 KiB
Bash
#!/bin/bash

# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command.

TLSKEY=/etc/vnc/tls.key
TLSCERT=/etc/vnc/tls.cert

if test -s "$TLSKEY" -a -s "$TLSCERT"; then
    # Execute the command we were given.
    exec "$@"
fi

(
    # Wait for lock on the key file. We must not proceed while someone else is creating it.
    flock 200

    # If the key file doesn't exist or has zero size (because it doubles as lock), generate it.
    if ! test -s "$TLSKEY" ; then
        (umask 077 && openssl genrsa -out "$TLSKEY" 2048) >&200
        chown vnc:vnc "$TLSKEY"
    fi

    # If the cert file doesn't exist, generate it.
    if ! test -e "$TLSCERT" ; then
        # Keeping it short, because hostname could be long and max CN is 64 characters
        CN="$(hostname)"
        CN=${CN:0:64}
        openssl req -new -x509 -extensions usr_cert -key "$TLSKEY" -out "$TLSCERT" -days 7305 -subj "/CN=$CN/"
        chown vnc:vnc "$TLSCERT"
    fi
) 200>>"$TLSKEY" 2>/dev/null

# Execute the command we were given.
exec "$@"
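The following is an added example, not part of the tigervnc package or of with-vnc-key.sh: it generates self-signed certificates the way the wrapper does and runs a hostname check against the subject CN of the kind the commit message describes (libvncclient via gnutls_x509_crt_check_hostname2), using openssl's own host check as the stand-in verifier. It assumes openssl(1) is installed; the working directory, hostnames and the "old style" decorated CN are constructed for the example.

```shell
#!/bin/bash
# Added example: CN-only certificates and the hostname check they must pass.
# Not part of the tigervnc package. Assumes openssl(1); all names are constructed.

WORKDIR=$(mktemp -d)
TLSKEY="$WORKDIR/tls.key"

# One private key for all certificates, generated as the wrapper does.
(umask 077 && openssl genrsa -out "$TLSKEY" 2048) 2>/dev/null

# vnc_cn HOSTNAME: the CN the wrapper would use, i.e. the hostname cut to 64 chars.
vnc_cn() {
    printf '%s\n' "$1" | cut -c1-64
}

# make_cert CERTFILE CN: self-signed cert with the given subject, same openssl
# invocation as the wrapper minus -extensions usr_cert (which needs openssl.cnf).
make_cert() {
    openssl req -new -x509 -key "$TLSKEY" -out "$1" -days 7305 -subj "/CN=$2/" 2>/dev/null
}

# cn_matches CERTFILE HOSTNAME: exit 0 when openssl's host check accepts the
# certificate for HOSTNAME. The wrapper adds no dNSName SAN, so the check falls
# back to the subject CN, which is the comparison the commit message relies on.
cn_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match certificate'
}

# Demo: a plain-hostname CN is accepted, a CN carrying extra strings is not.
demo() {
    demo_host="vncbox.example.test"
    demo_cert="$WORKDIR/demo.cert"
    make_cert "$demo_cert" "$(vnc_cn "$demo_host")"
    cn_matches "$demo_cert" "$demo_host" && echo "CN=$demo_host: accepted for $demo_host"
    # Constructed stand-in for the previous, decorated CN style.
    make_cert "$demo_cert" "VNC server on $demo_host"
    cn_matches "$demo_cert" "$demo_host" || echo "CN='VNC server on $demo_host': rejected"
}

demo
```

Note the caveat the wrapper's 64-character truncation carries: a hostname longer than 64 characters yields a CN that no longer equals the hostname, so the same check rejects it.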