From 576bd884a2f0efbbbb15ba26077428bf89fc812cbaaf83bb658a187f2aafba58 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Tue, 26 Mar 2019 10:06:02 +0000
Subject: [PATCH] Accepting request 688610 from home:yfjiang:branches:X11:XOrg - Update with-vnc-key.sh to use only hostname for CN. The gnutls introduces gnutls_x509_crt_check_hostname2 in gnutls/lib/x509/hostname-verify.c#L159 to check if the given certificate's subject matches the given hostname. The function is used by the recent version of libvncclient which will fail to verify the certification if there is a mismatching between the connected hostname and the cert issuer's common name. https://github.com/LibVNC/libvncserver/commit/cc69ee9 So the previous way to generate the vnc server's cert brings a complicated CN, making the client using libvncclient (e.g. vinagre, remmina) hard to adapt the hostname check. It is better to populate the hostname as the common name without extra strings. OBS-URL: https://build.opensuse.org/request/show/688610 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=159
---
 tigervnc.changes | 21 +++++++++++++++++++++
 with-vnc-key.sh | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/tigervnc.changes b/tigervnc.changes
index e652a37..c449f33 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Mar 26 08:22:53 UTC 2019 - Yifan Jiang
+
+- Update with-vnc-key.sh to use only hostname for CN.
+
+ The gnutls introduces gnutls_x509_crt_check_hostname2 in
+ gnutls/lib/x509/hostname-verify.c#L159 to check if the given
+ certificate's subject matches the given hostname.
+
+ The function is used by the recent version of libvncclient which
+ will fail to verify the certification if there is a mismatching
+ between the connected hostname and the cert issuer's common name.
+
+ https://github.com/LibVNC/libvncserver/commit/cc69ee9
+
+ So the previous way to generate the vnc server's cert brings a
+ complicated CN, making the client using libvncclient
+ (e.g. vinagre, remmina) hard to adapt the hostname check. It is
+ better to populate the hostname as the common name without extra
+ strings.
+
 -------------------------------------------------------------------
 Thu Mar 21 09:16:51 UTC 2019 - Dominique Leuenberger
diff --git a/with-vnc-key.sh b/with-vnc-key.sh
index 8da6bdc..39fc549 100644
--- a/with-vnc-key.sh
+++ b/with-vnc-key.sh
@@ -25,7 +25,7 @@ fi
 # If the cert file doesn't exist, generate it.
 if ! test -e $TLSCERT ; then
 # Keeping it short, because hostname could be long and max CN is 64 characters
- CN="VNC service on `hostname`"
+ CN="`hostname`"
 CN=${CN:0:64}
 openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
 chown vnc:vnc $TLSCERT
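Review bot: The `CN=${CN:0:64}` truncation kept right after the new `CN="`hostname`"` line now cuts into the very name clients verify, so a hostname longer than 64 characters silently yields a certificate that can never pass the hostname check. A warning before truncating, such as `[ ${#CN} -le 64 ] || echo "hostname exceeds 64 characters; certificate CN will not match" >&2`, would make that visible, and the "Keeping it short" comment should say that the CN must equal the name clients connect to. `hostname` may also return the short name while clients connect by FQDN, so a `subjectAltName` listing the DNS names (for example via `-addext`, if the OpenSSL on the target releases is 1.1.1 or later) would be more robust, since GnuTLS consults it before falling back to the CN and it is not bound by the 64-character CN limit. Because generation is guarded by `if ! test -e $TLSCERT`, hosts that already have a certificate keep the old "VNC service on ..." CN and are not fixed by this change, which is worth stating in the changelog entry. The `if` block opened in this hunk closes outside it.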