Accepting request 316948 from home:michalsrb:branches:X11:XOrg

- Updated to tigervnc 1.5.0.
- Dropped no longer needed patches:
  * tigervnc-sf3495623.patch
  * u_syslog.patch
  * u_tigervnc-build-with-xserver-1.17.patch
- Use encryption everywhere. (fate#318936)
- Work with fltk 1.3.2.
  * N_tigervnc_revert_fltk_1_3_3_requirements.patch

OBS-URL: https://build.opensuse.org/request/show/316948
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=58

tigervnc-clean-pressed-key-on-exit.patch

@@ -1,8 +1,8 @@
-Index: tigervnc-1.4.1/vncviewer/DesktopWindow.cxx
+Index: tigervnc-1.5.0/vncviewer/DesktopWindow.cxx
 ===================================================================
---- tigervnc-1.4.1.orig/vncviewer/DesktopWindow.cxx
-+++ tigervnc-1.4.1/vncviewer/DesktopWindow.cxx
-@@ -188,6 +188,8 @@ DesktopWindow::~DesktopWindow()
+--- tigervnc-1.5.0.orig/vncviewer/DesktopWindow.cxx
++++ tigervnc-1.5.0/vncviewer/DesktopWindow.cxx
+@@ -177,6 +177,8 @@ DesktopWindow::~DesktopWindow()
  
    OptionsDialog::removeCallback(handleOptions);
  
@@ -11,11 +11,11 @@ Index: tigervnc-1.4.1/vncviewer/DesktopWindow.cxx
    // FLTK automatically deletes all child widgets, so we shouldn't touch
    // them ourselves here
  }
-Index: tigervnc-1.4.1/vncviewer/Viewport.cxx
+Index: tigervnc-1.5.0/vncviewer/Viewport.cxx
 ===================================================================
---- tigervnc-1.4.1.orig/vncviewer/Viewport.cxx
-+++ tigervnc-1.4.1/vncviewer/Viewport.cxx
-@@ -144,6 +144,11 @@ Viewport::Viewport(int w, int h, const r
+--- tigervnc-1.5.0.orig/vncviewer/Viewport.cxx
++++ tigervnc-1.5.0/vncviewer/Viewport.cxx
+@@ -139,6 +139,11 @@ Viewport::Viewport(int w, int h, const r
  
  Viewport::~Viewport()
  {
@@ -27,23 +27,23 @@ Index: tigervnc-1.4.1/vncviewer/Viewport.cxx
    // Unregister all timeouts in case they get a change tro trigger
    // again later when this object is already gone.
    Fl::remove_timeout(handlePointerTimeout, this);
-Index: tigervnc-1.4.1/vncviewer/vncviewer.cxx
+Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx
 ===================================================================
---- tigervnc-1.4.1.orig/vncviewer/vncviewer.cxx
-+++ tigervnc-1.4.1/vncviewer/vncviewer.cxx
-@@ -88,6 +88,8 @@ char vncServerName[VNCSERVERNAMELEN] = {
- static bool exitMainloop = false;
- static const char *exitError = NULL;
+--- tigervnc-1.5.0.orig/vncviewer/vncviewer.cxx
++++ tigervnc-1.5.0/vncviewer/vncviewer.cxx
+@@ -107,6 +107,8 @@ static const char *about_text()
+   return buffer;
+ }
  
 +static CConn *cc;
 +
  void exit_vncviewer(const char *error)
  {
    // Prioritise the first error we get as that is probably the most
-@@ -114,6 +116,16 @@ static void CleanupSignalHandler(int sig
+@@ -158,6 +160,16 @@ static void CleanupSignalHandler(int sig
    // CleanupSignalHandler allows C++ object cleanup to happen because it calls
    // exit() rather than the default which is to abort.
-   vlog.info(_("CleanupSignalHandler called"));
+   vlog.info(_("Termination signal %d has been received. TigerVNC Viewer will now exit."), sig);
 +  delete cc;
 +  exit(1);
 +}
@@ -57,7 +57,7 @@ Index: tigervnc-1.4.1/vncviewer/vncviewer.cxx
    exit(1);
  }
  
-@@ -392,11 +404,19 @@ int main(int argc, char** argv)
+@@ -460,11 +472,19 @@ int main(int argc, char** argv)
  
    init_fltk();
  
@@ -77,7 +77,7 @@ Index: tigervnc-1.4.1/vncviewer/vncviewer.cxx
    Configuration::enableViewerParams();
  
    /* Load the default parameter settings */
-@@ -497,7 +517,7 @@ int main(int argc, char** argv)
+@@ -577,7 +597,7 @@ int main(int argc, char** argv)
  #endif
    }
  

tigervnc-newfbsize.patch

@@ -1,8 +1,8 @@
-Index: tigervnc-1.4.1/vncviewer/CConn.cxx
+Index: tigervnc-1.5.0/vncviewer/CConn.cxx
 ===================================================================
---- tigervnc-1.4.1.orig/vncviewer/CConn.cxx
-+++ tigervnc-1.4.1/vncviewer/CConn.cxx
-@@ -424,6 +424,8 @@ void CConn::dataRect(const Rect& r, int
+--- tigervnc-1.5.0.orig/vncviewer/CConn.cxx
++++ tigervnc-1.5.0/vncviewer/CConn.cxx
+@@ -427,6 +427,8 @@ void CConn::dataRect(const Rect& r, int
  
    if (encoding != encodingCopyRect)
      lastServerEncoding = encoding;
@@ -10,4 +10,4 @@ Index: tigervnc-1.4.1/vncviewer/CConn.cxx
 +    setDesktopSize( r.width(), r.height() );
  
    if (!Decoder::supported(encoding)) {
-     vlog.error(_("Unknown rect encoding %d"), encoding);
+     // TRANSLATORS: Refers to a VNC protocol encoding type

tigervnc-sf3495623.patch

@@ -1,23 +0,0 @@
-diff -ur tigervnc-1.3.0.orig/common/network/TcpSocket.cxx tigervnc-1.3.0/common/network/TcpSocket.cxx
---- tigervnc-1.3.0.orig/common/network/TcpSocket.cxx	2014-02-07 16:35:24.644388330 +0200
-+++ tigervnc-1.3.0/common/network/TcpSocket.cxx	2014-02-07 16:39:50.608078320 +0200
-@@ -31,6 +31,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
-+#include <limits.h>
- #include <netinet/in.h>
- #include <netinet/tcp.h>
- #include <netdb.h>
-@@ -450,7 +451,10 @@
- }
- 
- void TcpListener::getMyAddresses(std::list<char*>* result) {
--  const hostent* addrs = gethostbyname(0);
-+  char hostname[HOST_NAME_MAX];
-+  if (gethostname(hostname, HOST_NAME_MAX) < 0)
-+    throw rdr::SystemException("gethostname", errorNumber);
-+  const hostent* addrs = gethostbyname(hostname);
-   if (addrs == 0)
-     throw rdr::SystemException("gethostbyname", errorNumber);
-   if (addrs->h_addrtype != AF_INET)

tigervnc.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jul 15 11:52:02 UTC 2015 - msrb@suse.com
+
+- Updated to tigervnc 1.5.0.
+- Dropped no longer needed patches:
+  * tigervnc-sf3495623.patch
+  * u_syslog.patch
+  * u_tigervnc-build-with-xserver-1.17.patch
+- Use encryption everywhere. (fate#318936)
+- Work with fltk 1.3.2.
+  * N_tigervnc_revert_fltk_1_3_3_requirements.patch
+
 -------------------------------------------------------------------
 Mon Apr 20 12:10:10 UTC 2015 - msrb@suse.com
 

tigervnc.spec

@@ -16,8 +16,14 @@
 #
 
 
+%define vncgroup vnc
+%define vncuser vnc
+
+%define tlskey  %{_sysconfdir}/vnc/tls.key
+%define tlscert %{_sysconfdir}/vnc/tls.cert
+
 Name:           tigervnc
-Version:        1.4.3
+Version:        1.5.0
 Release:        0
 Provides:       tightvnc = 1.3.9
 Obsoletes:      tightvnc < 1.3.9
@@ -92,7 +98,6 @@ Summary:        A high-performance, platform-neutral implementation of VNC
 License:        GPL-2.0 and MIT
 Group:          System/X11/Servers/XF86_4
 Source1:        https://github.com/TigerVNC/tigervnc/archive/v%{version}.tar.gz
-Source2:        index.vnc
 Source3:        vnc.xinetd
 Source4:        10-libvnc.conf
 Source5:        vnc-server.firewall
@@ -102,18 +107,15 @@ Source8:        vnc.reg
 Source9:        vncpasswd.arg
 Patch1:         tigervnc-newfbsize.patch
 Patch2:         tigervnc-clean-pressed-key-on-exit.patch
-Patch3:         tigervnc-sf3495623.patch
-Patch4:         u_tigervnc-dont-send-ascii-control-characters.patch
-Patch5:         u_tigervnc-ignore-epipe-on-write.patch
-Patch6:         n_tigervnc-date-time.patch
-Patch7:         U_include-vencrypt-only-if-any-subtype-present.patch
-Patch8:         u_tigervnc-use_preferred_mode.patch
-Patch9:         u_tigervnc-cve-2014-8240.patch
-Patch10:        u_tigervnc-build-with-xserver-1.17.patch
-Patch11:        u_terminate_instead_of_ignoring_restart.patch
-# Require and build against gnutls 3.x
-Patch12:        tigervnc-gnutls-3.4-required.patch
-Patch13:        u_syslog.patch
+Patch3:         u_tigervnc-ignore-epipe-on-write.patch
+Patch4:         n_tigervnc-date-time.patch
+Patch5:         U_include-vencrypt-only-if-any-subtype-present.patch
+Patch6:         u_tigervnc-use_preferred_mode.patch
+Patch7:         u_tigervnc-cve-2014-8240.patch
+Patch8:         u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch
+Patch9:         u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch
+Patch10:        u_tigervnc-add-autoaccept-parameter.patch
+Patch11:        N_tigervnc_revert_fltk_1_3_3_requirements.patch
 
 %description
 TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), 
@@ -123,6 +125,11 @@ it attempts to maintain a common look and feel and re-use components, where poss
 TigerVNC also provides extensions for advanced authentication methods and TLS encryption.
 
 %package -n xorg-x11-Xvnc
+# Needed to generate certificates
+Requires(post): openssl
+# Needed to serve java applet
+Requires:       python
+Requires:       python-pyOpenSSL
 Requires:       xinetd
 Requires:       xkeyboard-config
 Summary:        TigerVNC implementation of Xvnc
@@ -137,20 +144,18 @@ cp -r /usr/src/xserver/* unix/xserver/
 
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p0
+%patch3 -p0
+%patch4 -p1
 %patch5 -p0
-%patch6 -p1
-%patch7 -p0
-%patch8 -p0
+%patch6 -p0
+%patch7 -p1
+%patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
-%patch12 -p1
-%patch13 -p1
 
 pushd unix/xserver
-patch -p1 < ../xserver116.patch
+patch -p1 < ../xserver117.patch
 popd
 
 %build
@@ -203,7 +208,6 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/vnc/classes
 install -m755 VncViewer.jar $RPM_BUILD_ROOT%{_datadir}/vnc/classes
 popd
 
-install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/vnc/classes
 install -D -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/xinetd.d/vnc
 %ifnarch s390x
 install -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/X11/xorg.conf.d/10-libvnc.conf
@@ -218,22 +222,40 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer $RPM_BUILD_ROOT%{_bindir}/vncview
 ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/man1/vncviewer.1.gz
 %endif
 
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc
+
 rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-*
 
 %find_lang '%{name}'
 
-%if 0%{?suse_version} >= 1315
+%pre -n xorg-x11-Xvnc
+getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup}
+getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser}
+
+%post -n xorg-x11-Xvnc
+if ! test -e %{tlskey} ; then
+  (umask 077 && openssl genrsa -out %{tlskey} 2048)
+  chown %{vncuser}:%{vncgroup} %{tlskey}
+fi
+if ! test -e %{tlscert} ; then
+  cn="Automatically generated certificate for the VNC service"
+  openssl req -new -x509 -extensions usr_cert \
+    -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
+  chown %{vncuser}:%{vncgroup} %{tlscert}
+fi
 
 %post
+%if 0%{?suse_version} >= 1315
 %_sbindir/update-alternatives \
     --install %{_bindir}/vncviewer vncviewer %{_bindir}/vncviewer-tigervnc 20 \
     --slave %{_mandir}/man1/vncviewer.1.gz  vncviewer.1.gz  %{_mandir}/man1/vncviewer-tigervnc.1.gz
+%endif
 
 %postun
+%if 0%{?suse_version} >= 1315
 if [ "$1" = 0 ] ; then
    "%_sbindir/update-alternatives" --remove vncviewer /usr/bin/vncviewer-tigervnc
 fi
-
 %endif
 
 %files -f %{name}.lang
@@ -298,4 +320,8 @@ fi
 %doc java/com/tigervnc/vncviewer/README
 %{_datadir}/vnc
 
+%dir %{_sysconfdir}/vnc
+%ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey}
+%ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert}
+
 %changelog

u_syslog.patch

@@ -1,196 +0,0 @@
-Author: Michal Srb <msrb@suse.com>
-Subject: Syslog logging
-Patch-Mainline: To be upstreamed
-
-Index: tigervnc-1.4.1/common/rfb/CMakeLists.txt
-===================================================================
---- tigervnc-1.4.1.orig/common/rfb/CMakeLists.txt
-+++ tigervnc-1.4.1/common/rfb/CMakeLists.txt
-@@ -29,6 +29,7 @@ set(RFB_SOURCES
-   Logger.cxx
-   Logger_file.cxx
-   Logger_stdio.cxx
-+  Logger_syslog.cxx
-   Password.cxx
-   PixelBuffer.cxx
-   PixelFormat.cxx
-Index: tigervnc-1.4.1/common/rfb/LogWriter.h
-===================================================================
---- tigervnc-1.4.1.orig/common/rfb/LogWriter.h
-+++ tigervnc-1.4.1/common/rfb/LogWriter.h
-@@ -68,10 +68,15 @@ namespace rfb {
-       }
-     }
- 
--    DEF_LOGFUNCTION(error, 0)
--    DEF_LOGFUNCTION(status, 10)
--    DEF_LOGFUNCTION(info, 30)
--    DEF_LOGFUNCTION(debug, 100)
-+    static const int LEVEL_ERROR  = 0;
-+    static const int LEVEL_STATUS = 10;
-+    static const int LEVEL_INFO   = 30;
-+    static const int LEVEL_DEBUG  = 100;
-+
-+    DEF_LOGFUNCTION(error, LEVEL_ERROR)
-+    DEF_LOGFUNCTION(status, LEVEL_STATUS)
-+    DEF_LOGFUNCTION(info, LEVEL_INFO)
-+    DEF_LOGFUNCTION(debug, LEVEL_DEBUG)
- 
-     // -=- DIAGNOSTIC & HELPER ROUTINES
- 
-Index: tigervnc-1.4.1/common/rfb/Logger_syslog.cxx
-===================================================================
---- /dev/null
-+++ tigervnc-1.4.1/common/rfb/Logger_syslog.cxx
-@@ -0,0 +1,65 @@
-+/* Copyright (C) 2015 TigerVNC
-+ *
-+ * This is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This software is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this software; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
-+ * USA.
-+ */
-+
-+// -=- Logger_syslog.cxx - Logger instance for a syslog
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <syslog.h>
-+
-+#include <rfb/util.h>
-+#include <rfb/Logger_syslog.h>
-+#include <rfb/LogWriter.h>
-+#include <rfb/Threading.h>
-+
-+using namespace rfb;
-+
-+
-+Logger_Syslog::Logger_Syslog(const char* loggerName)
-+  : Logger(loggerName)
-+{
-+  openlog("Xvnc", LOG_CONS | LOG_PID, LOG_USER);
-+}
-+
-+Logger_Syslog::~Logger_Syslog()
-+{
-+  closelog();
-+}
-+
-+void Logger_Syslog::write(int level, const char *logname, const char *message)
-+{
-+  // Convert our priority level into syslog level
-+  int priority;
-+  if (level >= LogWriter::LEVEL_DEBUG) {
-+    priority = LOG_DEBUG;
-+  } else if (level >= LogWriter::LEVEL_INFO) {
-+    priority = LOG_INFO;
-+  } else if (level >= LogWriter::LEVEL_STATUS) {
-+    priority = LOG_NOTICE;
-+  } else {
-+    priority = LOG_ERR;
-+  }
-+
-+  syslog(priority, "%s: %s", logname, message);
-+}
-+
-+static Logger_Syslog logger("syslog");
-+
-+void rfb::initSyslogLogger() {
-+  logger.registerLogger();
-+}
-Index: tigervnc-1.4.1/common/rfb/Logger_syslog.h
-===================================================================
---- /dev/null
-+++ tigervnc-1.4.1/common/rfb/Logger_syslog.h
-@@ -0,0 +1,40 @@
-+/* Copyright (C) 2015 TigerVNC
-+ *
-+ * This is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This software is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this software; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
-+ * USA.
-+ */
-+
-+// -=- Logger_syslog - log to syslog
-+
-+#ifndef __RFB_LOGGER_SYSLOG_H__
-+#define __RFB_LOGGER_SYSLOG_H__
-+
-+#include <time.h>
-+#include <rfb/Logger.h>
-+
-+namespace rfb {
-+
-+  class Logger_Syslog : public Logger {
-+  public:
-+    Logger_Syslog(const char* loggerName);
-+    virtual ~Logger_Syslog();
-+
-+    virtual void write(int level, const char *logname, const char *message);
-+  };
-+
-+  void initSyslogLogger();
-+};
-+
-+#endif
-Index: tigervnc-1.4.1/unix/xserver/hw/vnc/Xvnc.man
-===================================================================
---- tigervnc-1.4.1.orig/unix/xserver/hw/vnc/Xvnc.man
-+++ tigervnc-1.4.1/unix/xserver/hw/vnc/Xvnc.man
-@@ -274,11 +274,11 @@ stop non-SSH connections from any other
- .
- .TP
- .B \-Log \fIlogname\fP:\fIdest\fP:\fIlevel\fP
--Configures the debug log settings.  \fIdest\fP can currently be \fBstderr\fP or
--\fBstdout\fP, and \fIlevel\fP is between 0 and 100, 100 meaning most verbose
--output.  \fIlogname\fP is usually \fB*\fP meaning all, but you can target a
--specific source file if you know the name of its "LogWriter".  Default is
--\fB*:stderr:30\fP.
-+Configures the debug log settings.  \fIdest\fP can currently be \fBstderr\fP,
-+\fBstdout\fP or \fBsyslog\fP, and \fIlevel\fP is between 0 and 100, 100 meaning
-+most verbose output.  \fIlogname\fP is usually \fB*\fP meaning all, but you can
-+target a specific source file if you know the name of its "LogWriter".  Default
-+is \fB*:stderr:30\fP.
- .
- .TP
- .B \-RemapKeys \fImapping
-Index: tigervnc-1.4.1/unix/xserver/hw/vnc/xvnc.cc
-===================================================================
---- tigervnc-1.4.1.orig/unix/xserver/hw/vnc/xvnc.cc
-+++ tigervnc-1.4.1/unix/xserver/hw/vnc/xvnc.cc
-@@ -34,6 +34,7 @@ from the X Consortium.
- 
- #include <rfb/Configuration.h>
- #include <rfb/Logger_stdio.h>
-+#include <rfb/Logger_syslog.h>
- #include <rfb/LogWriter.h>
- #include <network/TcpSocket.h>
- #include "vncExtInit.h"
-@@ -376,6 +377,7 @@ ddxProcessArgument(int argc, char *argv[
- 	vfbInitializePixmapDepths();
- 	firstTime = FALSE;
- 	rfb::initStdIOLoggers();
-+	rfb::initSyslogLogger();
- 	rfb::LogWriter::setLogParams("*:stderr:30");
- 	rfb::Configuration::enableServerParams();
-     }

u_tigervnc-add-autoaccept-parameter.patch

@@ -0,0 +1,116 @@
+diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
+index 6014502..9b886b5 100644
+--- a/java/com/tigervnc/rfb/CSecurityTLS.java
++++ b/java/com/tigervnc/rfb/CSecurityTLS.java
+@@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity {
+   public static StringParameter x509crl
+   = new StringParameter("x509crl",
+                         "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer);
++  public static StringParameter x509autoaccept
++  = new StringParameter("x509autoaccept",
++                        "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer);
+ 
+   private void initGlobal()
+   {
+@@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity {
+     setDefaults();
+     cafile = x509ca.getData();
+     crlfile = x509crl.getData();
++    certautoaccept = x509autoaccept.getData();
+   }
+ 
+   public static String getDefaultCA() {
+@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity {
+       try {
+ 	      tm.checkServerTrusted(chain, authType);
+       } catch (CertificateException e) {
+-        Object[] answer = {"Proceed", "Exit"};
+-
+-        StringBuilder message = new StringBuilder();
+-        message.append(e.getCause().getLocalizedMessage());
+-        message.append("\nContinue connecting to this host?");
++        String fingerprint = null;
+ 
+         try {
++          StringBuilder fingerprintBuilder = new StringBuilder();
++
+           MessageDigest sha1 = MessageDigest.getInstance("SHA1");
+           sha1.update(chain[0].getEncoded());
+ 
+-          message.append("\nSHA-1 fingerprint: ");
+-
+           for(byte B : sha1.digest()) {
+-            message.append(Integer.toHexString(0xff & B));
+-            message.append(':');
++            fingerprintBuilder.append(String.format("%02x", /*0xff & */B));
++            fingerprintBuilder.append(':');
+           }
+-          message.deleteCharAt(message.length() - 1);
++          fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1);
++
++          fingerprint = fingerprintBuilder.toString();
+         } catch (NoSuchAlgorithmException noSuchAlgorithmException) {
+           // No fingerprint then...
+         }
+ 
+-        int ret = JOptionPane.showOptionDialog(null,
+-          message.toString(),
+-          "Confirm certificate exception?",
+-          JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
+-          null, answer, answer[0]);
+-        if (ret == JOptionPane.NO_OPTION)
+-          System.exit(1);
++        if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) {
++          Object[] answer = {"Proceed", "Exit"};
++
++          StringBuilder message = new StringBuilder();
++          message.append(e.getCause().getLocalizedMessage());
++          message.append("\nContinue connecting to this host?");
++          if(fingerprint != null) {
++            message.append("\nSHA-1 fingerprint: ");
++            message.append(fingerprint);
++            message.append("\nBle: ");
++            message.append(certautoaccept);
++          }
++
++          int ret = JOptionPane.showOptionDialog(null,
++            message.toString(),
++            "Confirm certificate exception?",
++            JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
++            null, answer, answer[0]);
++          if (ret == JOptionPane.NO_OPTION)
++            System.exit(1);
++        }
+       } catch (java.lang.Exception e) {
+         throw new Exception(e.toString());
+       }
+@@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity {
+   private SSLEngineManager manager;
+   private boolean anon;
+ 
+-  private String cafile, crlfile;
++  private String cafile, crlfile, certautoaccept;
+   private FdInStream is;
+   private FdOutStream os;
+ 
+diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java
+index cc21c2e..6786636 100644
+--- a/java/com/tigervnc/vncviewer/VncViewer.java
++++ b/java/com/tigervnc/vncviewer/VncViewer.java
+@@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet
+     parent.setFocusTraversalKeysEnabled(false);
+     setLookAndFeel();
+     setBackground(Color.white);
++
++    SecurityClient.setDefaults();
+   }
+ 
+   private void getTimestamp() {
+@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet
+     if (embed.getValue() && nViewers == 0) {
+       alwaysShowServerDialog.setParam(false);
+       Configuration.global().readAppletParams(this);
++      Configuration.viewer().readAppletParams(this);
+       fullScreen.setParam(false);
+       scalingFactor.setParam("100");
+       String host = getCodeBase().getHost();

u_tigervnc-add-cadata-parameter.patch

@@ -0,0 +1,116 @@
+diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
+index 6014502..9b886b5 100644
+--- a/java/com/tigervnc/rfb/CSecurityTLS.java
++++ b/java/com/tigervnc/rfb/CSecurityTLS.java
+@@ -47,6 +47,9 @@ public class CSecurityTLS extends CSecurity {
+   public static StringParameter x509crl
+   = new StringParameter("x509crl",
+                         "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer);
++  public static StringParameter x509autoaccept
++  = new StringParameter("x509autoaccept",
++                        "X509 Certificate SHA-1 fingerprint", "", Configuration.ConfigurationObject.ConfViewer);
+ 
+   private void initGlobal()
+   {
+@@ -71,6 +74,7 @@ public class CSecurityTLS extends CSecurity {
+     setDefaults();
+     cafile = x509ca.getData();
+     crlfile = x509crl.getData();
++    certautoaccept = x509autoaccept.getData();
+   }
+ 
+   public static String getDefaultCA() {
+@@ -247,34 +251,46 @@ public class CSecurityTLS extends CSecurity {
+       try {
+ 	      tm.checkServerTrusted(chain, authType);
+       } catch (CertificateException e) {
+-        Object[] answer = {"Proceed", "Exit"};
+-
+-        StringBuilder message = new StringBuilder();
+-        message.append(e.getCause().getLocalizedMessage());
+-        message.append("\nContinue connecting to this host?");
++        String fingerprint = null;
+ 
+         try {
++          StringBuilder fingerprintBuilder = new StringBuilder();
++
+           MessageDigest sha1 = MessageDigest.getInstance("SHA1");
+           sha1.update(chain[0].getEncoded());
+ 
+-          message.append("\nSHA-1 fingerprint: ");
+-
+           for(byte B : sha1.digest()) {
+-            message.append(Integer.toHexString(0xff & B));
+-            message.append(':');
++            fingerprintBuilder.append(String.format("%02x", /*0xff & */B));
++            fingerprintBuilder.append(':');
+           }
+-          message.deleteCharAt(message.length() - 1);
++          fingerprintBuilder.deleteCharAt(fingerprintBuilder.length() - 1);
++
++          fingerprint = fingerprintBuilder.toString();
+         } catch (NoSuchAlgorithmException noSuchAlgorithmException) {
+           // No fingerprint then...
+         }
+ 
+-        int ret = JOptionPane.showOptionDialog(null,
+-          message.toString(),
+-          "Confirm certificate exception?",
+-          JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
+-          null, answer, answer[0]);
+-        if (ret == JOptionPane.NO_OPTION)
+-          System.exit(1);
++        if(fingerprint == null || certautoaccept == null || !fingerprint.equalsIgnoreCase(certautoaccept)) {
++          Object[] answer = {"Proceed", "Exit"};
++
++          StringBuilder message = new StringBuilder();
++          message.append(e.getCause().getLocalizedMessage());
++          message.append("\nContinue connecting to this host?");
++          if(fingerprint != null) {
++            message.append("\nSHA-1 fingerprint: ");
++            message.append(fingerprint);
++            message.append("\nBle: ");
++            message.append(certautoaccept);
++          }
++
++          int ret = JOptionPane.showOptionDialog(null,
++            message.toString(),
++            "Confirm certificate exception?",
++            JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
++            null, answer, answer[0]);
++          if (ret == JOptionPane.NO_OPTION)
++            System.exit(1);
++        }
+       } catch (java.lang.Exception e) {
+         throw new Exception(e.toString());
+       }
+@@ -301,7 +317,7 @@ public class CSecurityTLS extends CSecurity {
+   private SSLEngineManager manager;
+   private boolean anon;
+ 
+-  private String cafile, crlfile;
++  private String cafile, crlfile, certautoaccept;
+   private FdInStream is;
+   private FdOutStream os;
+ 
+diff --git a/java/com/tigervnc/vncviewer/VncViewer.java b/java/com/tigervnc/vncviewer/VncViewer.java
+index cc21c2e..6786636 100644
+--- a/java/com/tigervnc/vncviewer/VncViewer.java
++++ b/java/com/tigervnc/vncviewer/VncViewer.java
+@@ -354,6 +354,8 @@ public class VncViewer extends javax.swing.JApplet
+     parent.setFocusTraversalKeysEnabled(false);
+     setLookAndFeel();
+     setBackground(Color.white);
++
++    SecurityClient.setDefaults();
+   }
+ 
+   private void getTimestamp() {
+@@ -375,6 +377,7 @@ public class VncViewer extends javax.swing.JApplet
+     if (embed.getValue() && nViewers == 0) {
+       alwaysShowServerDialog.setParam(false);
+       Configuration.global().readAppletParams(this);
++      Configuration.viewer().readAppletParams(this);
+       fullScreen.setParam(false);
+       scalingFactor.setParam("100");
+       String host = getCodeBase().getHost();

u_tigervnc-build-with-xserver-1.17.patch

@@ -1,52 +0,0 @@
-Author: Michal Srb <msrb@suse.com>
-Subject: Build with xserver 1.17.x.
-
-Do not use removed xalloc&xfree.
-Add 1.17.x to supported list.
-
-Index: tigervnc-1.4.1/unix/xserver/hw/vnc/xorg-version.h
-===================================================================
---- tigervnc-1.4.1.orig/unix/xserver/hw/vnc/xorg-version.h
-+++ tigervnc-1.4.1/unix/xserver/hw/vnc/xorg-version.h
-@@ -48,8 +48,10 @@
- #define XORG 115
- #elif XORG_VERSION_CURRENT < ((1 * 10000000) + (16 * 100000) + (99 * 1000))
- #define XORG 116
-+#elif XORG_VERSION_CURRENT < ((1 * 10000000) + (17 * 100000) + (99 * 1000))
-+#define XORG 117
- #else
--#error "X.Org newer than 1.16 is not supported"
-+#error "X.Org newer than 1.17 is not supported"
- #endif
- 
- #endif
-Index: tigervnc-1.4.1/unix/xserver/hw/vnc/xvnc.cc
-===================================================================
---- tigervnc-1.4.1.orig/unix/xserver/hw/vnc/xvnc.cc
-+++ tigervnc-1.4.1/unix/xserver/hw/vnc/xvnc.cc
-@@ -717,9 +717,9 @@ vfbInstallColormap(ColormapPtr pmap)
- 	entries = pmap->pVisual->ColormapEntries;
- 	pVisual = pmap->pVisual;
- 
--	ppix = (Pixel *)xalloc(entries * sizeof(Pixel));
--	prgb = (xrgb *)xalloc(entries * sizeof(xrgb));
--	defs = (xColorItem *)xalloc(entries * sizeof(xColorItem));
-+	ppix = (Pixel *)malloc(entries * sizeof(Pixel));
-+	prgb = (xrgb *)malloc(entries * sizeof(xrgb));
-+	defs = (xColorItem *)malloc(entries * sizeof(xColorItem));
- 
- 	for (i = 0; i < entries; i++)  ppix[i] = i;
- 	/* XXX truecolor */
-@@ -738,9 +738,9 @@ vfbInstallColormap(ColormapPtr pmap)
- 	}
- 	(*pmap->pScreen->StoreColors)(pmap, entries, defs);
- 	
--	xfree(ppix);
--	xfree(prgb);
--	xfree(defs);
-+	free(ppix);
-+	free(prgb);
-+	free(defs);
-     }
- }
- 

u_tigervnc-display-SHA-1-fingerprint-of-untrusted-certificate.patch

@@ -0,0 +1,48 @@
+From af09e89d54b57649cf60363d03f84d129baecd27 Mon Sep 17 00:00:00 2001
+From: Michal Srb <michalsrb@gmail.com>
+Date: Tue, 7 Jul 2015 02:38:18 +0300
+Subject: [PATCH 2/2] Display SHA-1 fingerprint of untrusted certificate in
+ java client.
+
+---
+ java/com/tigervnc/rfb/CSecurityTLS.java | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
+index 7633f08..6014502 100644
+--- a/java/com/tigervnc/rfb/CSecurityTLS.java
++++ b/java/com/tigervnc/rfb/CSecurityTLS.java
+@@ -248,9 +248,28 @@ public class CSecurityTLS extends CSecurity {
+ 	      tm.checkServerTrusted(chain, authType);
+       } catch (CertificateException e) {
+         Object[] answer = {"Proceed", "Exit"};
++
++        StringBuilder message = new StringBuilder();
++        message.append(e.getCause().getLocalizedMessage());
++        message.append("\nContinue connecting to this host?");
++
++        try {
++          MessageDigest sha1 = MessageDigest.getInstance("SHA1");
++          sha1.update(chain[0].getEncoded());
++
++          message.append("\nSHA-1 fingerprint: ");
++
++          for(byte B : sha1.digest()) {
++            message.append(Integer.toHexString(0xff & B));
++            message.append(':');
++          }
++          message.deleteCharAt(message.length() - 1);
++        } catch (NoSuchAlgorithmException noSuchAlgorithmException) {
++          // No fingerprint then...
++        }
++
+         int ret = JOptionPane.showOptionDialog(null,
+-          e.getCause().getLocalizedMessage()+"\n"+
+-          "Continue connecting to this host?",
++          message.toString(),
+           "Confirm certificate exception?",
+           JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
+           null, answer, answer[0]);
+-- 
+2.1.4
+

u_tigervnc-use-default-trust-manager-in-java-viewer-if-custom.patch

@@ -0,0 +1,60 @@
+From d6d847633660abb99764192f73da7be5adf3da9c Mon Sep 17 00:00:00 2001
+From: Michal Srb <michalsrb@gmail.com>
+Date: Tue, 7 Jul 2015 02:09:21 +0300
+Subject: [PATCH 1/2] Use default trust manager in java viewer if custom CA is
+ not specified.
+
+---
+ java/com/tigervnc/rfb/CSecurityTLS.java | 34 +++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
+index 6f799bb..7633f08 100644
+--- a/java/com/tigervnc/rfb/CSecurityTLS.java
++++ b/java/com/tigervnc/rfb/CSecurityTLS.java
+@@ -207,24 +207,26 @@ public class CSecurityTLS extends CSecurity {
+       try {
+         ks.load(null, null);
+         File cacert = new File(cafile);
+-        if (!cacert.exists() || !cacert.canRead())
+-          return;
+-        InputStream caStream = new FileInputStream(cafile);
+-        X509Certificate ca = (X509Certificate)cf.generateCertificate(caStream);
+-        ks.setCertificateEntry("CA", ca);
+-        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
+-        File crlcert = new File(crlfile);
+-        if (!crlcert.exists() || !crlcert.canRead()) {
+-          params.setRevocationEnabled(false);
++        if (!cacert.exists() || !cacert.canRead()) {
++          tmf.init((KeyStore)null); // Use default trust manager
+         } else {
+-          InputStream crlStream = new FileInputStream(crlfile);
+-          Collection<? extends CRL> crls = cf.generateCRLs(crlStream);
+-          CertStoreParameters csp = new CollectionCertStoreParameters(crls);
+-          CertStore store = CertStore.getInstance("Collection", csp);
+-          params.addCertStore(store);
+-          params.setRevocationEnabled(true);
++          InputStream caStream = new FileInputStream(cafile);
++          X509Certificate ca = (X509Certificate)cf.generateCertificate(caStream);
++          ks.setCertificateEntry("CA", ca);
++          PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
++          File crlcert = new File(crlfile);
++          if (!crlcert.exists() || !crlcert.canRead()) {
++            params.setRevocationEnabled(false);
++          } else {
++            InputStream crlStream = new FileInputStream(crlfile);
++            Collection<? extends CRL> crls = cf.generateCRLs(crlStream);
++            CertStoreParameters csp = new CollectionCertStoreParameters(crls);
++            CertStore store = CertStore.getInstance("Collection", csp);
++            params.addCertStore(store);
++            params.setRevocationEnabled(true);
++          }
++          tmf.init(new CertPathTrustManagerParameters(params));
+         }
+-        tmf.init(new CertPathTrustManagerParameters(params));
+       } catch (java.io.FileNotFoundException e) {
+         vlog.error(e.toString());
+       } catch (java.io.IOException e) {
+-- 
+2.1.4
+

u_tigervnc-use_preferred_mode.patch

@@ -6,22 +6,21 @@ References: bnc#896540
 If there is any resolution specified with -geometry or -screen parameters,
 report this resolution as preferred one. That way desktop environments won't
 change it immediately after start.
-Index: unix/xserver/hw/vnc/xvnc.cc
+Index: unix/xserver/hw/vnc/xvnc.c
 ===================================================================
---- unix/xserver/hw/vnc/xvnc.cc	(revision 5186)
-+++ unix/xserver/hw/vnc/xvnc.cc	(working copy)
-@@ -1319,12 +1319,22 @@
-     /* Make sure the CRTC has this output set */
+--- unix/xserver/hw/vnc/xvnc.c.orig
++++ unix/xserver/hw/vnc/xvnc.c
+@@ -1296,12 +1296,24 @@ static RRCrtcPtr vncRandRCrtcCreate(Scre
      vncRandRCrtcSet(pScreen, crtc, NULL, 0, 0, RR_Rotate_0, 1, &output);
  
--    /* Populate a list of default modes */
--    RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths)];
--    int num_modes;
-+    /* Populate a list of modes */
-+    RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1];
-+    int num_modes = 0;
+     /* Populate a list of default modes */
+-    modes = malloc(sizeof(RRModePtr)*sizeof(vncRandRWidths)/sizeof(*vncRandRWidths));
++    modes = malloc(sizeof(RRModePtr)*sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1);
+     if (modes == NULL)
+         return NULL;
  
--    num_modes = 0;
+     num_modes = 0;
++
 +    /* Start with requested mode */
 +    mode = vncRandRModeGet(pScreen->width, pScreen->height);
 +    if(mode != NULL) {
@@ -30,19 +29,19 @@ Index: unix/xserver/hw/vnc/xvnc.cc
 +    }
 +
 +    /* Add default modes */
-     for (int i = 0;i < sizeof(vncRandRWidths)/sizeof(*vncRandRWidths);i++) {
+     for (i = 0;i < sizeof(vncRandRWidths)/sizeof(*vncRandRWidths);i++) {
 +        if (vncRandRWidths[i] == pScreen->width && vncRandRHeights[i] == pScreen->height)
 +            continue;
 +
          mode = vncRandRModeGet(vncRandRWidths[i], vncRandRHeights[i]);
          if (mode != NULL) {
              modes[num_modes] = mode;
-@@ -1332,7 +1342,7 @@
+@@ -1309,7 +1321,7 @@ static RRCrtcPtr vncRandRCrtcCreate(Scre
          }
      }
  
 -    RROutputSetModes(output, modes, num_modes, 0);
 +    RROutputSetModes(output, modes, num_modes, 1);
  
-     return crtc;
- }
+     free(modes);
+ 

v1.4.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0b2603db2b32dfd6e48f6f59618bd9819d187bfbb0c16218637d074a69756824
-size 1372873

v1.5.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7b0ec1a85d708f72fee17326bd1f894b9132df089226561306f4c2ef19d7df25
+size 1268682

vnc.xinetd

@@ -8,9 +8,9 @@ service vnc1
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes none -log *:syslog:30
+	server_args	= -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -23,9 +23,9 @@ service vnc2
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes none -log *:syslog:30
+	server_args	= -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -38,9 +38,9 @@ service vnc3
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes none -log *:syslog:30
+	server_args	= -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -53,7 +53,7 @@ service vnchttpd1
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/vnc_inetd_httpd
 	server_args	= 1024 768 5901
 	disable		= yes
@@ -68,7 +68,7 @@ service vnchttpd2
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/vnc_inetd_httpd
 	server_args	= 1280 1024 5902
 	disable		= yes
@@ -83,7 +83,7 @@ service vnchttpd3
 	socket_type	= stream
 	protocol	= tcp
 	wait		= no
-	user		= nobody
+	user		= vnc
 	server		= /usr/bin/vnc_inetd_httpd
 	server_args	= 1600 1200 5903
 	disable		= yes

vnc_inetd_httpd

@@ -1,62 +1,114 @@
-#!/bin/bash
-read request url httptype || exit 0
-url="${url/
/}"
-httptype="${httptype/
/}"
+#!/usr/bin/env python
 
-width=$1
-height=$2
-port=$3
+# This is simple stupid WWW server intended to serve VNC java applet.
+# It is made to be called by xinetd.
+# It handles both HTTP and HTTPS on the same port. If HTTPS is allowed, any HTTP requests is responded with redirect to HTTPS.
 
-if [ "x$httptype" != "x" ]; then
-	line="x"
-	while [ -n "$line" ]; do
-		read line || exit 0
-		line="${line/
/}"
-	done
-fi
-case "$url" in
-/)
-	# We need the size of the display for the current applet.
-	# The VNC menubar is 20 pixels high ...
-	height=$((height+20))
-	ctype="text/html"
-	content="
-<HTML><HEAD><TITLE>Remote Desktop</TITLE></HEAD>
-<BODY>
-<APPLET CODE=\"com.tigervnc.vncviewer.VncViewer\" ARCHIVE=\"VncViewer.jar\" WIDTH=\"$width\" HEIGHT=\"$height\">
-	<PARAM name=\"Port\" value=\"$port\">
-	<param name=\"Embed\" value=\"true\">
-	<param name=\"AlwaysShowServerDialog\" value=\"false\">
-</APPLET>
-</BODY></HTML>"
-	;;
-*.jar|*.class)
-	# Use basename to make sure we have just a filename, not ../../...
-	url=${url/.*\/}
-	ctype="application/octet-stream"
-	cfile="/usr/share/vnc/classes/$url"
-	content="FILE"
-	;;
-esac
+import re
+import sys
+import socket
+import time
 
-if [ "x$httptype" != "x" ]; then
-	echo "HTTP/1.0 200 OK"
-	echo "Content-Type: $ctype"
-	if [ "$content" == "FILE" ]; then
-		clen=`wc -c "$cfile"`
-	else
-		clen=`echo "$content"|wc -c`
-	fi
-	echo "Content-Length: $clen"
-	echo "Connection: close"
-	echo
-fi
+from OpenSSL import SSL, crypto
 
-if [ "$request" == "GET" ]; then
-	if [ "$content" == "FILE" ]; then
-		cat "$cfile"
-	else
-		echo "$content"
-	fi
-fi
-exit 0
+TLS_KEY = "/etc/vnc/tls.key"
+TLS_CERT = "/etc/vnc/tls.cert"
+JAR_FILE = "/usr/share/vnc/classes/VncViewer.jar"
+TIMEOUT = 10
+
+WIDTH = int(sys.argv[1])
+HEIGHT = int(sys.argv[2])
+VNC_PORT = int(sys.argv[3])
+USE_HTTPS = not (len(sys.argv) >= 5 and sys.argv[4] == "NoHTTPS")
+
+
+# Take the stdin as our input socket (given from xinetd)
+conn = sock = socket.fromfd(sys.stdin.fileno(), socket.AF_INET, socket.SOCK_STREAM)
+
+# If we are supposed to use HTTPS, load certificate and replace conn with SSL connection.
+if USE_HTTPS:
+  cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(TLS_CERT, 'r').read())
+
+  context = SSL.Context(SSL.SSLv23_METHOD)
+  context.use_privatekey_file(TLS_KEY)
+  context.use_certificate(cert)
+
+  conn = SSL.Connection(context, sock)
+  conn.set_accept_state()
+
+# Send normal response
+def send_response(connection, ctype, response):
+  connection.sendall(
+    "HTTP/1.0 200 OK\n" +
+    "Content-Type: " + ctype + "\n" +
+    "Content-Length: " + str(len(response)) + "\n" +
+    "Connection: close\n" +
+    "\n" +
+    response
+  )
+
+# Send redirect
+def send_redirect(connection, ctype, response, location):
+  connection.sendall(
+    "HTTP/1.0 301 Moved Permanently\n" +
+    "Location: " + location + "\n" +
+    "Content-Type: " + ctype + "\n" +
+    "Content-Length: " + str(len(response)) + "\n" +
+    "Connection: close\n" +
+    "\n" +
+    response
+  )
+
+
+# Try to read and parse HTTP request
+try:
+  start_time = time.time()
+  buffer = ''
+  while True:
+    buffer += conn.recv(1024)
+
+    if buffer.endswith("\r\n\r\n") or start_time + TIMEOUT < time.time():
+      break
+
+  method, url = buffer.split(" ", 2)[0:2]
+
+  if url == '/VncViewer.jar':
+    with open(JAR_FILE, 'r') as file:
+      send_response(conn, "application/octet-stream", file.read())
+  else:
+    response = \
+    """<html>
+        <head>
+          <title>Remote Desktop</title>
+        </head>
+        <body>
+          <embed type="application/x-java-applet;version=1.6" code="com.tigervnc.vncviewer.VncViewer" archive="VncViewer.jar" width="%d" height="%d"
+            Port="%d"
+            Embed="true"
+            AlwaysShowServerDialog="false"
+            SecurityTypes="%s"
+            x509autoaccept="%s"
+          >
+        </body>
+      </html>
+    """%(WIDTH, HEIGHT, VNC_PORT, 'X509None' if USE_HTTPS else 'TLSNone', cert.digest('SHA1') if USE_HTTPS else '')
+
+    send_response(conn, "text/html", response)
+
+except SSL.Error:
+  # If SSL failed, it is most probably because the browser is actually trying to do normal HTTP request.
+
+  # We have now a partially consumed HTTP request in sock, let's try if we can get Host header out of it
+  partial_request = sock.recv(8000) # Arbitrary big number, if the request is longer than this, we will just skip the rest.
+
+  host = None
+  match = re.search(r"\r\nHost: ([^\r]+)\r\n", partial_request)
+  if match:
+    host = match.group(1)
+
+  if host:
+    # If we got host header, we can redirect nicely with HTTP 301.
+    send_redirect(sock, "text.html", "<html><body>Use https.</body></html>", "https://" + host)
+  else:
+    # If we don't know the host header, redirect using javascript.
+    send_response(sock, "text.html", "<html><head><script>document.location.protocol = 'https';</script></head><body>Use https.</body></html>")