SHA256
1
0
forked from pool/tigervnc
tigervnc/with-vnc-key.sh
Stefan Dirsch 576bd884a2 Accepting request 688610 from home:yfjiang:branches:X11:XOrg
- Update with-vnc-key.sh to use only hostname for CN.
  The gnutls introduces gnutls_x509_crt_check_hostname2 in
  gnutls/lib/x509/hostname-verify.c#L159 to check if the given
  certificate's subject matches the given hostname.
  The function is used by the recent version of libvncclient which
  will fail to verify the certification if there is a mismatching
  between the connected hostname and the cert issuer's common name.
  https://github.com/LibVNC/libvncserver/commit/cc69ee9
  So the previous way to generate the vnc server's cert brings a
  complicated CN, making the client using libvncclient
  (e.g. vinagre, remmina) hard to adapt the hostname check. It is
  better to populate the hostname as the common name without extra
  strings.

OBS-URL: https://build.opensuse.org/request/show/688610
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=159
2019-03-26 10:06:02 +00:00

38 lines
1.0 KiB
Bash

#!/bin/bash
# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command.
TLSKEY=/etc/vnc/tls.key
TLSCERT=/etc/vnc/tls.cert
if test -s $TLSKEY -a -s $TLSCERT; then
# Execute the command we were given.
exec "$@"
fi
(
# Wait for lock on the key file. We must not proceed while someone else is creating it.
flock 200
# If the key file doesn't exist or has zero size (because it doubles as lock), generate it.
if ! test -s $TLSKEY ; then
(umask 077 && openssl genrsa -out $TLSKEY 2048) >&200
chown vnc:vnc $TLSKEY
fi
# If the cert file doesn't exist, generate it.
if ! test -e $TLSCERT ; then
# Keeping it short, because hostname could be long and max CN is 64 characters
CN="`hostname`"
CN=${CN:0:64}
openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
chown vnc:vnc $TLSCERT
fi
) 200>>$TLSKEY 2>/dev/null
# Execute the command we were given.
exec "$@"