[PVE-User] external VNC connection problem

Patrice Levesque pve.wayne at ptaff.ca
Fri May 17 17:25:54 CEST 2013


> "hostname 10.x.x.13 does not match any certificate. do you want to
> continue?" doesn't it mean my security is weaker or it is just a
> warning of some kind which i can ignore?

AFAIK the certificate sent by the VNC server is self-signed; your
tigervnc client will hence complain, as the certificate presented by the
server was not signed by a recognized authority.

This doesn't make the encryption less effective, but the mechanism
doesn't validate you're actually connecting to the right machine¹.  If
you're tunneling through SSH you can be confident your client talks to
the right server² and can safely ignore the warning.

To get rid of the unmatching certificate warning, you have choices:

	- Override the self-signed certificates with your own certificates
	  (Info on http://comments.gmane.org/gmane.linux.pve.devel/464 might
	  be useful as well as other search engines results);

	- Trust the CA stored in /etc/pve/pve-root-ca.pem and make sure your
	  domain name matches (an option to tigervnc lets you specify a CA
	  certificate).


1) And the tigervnc client interface — at least my 1.2.0 version — does
not show you anything about the certificate it receives, even in
extra-verbose mode, so you cannot manually verify the match.

2) Of course you *do* verify the SSH server fingerprint when you
connect? :)



-- 
 --====|====--
    --------================|================--------
        Patrice Levesque
         http://ptaff.ca/
        pve.wayne at ptaff.ca
    --------================|================--------
 --====|====--
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://pve.proxmox.com/pipermail/pve-user/attachments/20130517/18bd4f7b/attachment-0013.sig>


More information about the pve-user mailing list