[PVE-User] external VNC connection problem

Muhammad Yousuf Khan sirtcp at gmail.com
Fri May 17 21:20:57 CEST 2013


thanks for the clarification and detailed answer. :)


On Fri, May 17, 2013 at 8:25 PM, Patrice Levesque <pve.wayne at ptaff.ca>wrote:

>
> > "hostname 10.x.x.13 does not match any certificate. do you want to
> > continue?" doesn't it mean my security is weaker or it is just a
> > warning of some kind which i can ignore?
>
> AFAIK the certificate sent by the VNC server is self-signed; your
> tigervnc client will hence complain, as the certificate presented by the
> server was not signed by a recognized authority.
>
> This doesn't make the encryption less effective, but the mechanism
> doesn't validate you're actually connecting to the right machine¹.  If
> you're tunneling through SSH you can be confident your client talks to
> the right server² and can safely ignore the warning.
>
> To get rid of the unmatching certificate warning, you have choices:
>
>         - Override the self-signed certificates with your own certificates
>           (Info on http://comments.gmane.org/gmane.linux.pve.devel/464might
>           be useful as well as other search engines results);
>
>         - Trust the CA stored in /etc/pve/pve-root-ca.pem and make sure
> your
>           domain name matches (an option to tigervnc lets you specify a CA
>           certificate).
>
>
> 1) And the tigervnc client interface — at least my 1.2.0 version — does
> not show you anything about the certificate it receives, even in
> extra-verbose mode, so you cannot manually verify the match.
>
> 2) Of course you *do* verify the SSH server fingerprint when you
> connect? :)
>
>
>
> --
>  --====|====--
>     --------================|================--------
>         Patrice Levesque
>          http://ptaff.ca/
>         pve.wayne at ptaff.ca
>     --------================|================--------
>  --====|====--
> --
>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pve.proxmox.com/pipermail/pve-user/attachments/20130518/b7a14f06/attachment-0015.html>


More information about the pve-user mailing list