[PVE-User] external VNC connection problem
Patrice Levesque
pve.wayne at ptaff.ca
Fri May 17 17:25:54 CEST 2013
> "hostname 10.x.x.13 does not match any certificate. do you want to
> continue?" doesn't it mean my security is weaker or it is just a
> warning of some kind which I can ignore?

AFAIK the certificate sent by the VNC server is self-signed; your
tigervnc client will hence complain, as the certificate presented by the
server was not signed by a recognized authority.

This doesn't make the encryption less effective, but the mechanism
doesn't validate you're actually connecting to the right machine¹. If
you're tunneling through SSH you can be confident your client talks to
the right server² and can safely ignore the warning.

To get rid of the unmatching certificate warning, you have choices:

- Override the self-signed certificates with your own certificates
  (Info on http://comments.gmane.org/gmane.linux.pve.devel/464 might
  be useful as well as other search engine results);
- Trust the CA stored in /etc/pve/pve-root-ca.pem and make sure your
  domain name matches (an option to tigervnc lets you specify a CA
  certificate).

1) And the tigervnc client interface — at least my 1.2.0 version — does
   not show you anything about the certificate it receives, even in
   extra-verbose mode, so you cannot manually verify the match.
2) Of course you *do* verify the SSH server fingerprint when you
   connect? :)

--
--====|====--
--------================|================--------
Patrice Levesque
http://ptaff.ca/
pve.wayne at ptaff.ca
--------================|================--------
--====|====--
--
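
The two checks behind the warning discussed in this message (does the certificate chain to a CA you trust, and does the name you connect to appear in it), reproduced offline with the openssl CLI as an added example that is not part of the original message. The CA, the host name pve1.example.test and the address 10.0.0.13 are constructed for the demo; on a Proxmox node the CA file would be the /etc/pve/pve-root-ca.pem mentioned above.

```shell
#!/bin/sh
# Added example: throwaway PKI built at run time; names, IP and files are constructed.

# check_server_cert CA_FILE CERT_FILE NAME
# Succeeds only if CERT_FILE chains to CA_FILE and NAME (DNS name or IPv4
# address) is one of the identities in the certificate.
check_server_cert() {
    case "$3" in
        *[!0-9.]*) name_opt=-verify_hostname ;;  # contains a non-digit: DNS name
        *)         name_opt=-verify_ip ;;        # digits and dots only: IPv4
    esac
    # -no-CApath keeps the system trust directory out of the decision.
    openssl verify -no-CApath -CAfile "$1" "$name_opt" "$3" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: writes ca.pem (CA), srv.pem (signed by that CA, valid for
# pve1.example.test only) and self.pem (self-signed) into DIR.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=Constructed Demo CA' '[ext]' \
        'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    echo 'subjectAltName=DNS:pve1.example.test' > "$d/san.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -subj '/CN=pve1.example.test' \
        -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/san.cnf" -days 1 -out "$d/srv.pem" \
        2>/dev/null &&
    openssl req -x509 -config "$d/ca.cnf" -subj '/CN=pve1.example.test' \
        -newkey rsa:2048 -nodes -days 1 -keyout "$d/self.key" \
        -out "$d/self.pem" 2>/dev/null
}

report() {
    if check_server_cert "$@"; then echo "accept: $3 with ${2##*/}"
    else echo "reject: $3 with ${2##*/}"; fi
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
report "$demo/ca.pem" "$demo/srv.pem"  pve1.example.test  # trusted CA, name in cert
report "$demo/ca.pem" "$demo/srv.pem"  10.0.0.13          # trusted CA, IP not in cert
report "$demo/ca.pem" "$demo/self.pem" pve1.example.test  # not signed by the CA
rm -rf "$demo"
```

Connecting by IP address fails the name check even with the CA trusted, which is why the message pairs trusting the CA with making sure the name matches.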