X509 client authentication #787

Open
mestag-a opened this issue Jan 14, 2019 · 8 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@mestag-a

mestag-a commented Jan 14, 2019

Is there a technical reason why the X509CA configuration option is available on the client side, but not the server side?
I wanted to use this so that a VNC server would only accept client connections from users with a certificate signed from the configured CA.
It is possible to configure OpenVPN and SSH to trust a given CA, so I was wondering why this "trusting feature" was implemented the other way around in TigerVNC.


@CendioOssman
Member

X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.

It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.

@CendioOssman CendioOssman added the enhancement New feature or request label Jan 16, 2019
@CendioOssman CendioOssman changed the title X509CA option on server side X509 client authentication Jan 16, 2019
@samhed samhed added the help wanted Extra attention is needed label May 20, 2020
@pprindeville

I have crypto experience. I could work on this...

@CendioOssman
Member

Go right ahead. We have the development mailing list if you want to discuss technical details.

@opentissandy

opentissandy commented Oct 6, 2024

client_cert.patch.txt

I have made one patch to tag 1.14.0 that can be used with qemu.
Please merge to tag 1.14.0. Thanks.

@pprindeville

> client_cert.patch.txt
>
> I have made one patch to tag 1.14.0 that can be used with qemu. Please merge to tag 1.14.0. Thanks.

Can you create a PR so it can be reviewed?

@pprindeville

> X509 is currently only used to authenticate the server, not the client. So basically how most web servers work.

Not exactly true. Apache has `SSLVerifyClient require` for exactly this purpose. And `SSLVerifyDepth n` controls how far up the certificate has to "ladder up" to a trusted root CA.

> It should theoretically be possible to use client certificates as well, but this is not implemented at the moment. It could also require a protocol extension to work really well.

@KangLin
Contributor

KangLin commented Oct 7, 2024

This is a nice feature, but because gnutls does not support cross-platform (e.g., msvc compilation is not supported), it is recommended to use OpenSSL for this feature.

opentissandy added a commit to opentissandy/tigervnc that referenced this issue Oct 7, 2024
@opentissandy

> > client_cert.patch.txt
> > I have made one patch to tag 1.14.0 that can be used with qemu. Please merge to tag 1.14.0. Thanks.
>
> Can you create a PR so it can be reviewed?

Please review the code.
I have tried to create a PR: #1842
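
The server-side check requested in this issue (accept only client certificates signed by a configured CA), sketched with the openssl command line as an added example; it is not part of the thread, the attached patch, or TigerVNC. The CA, the subjects alice and mallory, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TigerVNC code): the trust decision a server-side CA
# option would make. All names and subjects below are constructed.
set -eu

# Build a throwaway PKI in directory $1: a CA, a client certificate issued
# by that CA (alice), and an unrelated self-signed certificate (mallory).
make_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example VNC CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -days 1 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/alice.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mallory" \
        -keyout "$d/mallory.key" -out "$d/mallory.crt" 2>/dev/null
}

# Exit status 0 only if certificate $2 chains to the CA file $1.
# -no-CApath keeps the system trust directory out of the decision.
client_cert_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "accept" or "reject" for a presented client certificate.
decide() {
    if client_cert_trusted "$1" "$2"; then echo accept; else echo reject; fi
}

demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    echo "alice:   $(decide "$dir/ca.crt" "$dir/alice.crt")"
    echo "mallory: $(decide "$dir/ca.crt" "$dir/mallory.crt")"
    rm -rf "$dir"
}
demo
```

In a real TLS server the same chain check runs during the handshake, together with proof that the client holds the private key for the certificate it presents; checking the certificate file alone is not authentication.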
