[Pkg-tigervnc-devel] pkg-tigervnc.git - master (branch) updated: debian/1.6.0+dfsg-2-30-g57ede9e

Joachim Falk joachim.falk at gmx.de
Wed Jan 4 10:28:11 UTC 2017


Hi Ola,

On 03.01.2017 at 23:36, Ola Lundqvist wrote:
> Hi Joachim
> 
> On 3 January 2017 at 18:02, Joachim Falk <joachim.falk at gmx.de> wrote:
>> Hi Ola,
>>
>> On 03.01.2017 at 17:46, Ola Lundqvist wrote:
>>> Hi Joachim
>>>
>>> The new cfg file. Are admins supposed to be able to edit it?
>> I don't think so. At least in the package ssl-cert -- that
>> I used as inspiration -- they are also under /usr/share/ssl-cert.
>> Thus, they are not supposed to be admin editable. The ssl-cert
>> package is used to create the ssl-cert-snakeoil.key self-signed
>> certificate. I have opted for a somewhat more modern crypto algo,
>> i.e., ECDSA with NIST curve secp384r1 and SHA256 hash.
>>
>> If the user wants their own certificate, instead of the on-demand
>> auto-generated one, they can specify them via -X509Cert and -X509Key
>> or replace the auto-generated files in ~/.vnc. They will not be
>> overwritten once generated.
> Thank you for explaining this a little more.
> 
> Do I understand that it works like this:
> 1) tigervncserver will be able to automatically create SSL certs (self
> signed) based on the files in /usr/share/tigervnc.
> 2) The created cert will be placed in the user home directory.
> 3) The SSL config files are just used for the auto-generation of certificates.
Exactly.

> With this approach I think you are right that they do not need to be
> admin editable. However I still think it may be better to put them in
> /etc/tigervnc.
> 
> The reason is that an admin may want to have some other default
> security setting for the automatically generated certificates. For
> example other default crypto algorithm, key size or whatever. If we
> put them in /usr the admin cannot edit it, because on upgrade it will
> be overwritten.
However, editing ssleay.cnf by the admin is insufficient to exactly
influence the generated certificate. Hence, there is now a new
option $sslAutoGenCertCommand in /etc/vnc.conf to configure the
parameters for the used openssl command. I also added an explanation
there of how the whole auto-generation works.

> 
> This means that I would actually vote for putting these two config
> files in /etc anyway, even though they do not strictly need to be
> there.
They are now in /etc/tigervnc.

> At the same time I think we should remove the word "example" from the
> config file. :-)
There is now a nice explanation text at the beginning of the
/etc/tigervnc/ssleay.cnf.

> 
> Best regards
> 
> // Ola

Regards,
Joachim Falk
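
The generate-once behaviour discussed in this thread, as an added example that is not part of the message or of the tigervnc package: it creates an ECDSA secp384r1 key and a SHA256-signed self-signed certificate from a small request template and never overwrites existing files. The function names, the file names `x509-key.pem` and `x509-cert.pem`, the CN, the 365-day validity and the inline template (a stand-in for a packaged ssleay.cnf) are assumptions.

```shell
#!/bin/sh
# Added example, not tigervnc's own script. File names, CN and validity
# period are assumptions chosen for illustration.

# ensure_vnc_cert DIR: create DIR/x509-key.pem and DIR/x509-cert.pem
# unless they already exist. Existing files are never overwritten.
ensure_vnc_cert() {
    dir=$1
    key="$dir/x509-key.pem"
    cert="$dir/x509-cert.pem"

    # Both present: user-supplied or previously generated, leave untouched.
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 0
    fi
    # Only one present: refuse rather than clobber the surviving half.
    if [ -e "$key" ] || [ -e "$cert" ]; then
        echo "incomplete key/cert pair in $dir, not overwriting" >&2
        return 2
    fi

    [ -d "$dir" ] || mkdir -m 700 -p "$dir" || return 1
    cnf=$(mktemp) || return 1
    # Minimal constructed request template.
    cat > "$cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = vnc-host.example
EOF
    (
        umask 077   # private key is created readable by the owner only
        openssl ecparam -genkey -name secp384r1 -noout -out "$key" &&
        openssl req -new -x509 -sha256 -days 365 -config "$cnf" \
            -key "$key" -out "$cert"
    )
    rc=$?
    rm -f "$cnf"
    return $rc
}

# cert_summary CERT: print the curve and signature algorithm of CERT.
cert_summary() {
    openssl x509 -in "$1" -noout -text |
        grep -E 'ASN1 OID|Signature Algorithm' | sort -u | sed 's/^ *//'
}
```
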
