[Pkg-tigervnc-devel] pkg-tigervnc.git - master (branch) updated: debian/1.6.0+dfsg-2-30-g57ede9e

Ola Lundqvist ola.lundqvist at gmail.com
Wed Jan 4 12:07:02 UTC 2017


Great!

Will you upload or do you want me to do that?

Sent from a phone

On 4 Jan 2017 11:28, "Joachim Falk" <joachim.falk at gmx.de> wrote:

> Hi Ola,
>
> On 03.01.2017 at 23:36, Ola Lundqvist wrote:
> > Hi Joachim
> >
> > On 3 January 2017 at 18:02, Joachim Falk <joachim.falk at gmx.de> wrote:
> >> Hi Ola,
> >>
> >> On 03.01.2017 at 17:46, Ola Lundqvist wrote:
> >>> Hi Joachim
> >>>
> >>> The new cfg file. Are admins supposed to be able to edit it?
> >> I don't think so. At least in the package ssl-cert -- that
> >> I used as inspiration -- they are also under /usr/share/ssl-cert.
> >> Thus, they are not supposed to be admin editable. The ssl-cert
> >> package is used to create the ssl-cert-snakeoil.key self signed
> >> certificate. I have opted for a somewhat more modern crypto algo,
> >> i.e., ECDSA with NIST curve secp384r1 and SHA256 hash.
> >>
> >> If the user wants their own certificate, instead of the on-demand
> >> auto-generated one, they can specify them via -X509Cert and -X509Key
> >> or replace the auto-generated files in ~/.vnc. They will not be
> >> overwritten once generated.
> > Thank you for explaining this a little more.
> >
> > Do I understand that it works like this:
> > 1) tigervncserver will be able to automatically create SSL certs (self
> > signed) based on the files in /usr/share/tigervnc.
> > 2) The created cert will be placed in the user home directory.
> > 3) The SSL config files are just used for the auto-generation of
> > certificates.
> exactly.
>
> > With this approach I think you are right that they do not need to be
> > admin editable. However I still think it may be better to put them in
> > /etc/tigervnc.
> >
> > The reason is that an admin may want to have some other default
> > security setting for the automatically generated certificates. For
> > example other default crypto algorithm, key size or whatever. If we
> > put them in /usr the admin cannot edit it, because on upgrade it will
> > be overwritten.
> However, editing ssleay.cnf by the admin is insufficient to exactly
> influence the generated certificate. Hence, there is now a new
> option $sslAutoGenCertCommand in /etc/vnc.conf to configure the
> parameters for the used openssl command. I also added an explanation
> there how the whole auto-generation works.
>
> >
> > This means that I would actually vote for putting these two config
> > files in /etc anyway, even though they do not strictly need to be
> > there.
> They are now in /etc/tigervnc.
>
> > At the same time I think we should remove the word "example" from the
> > config file. :-)
> There is now a nice explanation text at the beginning of the
> /etc/tigervnc/ssleay.cnf.
>
> >
> > Best regards
> >
> > // Ola
>
> Regards,
> Joachim Falk
>
>
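
The on-demand generation discussed in the quoted thread (a self-signed ECDSA certificate on secp384r1 with a SHA256 signature, never overwritten once generated), as an added example that is not the tigervnc package's own code. The file names `key.pem`/`cert.pem`, the function names and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not the tigervnc package's script. File and function names
# are assumptions; the curve and hash are the ones named in the thread.

# Create key.pem/cert.pem under $1 for CN $2 unless they already exist.
gen_cert_once() {
    dir=$1; cn=$2
    key="$dir/key.pem"; cert="$dir/cert.pem"    # hypothetical file names
    # Existing material is never overwritten, so a certificate the user
    # placed in the directory survives later runs.
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 0
    fi
    # Only one half present: refuse rather than clobber a user's file.
    if [ -e "$key" ] || [ -e "$cert" ]; then
        return 1
    fi
    mkdir -p "$dir" || return 1
    (
        umask 077                               # private key: owner access only
        openssl req -x509 -nodes -newkey ec \
            -pkeyopt ec_paramgen_curve:secp384r1 -sha256 \
            -days 365 -subj "/CN=$cn" \
            -keyout "$key" -out "$cert" 2>/dev/null
    )
}

# Return 0 only if the pair is what the thread describes: ECDSA on secp384r1,
# SHA256 signature, key matching the certificate, key unreadable by others.
check_cert() {
    dir=$1
    key="$dir/key.pem"; cert="$dir/cert.pem"
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    echo "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' || return 1
    echo "$text" | grep -q 'ASN1 OID: secp384r1' || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || return 1
}
```

`check_cert` is also useful against a certificate supplied via -X509Cert and -X509Key, since it shows whether a replacement is weaker than the auto-generated default.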