[Pkg-tigervnc-devel] Bug#912256: tigervnc-viewer: xtigervncviewer does not use the system X.509 root certificates by default
Ben Harris
bjh21 at cam.ac.uk
Mon Oct 29 16:26:27 GMT 2018
Package: tigervnc-viewer
Version: 1.9.0+dfsg-1
Severity: normal
Dear Maintainer,
I have a VNC server configured to use VeNCrypt/X509None security. It
has an X.509 certificate issued by Let's Encrypt (and shared with the
Web server on the system). If I connect to it like this:
    xtigervncviewer cnh.infra.csi.cam.ac.uk
then I get a message telling me that my certificate "has been signed by
an unknown authority". On the other hand, if I specify a root
certificate:
    xtigervncviewer -X509CA /etc/ssl/certs/DST_Root_CA_X3.pem cnh.infra.csi.cam.ac.uk
the viewer connects without complaint.
I would expect, on a Debian system, that a TLS client would use the
system certificate store in /etc/ssl/certs by default, so
xtigervncviewer would connect without complaint without my having to
specify which root certificate to use. At the very least it should have
an option to use the system certificate store.
By contrast, the "openssl" and "gnutls-cli" commands correctly validate
the server's certificate when they connect to port 443.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 4.18.0-1-686-pae (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages tigervnc-viewer depends on:
ii libc6 2.27-6
ii libfltk-images1.3 1.3.4-7
ii libfltk1.3 1.3.4-7
ii libfontconfig1 2.13.1-1
ii libgcc1 1:8.2.0-7
ii libgnutls30 3.5.19-1
ii libjpeg62-turbo 1:1.5.2-2+b1
ii libpam0g 1.1.8-3.8
ii libstdc++6 8.2.0-7
ii libx11-6 2:1.6.7-1
ii libxcursor1 1:1.1.15-1
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxft2 2.3.2-2
ii libxinerama1 2:1.1.4-1
ii libxrender1 1:0.9.10-1
ii zlib1g 1:1.2.11.dfsg-1
tigervnc-viewer recommends no packages.
Versions of packages tigervnc-viewer suggests:
ii tigervnc-common 1.9.0+dfsg-1
-- no debconf information
--
Ben Harris, University of Cambridge Information Services.