On Thu, Jul 31, 2025 at 6:50 AM Oleg Rosowiecki <[email protected]> wrote:
> Hello, > > I am struggling to make Guacamole use TLS with VNC. Anonymous TLS works, > but my requirement is not to use anonymous TLS. If I configure a > certificate on the server side of the VNC connection (I'm using x11vnc as > the server), Guacamole is unable to establish communication to the server. > I am running Guacamole version 1.6.0. > > Can you provide more specific details as to how you're setting this up on the server side? Depending on what you mean by "TLS with VNC", Guacamole may not support this, but it's a bit hard to say. It _should_ support TLS + normal VNC credentials (username + password and possibly even just password). I haven't looked at the libvncserver library for this specifically, but I would not be shocked if it doesn't support certificate-based authentication (client certificates). Anyway, more detail on how you're configuring the server should help determine that. > guacd displays the following in debug mode (reducing the log to relevant > entries): > > Received security type 10 (0/1 in the list) > Selected Security Scheme 10 > Got VeNCrypt version 0.2. from server. > We have 1 security types to read. > 0) Received security type 260 > Selecting security type 260 > GnuTLS version 3.8.10 initialized. > guacd[4139]: ERROR: Unsupported credential type requested. > guacd[4139]: DEBUG: Unable to provide requested type of credential: 1. > > As far as I can see, the error messages are produced by > guac_vnc_get_credentials() function in the guacd source code. The function > only expects rfbCredentialTypeUser (2, defined in libvncserver). All other > types are rejected, including the numeric value 1 reported in the log. This > value 1 corresponds to rfbCredentialTypeX509 in libvncserver. > > The fact that it's triggering a rfbCredentialTypeX509 makes me think that it's trying to do certificate-based authentication. Again, I'm uncertain as to the level of support libvncserver has for this - if it does support it, then we just need to implement it in Guacamole. If it does not, then you're out of luck. -Nick
