On Thu, Aug 7, 2025 at 4:52 AM Oleg Rosowiecki <[email protected]> wrote:
> Thank you for your reply. I looked further. libvnc does seem to support
> X509 certificate-based TLS for VNC. What is missing is support for
> authentication in the guacamole server itself.
> The interaction between guacamole server and libvncclient is as follows.
>
> guacd calls libvncclient to manage the VNC connection. During the initial
> VNC packet exchanges, the VNC server and libvncclient agree on
> encryption/authentication schemes for the VNC connection. My requirement
> for the connection is to:
>
> 1) Use TLS for encryption.
> 2) Avoid using anonymous TLS.

Guacamole supports several encrypted TLS connections for VNC that include authentication support. I just tested with TigerVNC running on Rocky9 and TLSPlain. The encrypted connection works fine (verified it is encrypted with tcpdump + wireshark), and Guacamole prompts for authentication; I'm able to enter a username and password and log in. Guacamole should support VeNCrypt, TLSNone (anonymous TLS), TLSVNC (password-only over TLS), and TLSPlain (username + password over TLS).

> So I configure my VNC server accordingly. I can choose to configure VLS
> authentication type that the server offers to be either rfbVeNCryptX509None
> (260), rfbVeNCryptX509VNC (261) or rfbVeNCryptX509Plain (262), all of which
> are based on X509 certificates. All such attempts result in guacamole
> server dropping the connection and producing output like this one.

Guacamole does *not* currently handle any of the X509 security methods, as it does not contain the required support for certificate-based authentication.

-Nick
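The subtype negotiation discussed in this thread, as an added example that is not part of either message and is not Guacamole or libvncclient code: it parses a VeNCrypt subtype offer and reports which subtypes carry a server certificate and which the reply above says Guacamole handles. Assumptions: the offer is a U8 count followed by big-endian U32 codes (VeNCrypt 0.2), codes 256-259 are as named in libvncserver's `rfbproto.h`, the `TLS*` subtypes negotiate TLS without a server certificate, and the sample offer is constructed.

```python
import struct

# VeNCrypt subtype codes; 260-262 are the ones quoted in the thread,
# 256-259 are taken from libvncserver's rfbproto.h (assumption of this example).
SUBTYPES = {
    256: "Plain", 257: "TLSNone", 258: "TLSVNC", 259: "TLSPlain",
    260: "X509None", 261: "X509VNC", 262: "X509Plain",
}
# Per the reply in this thread: these are handled, none of the X509 ones are.
GUACAMOLE_HANDLED = {"TLSNone", "TLSVNC", "TLSPlain"}


def parse_subtype_list(payload):
    """Parse a subtype offer: U8 count, then `count` big-endian U32 codes."""
    if not payload:
        raise ValueError("empty subtype list")
    count, body = payload[0], payload[1:]
    if len(body) != 4 * count:
        raise ValueError(f"expected {4 * count} subtype bytes, got {len(body)}")
    return list(struct.unpack(f">{count}I", body))


def assess(code):
    """Describe one subtype along the axes the thread cares about."""
    name = SUBTYPES.get(code, f"unknown({code})")
    return {
        "code": code,
        "name": name,
        "tls": name.startswith(("TLS", "X509")),
        # Assumption: only X509* subtypes authenticate the server by certificate.
        "server_cert": name.startswith("X509"),
        "guacamole_handles": name in GUACAMOLE_HANDLED,
    }


def select(payload, require_cert):
    """Names of offered subtypes that use TLS and that Guacamole handles."""
    return [a["name"] for a in map(assess, parse_subtype_list(payload))
            if a["tls"] and a["guacamole_handles"]
            and (a["server_cert"] or not require_cert)]


# Constructed sample offer: a server advertising TLSPlain, X509None, X509Plain.
SAMPLE_OFFER = bytes([3]) + struct.pack(">3I", 259, 260, 262)

if __name__ == "__main__":
    for code in parse_subtype_list(SAMPLE_OFFER):
        print(assess(code))
    print("usable with certificate required:", select(SAMPLE_OFFER, True))
```

With a certificate required, the selection is empty for any offer, which is the gap the thread describes.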
