authorDevaev Maxim <[email protected]>2021-02-15 05:35:50 +0300
committerDevaev Maxim <[email protected]>2021-02-15 05:35:50 +0300
commit308832f98679ca74f5d3975357c18c6268d650bd (patch)
tree319b7e98cb59195540c3d7591a210afd85f22bd6
parentdc5a07adb3fc9ba275ff0eee4cafcc49c4425523 (diff)
enbaled x509 vnc by default
-rw-r--r--configs/kvmd/main/v0-hdmi-rpi.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmi-rpi2.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmi-rpi3.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmi-zerow.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmiusb-rpi.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmiusb-rpi2.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmiusb-rpi3.yaml10
-rw-r--r--configs/kvmd/main/v0-hdmiusb-zerow.yaml10
-rw-r--r--configs/kvmd/main/v2-hdmi-rpi3.yaml10
-rw-r--r--configs/kvmd/main/v2-hdmi-rpi4.yaml10
-rw-r--r--configs/kvmd/main/v2-hdmi-zerow.yaml10
-rw-r--r--configs/kvmd/main/v2-hdmiusb-generic.yaml10
-rw-r--r--configs/kvmd/main/v2-hdmiusb-rpi4.yaml10
-rw-r--r--kvmd/apps/__init__.py2
-rw-r--r--web/vnc/index.html10
-rw-r--r--web/vnc/index.pug10
16 files changed, 76 insertions, 76 deletions
diff --git a/configs/kvmd/main/v0-hdmi-rpi.yaml b/configs/kvmd/main/v0-hdmi-rpi.yaml
index 92b21484..a005e824 100644
--- a/configs/kvmd/main/v0-hdmi-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi.yaml
@@ -60,8 +60,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
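Review bot: The newly active `cert:` and `key:` options point at `/etc/kvmd/vnc/ssl/server.crt` and `server.key`, and nothing in this commit creates those files. The scheme in `kvmd/apps/__init__.py` checks both with `valid_abs_file`, so a missing file presumably stops kvmd-vnc from loading its config rather than falling back to an unencrypted listener; confirm that packaging generates the pair before first start and that the key is readable only by the VNC service account. A comment above the block such as `# X.509 pair used only by kvmd-vnc; both files must exist before the service starts` would tell operators what to check. The same applies to the identical hunks in the other twelve `configs/kvmd/main/*.yaml` files.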
diff --git a/configs/kvmd/main/v0-hdmi-rpi2.yaml b/configs/kvmd/main/v0-hdmi-rpi2.yaml
index 62af93f9..4f208ac7 100644
--- a/configs/kvmd/main/v0-hdmi-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi2.yaml
@@ -61,8 +61,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmi-rpi3.yaml b/configs/kvmd/main/v0-hdmi-rpi3.yaml
index 92b21484..a005e824 100644
--- a/configs/kvmd/main/v0-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmi-rpi3.yaml
@@ -60,8 +60,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmi-zerow.yaml b/configs/kvmd/main/v0-hdmi-zerow.yaml
index 9a0275c1..eb589caa 100644
--- a/configs/kvmd/main/v0-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmi-zerow.yaml
@@ -61,8 +61,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi.yaml b/configs/kvmd/main/v0-hdmiusb-rpi.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi.yaml
@@ -72,8 +72,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi2.yaml b/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi2.yaml
@@ -72,8 +72,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-rpi3.yaml b/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-rpi3.yaml
@@ -72,8 +72,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v0-hdmiusb-zerow.yaml b/configs/kvmd/main/v0-hdmiusb-zerow.yaml
index 4e11fb10..215cddd3 100644
--- a/configs/kvmd/main/v0-hdmiusb-zerow.yaml
+++ b/configs/kvmd/main/v0-hdmiusb-zerow.yaml
@@ -72,8 +72,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-rpi3.yaml b/configs/kvmd/main/v2-hdmi-rpi3.yaml
index 7fd4f44d..01f61794 100644
--- a/configs/kvmd/main/v2-hdmi-rpi3.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi3.yaml
@@ -62,8 +62,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-rpi4.yaml b/configs/kvmd/main/v2-hdmi-rpi4.yaml
index ac58879e..5042470c 100644
--- a/configs/kvmd/main/v2-hdmi-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmi-rpi4.yaml
@@ -76,8 +76,8 @@ vnc:
# h264:
# sink: "kvmd::ustreamer::h264"
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmi-zerow.yaml b/configs/kvmd/main/v2-hdmi-zerow.yaml
index bbe83def..cf0fa6f4 100644
--- a/configs/kvmd/main/v2-hdmi-zerow.yaml
+++ b/configs/kvmd/main/v2-hdmi-zerow.yaml
@@ -63,8 +63,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmiusb-generic.yaml b/configs/kvmd/main/v2-hdmiusb-generic.yaml
index b6671df2..8df381b2 100644
--- a/configs/kvmd/main/v2-hdmiusb-generic.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-generic.yaml
@@ -70,8 +70,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/configs/kvmd/main/v2-hdmiusb-rpi4.yaml b/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
index 3f03fb69..8fb78245 100644
--- a/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
+++ b/configs/kvmd/main/v2-hdmiusb-rpi4.yaml
@@ -74,8 +74,8 @@ vnc:
streamer:
unix: /run/kvmd/ustreamer.sock
-# server:
-# tls:
-# x509:
-# cert: /etc/kvmd/nginx/ssl/server.crt
-# key: /etc/kvmd/nginx/ssl/server.key
+ server:
+ tls:
+ x509:
+ cert: /etc/kvmd/vnc/ssl/server.crt
+ key: /etc/kvmd/vnc/ssl/server.key
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index d126a949..557a611a 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -585,7 +585,7 @@ def _get_config_scheme() -> Dict:
"tls": {
"ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")),
- "timeout": Option(5.0, type=valid_float_f01),
+ "timeout": Option(30.0, type=valid_float_f01),
"x509": {
"cert": Option("", type=_make_ifarg(valid_abs_file, "")),
"key": Option("", type=_make_ifarg(valid_abs_file, "")),
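Review bot: With X.509 now enabled in every shipped config, the `ciphers` default on the context line above, `ALL:@SECLEVEL=0`, becomes the cipher policy for certificate-mode connections too. In OpenSSL cipher-list syntax that string selects the lowest security level and also admits anonymous (unauthenticated) suites; it is presumably there for the certificate-less VNC TLS mode, but it weakens the guarantee once a certificate is configured. Consider a stricter default when `x509.cert` is set, or at least a comment on the option saying why level 0 is required. The timeout change from 5.0 to 30.0 also has no why-comment, and a longer handshake window lets unauthenticated peers hold connections open longer. `_get_config_scheme` starts and ends outside this hunk.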
diff --git a/web/vnc/index.html b/web/vnc/index.html
index 1d47d971..d88cabb8 100644
--- a/web/vnc/index.html
+++ b/web/vnc/index.html
@@ -45,13 +45,13 @@
<div class="start"><a style="display:inline-block; margin-top:4px; color:#5c90bc; text-decoration:none" href="/">&nbsp;&nbsp;&larr;&nbsp;&nbsp; [ Pi-KVM Index ]</a>
<hr>
<p class="text">This Pi-KVM device has running <b>kvmd-vnc</b> daemon and provides VNC access to the server.</p>
- <p class="text"><b>WARNING!</b> We strongly don't recommend you to use VNC in untrusted networks.
- The current implementation does not use encryption, and your passwords are transmitted
- over the network in a plain text.
+ <p class="text"><b>WARNING!</b> We strongly don't recommend you to use VNC in untrusted networks without
+ enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text
+ over the network.
</p>
<p class="text">
- Your VNC client must support Tight JPEG compression, password authentication and allow
- connection without encryption. <a href="https://tigervnc.org">TigerVNC</a> is a good choice.
+ Your VNC client must support Tight JPEG compression and password authentication.
+ <a href="https://tigervnc.org">TigerVNC</a> is a good choice.
On Linux, this client will most likely be available for installation from the repository.
It can also be called vncviewer.
</p>
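Review bot: The new warning presents "X.509 or TLS encryption" as equivalent protection, but the two are not the same. If "TLS" here means the certificate-less VNC TLS mode, it protects against passive sniffing only, and X.509 helps against an active interceptor only when the client verifies the server certificate instead of accepting whatever is offered. Suggested wording: `Without X.509 and certificate verification in your VNC client, your password and session can be intercepted on untrusted networks.` The same text is changed in `web/vnc/index.pug`, which looks like the source for this page, so the rewording belongs there as well.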
diff --git a/web/vnc/index.pug b/web/vnc/index.pug
index ab8be68e..fbab5e25 100644
--- a/web/vnc/index.pug
+++ b/web/vnc/index.pug
@@ -9,12 +9,12 @@ block start
p(class="text")
| This Pi-KVM device has running #[b kvmd-vnc] daemon and provides VNC access to the server.
p(class="text")
- | #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks.
- | The current implementation does not use encryption, and your passwords are transmitted
- | over the network in a plain text.
+ | #[b WARNING!] We strongly don't recommend you to use VNC in untrusted networks without
+ | enabled X.509 or TLS encryption. Otherwise your passwords are transmitted in a plain text
+ | over the network.
p(class="text")
- | Your VNC client must support Tight JPEG compression, password authentication and allow
- | connection without encryption. #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
+ | Your VNC client must support Tight JPEG compression and password authentication.
+ | #[a(href="https://tigervnc.org") TigerVNC] is a good choice.
| On Linux, this client will most likely be available for installation from the repository.
| It can also be called vncviewer.
div(id="vnc-text" class="code" style="max-height:200px")