Diffstat (limited to 'kvmd/apps')
-rw-r--r--kvmd/apps/__init__.py3
-rw-r--r--kvmd/apps/vnc/__init__.py1
-rw-r--r--kvmd/apps/vnc/rfb/__init__.py11
-rw-r--r--kvmd/apps/vnc/server.py7
4 files changed, 16 insertions, 6 deletions
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index cef0a6a4..b03b7893 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -698,6 +698,9 @@ def _get_config_scheme() -> Dict:
"enabled": Option(False, type=valid_bool),
"file": Option("/etc/kvmd/vncpasswd", type=valid_abs_file, unpack_as="path"),
},
+ "vencrypt": {
+ "enabled": Option(True, type=valid_bool, unpack_as="vencrypt_enabled"),
+ },
},
},
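Review bot: The new `"vencrypt"` option has no comment saying what an operator gives up by setting it to false, and this is a security-relevant switch. Per the `__handshake_security` hunk in kvmd/apps/vnc/rfb/__init__.py, disabling it stops security type 19 from being advertised, which removes the TLS and X509 subtypes along with it. The only other type visible in that hunk is `None`; anything else offered outside VeNCrypt, such as plain VNCAuth, would presumably also run without transport encryption. I would add a comment above the option, for example `# Disabling VeNCrypt removes every TLS-protected auth type; only for clients that cannot negotiate it, on a trusted network`. The enclosing `_get_config_scheme` starts and ends outside the hunk.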
diff --git a/kvmd/apps/vnc/__init__.py b/kvmd/apps/vnc/__init__.py
index a4d616ee..d7e2c68a 100644
--- a/kvmd/apps/vnc/__init__.py
+++ b/kvmd/apps/vnc/__init__.py
@@ -79,4 +79,5 @@ def main(argv: Optional[List[str]]=None) -> None:
vnc_auth_manager=VncAuthManager(**config.auth.vncauth._unpack()),
**config.server.keepalive._unpack(),
+ **config.auth.vencrypt._unpack(),
).run()
diff --git a/kvmd/apps/vnc/rfb/__init__.py b/kvmd/apps/vnc/rfb/__init__.py
index 0aa13114..102a007d 100644
--- a/kvmd/apps/vnc/rfb/__init__.py
+++ b/kvmd/apps/vnc/rfb/__init__.py
@@ -67,6 +67,7 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
height: int,
name: str,
vnc_passwds: List[str],
+ vencrypt: bool,
none_auth_only: bool,
) -> None:
@@ -81,6 +82,7 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
self._height = height
self.__name = name
self.__vnc_passwds = vnc_passwds
+ self.__vencrypt = vencrypt
self.__none_auth_only = none_auth_only
self.__rfb_version = 0
@@ -229,7 +231,7 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
async def __handshake_security(self) -> None:
sec_types: Dict[int, Tuple[str, Callable]] = {}
- if self.__rfb_version > 3:
+ if self.__vencrypt and self.__rfb_version > 3:
sec_types[19] = ("VeNCrypt", self.__handshake_security_vencrypt)
if self.__none_auth_only:
sec_types[1] = ("None", self.__handshake_security_none)
@@ -276,10 +278,9 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute
auth_types[262] = ("VeNCrypt/X509Plain", 2, self.__handshake_security_vencrypt_userpass)
auth_types[259] = ("VeNCrypt/TLSPlain", 1, self.__handshake_security_vencrypt_userpass)
if self.__vnc_passwds:
- # Vinagre не умеет работать с VNC Auth через VeNCrypt, но это его проблемы,
- # так как он своеобразно трактует рекомендации VeNCrypt.
- # Подробнее: https://bugzilla.redhat.com/show_bug.cgi?id=692048
- # Hint: используйте любой другой нормальный VNC-клиент.
+ # Некоторые клиенты не умеют работать с нешифрованными соединениями внутри VeNCrypt:
+ # - https://github.com/LibVNC/libvncserver/issues/458
+ # - https://bugzilla.redhat.com/show_bug.cgi?id=692048
auth_types[2] = ("VeNCrypt/VNCAuth", 0, self.__handshake_security_vnc_auth)
if self.__tls_ciphers:
if self.__x509_cert_path:
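Review bot: The rewritten comment above `auth_types[2]` says some clients cannot handle unencrypted connections inside VeNCrypt, but the switch this commit adds turns off VeNCrypt as a whole. Those clients therefore also lose `VeNCrypt/TLSPlain`, `VeNCrypt/X509Plain` and whatever is registered under `self.__tls_ciphers` below. The `auth_types[2]` entry is the one registered with 0 as its second field, while the Plain subtypes carry 1 and 2. A narrower option that omits only that entry would keep the encrypted paths on offer, though whether the affected clients then negotiate correctly would need testing. The comment should also name the setting that works around the problem, for example `# Workaround: set auth.vencrypt.enabled to false for such clients`. The enclosing method starts and ends outside the hunk.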
diff --git a/kvmd/apps/vnc/server.py b/kvmd/apps/vnc/server.py
index 64113c11..3d460498 100644
--- a/kvmd/apps/vnc/server.py
+++ b/kvmd/apps/vnc/server.py
@@ -72,7 +72,7 @@ class _SharedParams:
class _Client(RfbClient): # pylint: disable=too-many-instance-attributes
- def __init__( # pylint: disable=too-many-arguments
+ def __init__( # pylint: disable=too-many-arguments,too-many-locals
self,
reader: asyncio.StreamReader,
writer: asyncio.StreamWriter,
@@ -89,6 +89,7 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes
streamers: List[BaseStreamerClient],
vnc_credentials: Dict[str, VncAuthKvmdCredentials],
+ vencrypt: bool,
none_auth_only: bool,
shared_params: _SharedParams,
) -> None:
@@ -103,6 +104,7 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes
x509_cert_path=x509_cert_path,
x509_key_path=x509_key_path,
vnc_passwds=list(vnc_credentials),
+ vencrypt=vencrypt,
none_auth_only=none_auth_only,
**dataclasses.asdict(shared_params),
)
@@ -423,6 +425,8 @@ class VncServer: # pylint: disable=too-many-instance-attributes
x509_cert_path: str,
x509_key_path: str,
+ vencrypt_enabled: bool,
+
desired_fps: int,
keymap_path: str,
@@ -481,6 +485,7 @@ class VncServer: # pylint: disable=too-many-instance-attributes
streamers=streamers,
vnc_credentials=(await self.__vnc_auth_manager.read_credentials())[0],
none_auth_only=none_auth_only,
+ vencrypt=vencrypt_enabled,
shared_params=shared_params,
).run()
except Exception: