Hi,
I'd like to request a new pseudo encoding number be allocated. The encoding
name would be "ClientRedirect" and this encoding would allow the server to
send a framebuffer update message to the client that instructs the client to
disconnect and re-connect on a different port (and possibly different host).
The idea was discussed on the tigervnc-rfbproto list and the following
suggestion was put forth by Daniel Berrange:
Declare the that pseduo encoding's x, y, width & height fields are
unused and should be set to 0. They are then followed by a payload
that looks something like this:
=================== =================== ===================================
No. of bytes Type Description
=================== =================== ===================================
2 U16 *port-number*
4 U32 *hostname-len*
hostname-string U8 array *hostname-string* (UTF8)
4 U32 *x509subject-len*
x509subject-string U8 array *x509subject-string* (UTF8)
=================== =================== ===================================
Passing of a (optional) x509subject-string is an idea I borrow from
SPICE. Normally when connecting to a VNC server that uses x509 certs,
an important security step is to match the x509 hostname field against
the initial hostname that the VNC client was given by the user.
During relocation though, this isn't possible, so instead the relocation
message would include the expected x509 subject string. The client can
then validate that instead of the hostname during relocation. Of course
this string would be empty if x509 was irrelevant for the current security
types.
Apparently QEMU already supports this feature with spice, and I was
looking to do something similar, so it would be nice to get something
standardized before we end up with multiple unofficial protocol
extensions floating around.
Thanks!
-brian
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
I'd like to request a new pseudo encoding number be allocated. The encoding
name would be "ClientRedirect" and this encoding would allow the server to
send a framebuffer update message to the client that instructs the client to
disconnect and re-connect on a different port (and possibly different host).
The idea was discussed on the tigervnc-rfbproto list and the following
suggestion was put forth by Daniel Berrange:
Declare the that pseduo encoding's x, y, width & height fields are
unused and should be set to 0. They are then followed by a payload
that looks something like this:
=================== =================== ===================================
No. of bytes Type Description
=================== =================== ===================================
2 U16 *port-number*
4 U32 *hostname-len*
hostname-string U8 array *hostname-string* (UTF8)
4 U32 *x509subject-len*
x509subject-string U8 array *x509subject-string* (UTF8)
=================== =================== ===================================
Passing of a (optional) x509subject-string is an idea I borrow from
SPICE. Normally when connecting to a VNC server that uses x509 certs,
an important security step is to match the x509 hostname field against
the initial hostname that the VNC client was given by the user.
During relocation though, this isn't possible, so instead the relocation
message would include the expected x509 subject string. The client can
then validate that instead of the hostname during relocation. Of course
this string would be empty if x509 was irrelevant for the current security
types.
Apparently QEMU already supports this feature with spice, and I was
looking to do something similar, so it would be nice to get something
standardized before we end up with multiple unofficial protocol
extensions floating around.
Thanks!
-brian
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list