[winswitch] SSL issue (was HTML Client - howto and problems)

Antoine Martin antoine at nagafix.co.uk
Mon Jun 20 08:39:28 BST 2022


>>> --bind-tcp=0.0.0.0:14500 --html=on should do the trick, correct?
>> The html5 client documentation uses port 10000, which is usually free:
>> https://github.com/Xpra-org/xpra-html5#usage
>>> xpra start --html=on --env=XPRA_VAAPI=0 --env=CUTTER_THRESHOLD=0 :100 
>>> --start=/home/theprogramIstartup
>> "--env=XPRA_VAAPI=0" is also the default.
> 
> SSL issue now....
> 
> Server: 4.3.3 Kubuntu 20.04 XPRA HTML 5.0
> Client: 4.3.3 Kubuntu 20.04 w/FF 100.0
> 
> 
> using:
> 
> xpra start --bind-tcp=0.0.0.0:10000 --html=on 
> --ssl-cert=/etc/xpra/ssl-cert.pem --ssl=on --env=XPRA_VAAPI=0 ....
You're trying to use the SSL certificate which is generated for the 
system-wide proxy service, which runs as root.

Making this certificate world-readable would allow anyone with access to 
the file to decrypt all SSL traffic used by this service.
> FF refuses to connect, doesn't give the option to accept the self-signed 
> cert,
> 
> Check the /var/log....
> 
>   from tcp socket: <socket.socket fd=22, family=AddressFamily.AF_INET, 
> type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.0.z', 10000), 
> raddr=('192.168.0.z', 39584)>
> 2022-06-15 10:36:04,273  no certificate paths specified
> 2022-06-15 10:36:04,273  [Errno 13] Permission denied
> 2022-06-15 10:36:04,281 Error: failed to create SSL socket
> 2022-06-15 10:36:04,281  from tcp socket: <socket.socket fd=22, 
> family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, 
> laddr=('192.168.0.z', 10000), raddr=('192.168.0.z', 39586)>
> 2022-06-15 10:36:04,281  no certificate paths specified
> 2022-06-15 10:36:04,282  [Errno 13] Permission denied
> 
> Ummm, but yes I did spec a path for the cert
Yes, but not a valid one. "Permission denied"

> checking /etc/xpra/
> 
> /etc/xpra$ ls -larth
(..)
> -rw-------   1 root root 5.2K Jul  3  2021 ssl-cert.pem
(..)
> 
> Yes, ssl-cert.pem has a cert in it, not posting it for obvious reasons...
> 
> Should this stuff really be owned by root????????
Yes.

Users should not share SSL certificates. More information here:
https://github.com/Xpra-org/xpra/blob/master/docs/Network/SSL.md

Cheers,
Antoine
> 
> Shrug?????
> 
> 
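The permission failure discussed in this thread can be checked before starting a session. The following is an added example, not part of the original mail or of Xpra's code: `audit_pem` and its finding codes are hypothetical names, and it assumes access is governed by the plain owner/group/other mode bits (ACLs are ignored).

```python
import os
import re
import stat
import sys

# PEM header of a private key (PKCS#8, RSA, EC, encrypted or not).
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def audit_pem(path, uid, gids=()):
    """Return (code, detail) findings for `uid` using `path` as its --ssl-cert.

    Readability is derived from the classic mode bits only; ACLs and
    capabilities are ignored (assumption of this sketch).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != uid:
        findings.append(("not-owner", f"owned by uid {st.st_uid}, session runs as uid {uid}"))
    if uid == 0:
        readable = True  # root bypasses the mode bits for reads
    elif st.st_uid == uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid in gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        # The condition behind "[Errno 13] Permission denied" in the log.
        findings.append(("unreadable", f"mode {mode:04o} denies read to uid {uid}"))
    try:
        with open(path, "rb") as f:
            has_key = bool(PRIVATE_KEY.search(f.read()))
    except PermissionError:
        has_key = None  # this process cannot inspect the contents
    if has_key and mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Loosening the mode to "fix" the error exposes the key instead.
        findings.append(("key-exposed", f"private key in file with mode {mode:04o}"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/xpra/ssl-cert.pem"
    for code, detail in audit_pem(target, os.getuid(), os.getgroups()):
        print(f"{target}: {code}: {detail}")
```

Run as the user who starts the session, the `-rw------- root root` file from the listing reports `not-owner` and `unreadable`; a certificate and key owned by that user with mode 0600 reports nothing.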