Thanks to help from Nitin, I've made a tiny bit of progress with stunnel. I've created the certificates per Nitin's instructions at https://tunnelix.com/securing-mysql-traffic-with-stunnel-in-a-jail-environme... Certificates have permissions 0600.
I want to use a VNC client on Linux to connect to a VNC Server also on Linux. In between these two computers I have a Linux router which routes all requests to port 1914 to port 3389 on the VNC Server.
stunnel on the server is run at the command line by root: 'stunnel /root/stunnel.conf'. Here is my VNC Server computer's stunnel.conf:
foreground = yes
pid = /var/run/stunnel.pid
debug = 7
; output = /root/stunnel.log
output = /dev/stdout

[x11vnc]
accept = 3389
key = /root/privatekey.pem
cert = /root/certificate.pem
connect = 127.0.0.1:5900
stunnel on the client is run by a normal user: 'stunnel $HOME/.stunnel/stunnel.conf'. Below is my client stunnel.conf:
foreground = yes
verify = 2
pid = /home/mfoley/.stunnel/stunnel.pid
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes

[x11vnc]
accept = 5900
connect = mail.ohprs.org:1914
When I run stunnel on the client I get:
2018.03.13 13:21:17 LOG5[ui]: stunnel 5.35 on x86_64-slackware-linux-gnu platform
2018.03.13 13:21:17 LOG5[ui]: Compiled with OpenSSL 1.0.2h 3 May 2016
2018.03.13 13:21:17 LOG5[ui]: Running with OpenSSL 1.0.2n 7 Dec 2017
2018.03.13 13:21:17 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2018.03.13 13:21:17 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.03.13 13:21:17 LOG5[ui]: Reading configuration from file /home/mfoley/.stunnel/stunnel.conf
2018.03.13 13:21:17 LOG5[ui]: UTF-8 byte order mark not detected
2018.03.13 13:21:17 LOG5[ui]: FIPS mode disabled
2018.03.13 13:21:17 LOG4[ui]: Service [x11vnc] uses "verify = 2" without subject checks
2018.03.13 13:21:17 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
2018.03.13 13:21:17 LOG5[ui]: Configuration successful
On the client, I then run tigerVNCViewer connecting to 127.0.0.1::5900. I get the following messages on the client:
2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] accepted connection from 127.0.0.1:35034
2018.03.13 13:22:03 LOG5[0]: s_connect: connected 98.102.63.107:1914
2018.03.13 13:22:03 LOG5[0]: Service [x11vnc] connected remote server from 192.168.0.17:40512
2018.03.13 13:22:03 LOG3[0]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2018.03.13 13:22:03 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Just guessing, but is it failing with the SSLVersion?
Help appreciated. Thanks, Mark
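The OpenSSL error at the end of the client log, SSL23_GET_SERVER_HELLO:unknown protocol, is raised when the bytes that come back in answer to the ClientHello are not a TLS record at all, i.e. whatever answered on the far side of port 1914 was not speaking TLS. The quickest check is to look at what that port actually sends. The Python probe below is an added example, not part of Mark's post and not stunnel's own code: it connects to a host:port, reads whatever the peer sends first and classifies it. A raw VNC server greets with an RFB banner the moment you connect, whereas a TLS server stays silent until it receives a ClientHello, so if the peer is quiet the probe tries a real handshake. The fake server is a constructed stand-in for a raw VNC listener so the script runs offline; mail.ohprs.org and 1914 from the post are only the values you would pass in, and the loopback host and ephemeral port used here are assumptions.

```python
import socket
import ssl
import threading

# Added example, not from the original post or from stunnel. The fake server
# is a constructed stand-in for a raw (non-TLS) VNC listener; the loopback
# host and ephemeral port it uses are assumptions made so this runs offline.

RFB_MAGIC = b"RFB "


def classify_first_bytes(data: bytes) -> str:
    """Say what protocol the first bytes from a peer look like.

    Every TLS message starts with a record header: content type 0x16
    (handshake) or 0x15 (alert), then a 0x03 0x0X protocol version. A raw
    VNC server instead greets with an RFB banner such as b"RFB 003.008\\n".
    """
    if not data:
        return "silent"
    if data.startswith(RFB_MAGIC):
        return "rfb"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "unknown"


def probe(host: str, port: int, timeout: float = 2.0):
    """Connect to host:port and report what is really listening there.

    Returns (kind, detail). A server that speaks first (VNC does) is
    classified from its banner. If the peer stays quiet, as a TLS server
    does while waiting for ClientHello, a handshake is attempted and its
    outcome is reported; nothing is asserted because this is a diagnostic.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""
        if banner:
            return classify_first_bytes(banner), banner
        # Quiet peer: try a real TLS handshake. Certificate verification is
        # disabled on purpose; the only question is whether the port speaks
        # TLS at all, not whether its certificate is trusted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls", tls.version().encode()
        except OSError as exc:  # covers ssl.SSLError, resets and timeouts
            return "not-tls", str(exc).encode()


def start_fake_rfb_server(banner: bytes = b"RFB 003.008\n") -> int:
    """Constructed stand-in for a raw VNC server (no TLS in front of it).

    Sends the RFB banner as soon as a client connects, exactly what a TLS
    client would see if port forwarding delivered it to 5900 directly.
    Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against the real setup you would call probe("mail.ohprs.org", 1914).
    port = start_fake_rfb_server()
    kind, detail = probe("127.0.0.1", port)
    print(kind, detail)  # prints: rfb b'RFB 003.008\n'
```

If the probe reports "rfb" for the forwarded port, the TLS client is reaching a plain VNC listener rather than a stunnel service, which is exactly the situation in which OpenSSL reports an unknown protocol; if it reports "tls", the port is fine and the problem lies elsewhere (certificate trust, for instance, would show up as a different error).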