Can't connect to RealVNC 7.5

[mghadam]

NoVNC can't connect to RealVNC 7.5, and I get the following messages in the console log of the browser.

connecting to ws://localhost:5910/websockify
rfb.js:1355 Server ProtocolVersion: 003.008
rfb.js:2052 Screen: 1920x1080, bpp: 32, depth: 24, bigEndian: 0, trueColor: 255, redMax: 255, greenMax: 255, blueMax: 255, redShift: 16, greenShift: 8, blueShift: 0

then it shows Disconnected message.

On the RealVNC log, I see this error:

 vncserver-x11[16899]: SConnection: Client needs protocol version 3.8

Tested with the last release of novnc 1.4 and the github version. Is this from 256-bit AES encryption that is not supported in novnc?

[samhed]

It is difficult to say, that message in the RealVNC log isn't very helpful. Is there any more info in those logs?

[mghadam]

digging more, I found novnc terminates the connection and logs this error:

Failed when connecting: Unsupported security types (types: 13,5)

so I enabled debugging in realvnc server to find what these security types do.
When connectin to the vnc server using realvnc client, the following information is logged about the cipher suite:

SConnection: Client needs protocol version 5.0
vncserver-x11[208696]: SProtoV5Up: Client supports cipher suite RA4_128 [0x0202]
vncserver-x11[208696]: SProtoV5Up: Client supports cipher suite RA4b_256 [0x0b03]
vncserver-x11[208696]: SProtoV5Up: Client supports cipher suite RA4_256 [0x0303]
vncserver-x11[208696]: SProtoV5Up: Client supports cipher suite RA4ne_128 [0x0204]
vncserver-x11[208696]: SProtoV5Up: Choosing cipher suite RA4_128 [0x0202] (algorithms: RSA-OAEP, ECDHE-Curve25519, SHA-256, AES-GCM-128)

so apparently RA4_128 (algorithms: RSA-OAEP, ECDHE-Curve25519, SHA-256, AES-GCM-128) is not supported by novnc.

I found the following whitepapers on RealVNC website about the details of their security protocols:

https://static.realvnc.com/media/documents/vncconnect-security-whitepaper.pdf
https://static.realvnc.com/media/documents/realvnc-rfb-protocol-security-analysis.pdf

[pdlan]

When a RealVNC client connects to its server, it will select RFB5.0 and then the RA4 security types, of which currently we don't know the details. noVNC only supports RFB3.8, so the server will send another set of security types (in this case RA2 and RA2r). noVNC only supports the RA2ne security type out of the RealVNC ones. So you could simply disable forced encryption on your server, and noVNC should work with it.

[samhed]

Thank you @pdlan.

Does his suggestion work for you @mghadam?

[mghadam]

So you could simply disable forced encryption on your server, and noVNC should work with it.

RealVNC has disabled the "PreferOn" option for encryption in v7 and it can be set to Always on or Always maximum only.

I have downgraded to v6 and am now using novnc with disabled forced encryption in realvnc.

When a RealVNC client connects to its server, it will select RFB5.0 and then the RA4 security types, of which currently we don't know the details. noVNC only supports RFB3.8, so the server will send another set of security types (in this case RA2 and RA2r). noVNC only supports the RA2ne security type out of the RealVNC ones.

just curious, is the details of RA4 that explained in realvnc documentation below not complete?

https://static.realvnc.com/media/documents/realvnc-rfb-protocol-security-analysis.pdf
https://static.realvnc.com/media/documents/vncconnect-security-whitepaper.pdf

[pdlan]

I'm afraid there is no public documentation for RFB version > 3.8. Not only the security types but all the details are unknown now.

[samhed]

That is unfortunate. Doesn't look like there's much we can do from our end then. Closing