Securing websockify better

Websockify version: 0.8.0

Bear with me while I explain this. noNVC is a browser-based, HTML5 VNC client. Being browser-based means it doesn't need to be installed on a user's computer and can run directly in their web browser. Rather than using the VNC protocol directly however, it "wraps" the VNC traffic inside a WebSocket connection.

Websockify is a WebSocket-to-TCP gateway/proxy which runs at the server end of the connection to "unwrap" the WebSocket traffic and send the VNC traffic to/from the VNC server.

The WebSocket traffic needs, in turn, to be wrapped inside an encypted SSL connection to ensure that users' activities can't be monitored by evil dudes.

The SSL code in the abovementioned (and most recent) version of websockify just does a basic SSL connection in Python and makes no attempt to prevent old, insecure or depercated encryption from being used. This is where we step in.

On the server where I have websockify installed, the relevant source code file lives at:

/usr/lib/python2.7/site-packages/websockify-0.8.0-py2.7.egg/websockify/websocket.py

The insecure code begins at line 833 and looks like this:

                retsock = ssl.wrap_socket(
                        sock,
                        server_side=True,
                        certfile=self.cert,
                        keyfile=self.key)

Simply replace it with:

                retsock = ssl.wrap_socket(
                        sock,
                        ciphers="ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384",
                        ssl_version=ssl.PROTOCOL_TLSv1_2,
                        server_side=True,
                        certfile=self.cert,
                        keyfile=self.key)

The above change disables the deprecated SSLv2 and SSLv3 protocols and ensures only TLSv1.2 is used, and limits the encryption cyphers to two which are recent and forward secret.

Restart the websockify proxy after the change.