Hello,

I am implementing TLS support in SPICE, and there are two issues that I'd like to make you aware of before sending the patches.

1) The private key of the server (i.e., qemu-kvm) will be required to be passwordless, because if it is password-protected the password would have to be sent in clear via command line args -- a false security;

2) SPICE supports selective encryption of the different channels (input, output, control channel etc.), but to do this it requires the usage of two ports; since the current Ganeti code supports only one port per instance I'd rather force the user to encrypt all or nothing - as it is in VNC - instead of changing the design of how we actually allocate one port. This can of course be changed later if there is demand for it.

If I see no objections, I'm going to send patches that implement the feature in this way.

Thanks,
Andrea
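
Added example (not part of the original message or of Ganeti's code): since point 1 requires an unencrypted server key, a pre-launch check can confirm that the PEM file carries no passphrase and that file permissions, the only remaining protection, exclude group and other. The helper name `check_spice_key` and the sample keys are constructed for illustration.

```python
import os
import stat
import tempfile

# PEM markers of a passphrase-protected key: the PKCS#8 encrypted header, or the
# traditional OpenSSL "Proc-Type: 4,ENCRYPTED" line inside the PEM block.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def check_spice_key(path):
    """Return a list of problems with a PEM private key file (hypothetical helper)."""
    problems = []
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        problems.append("no PEM private key found")
    elif any(marker in text for marker in ENCRYPTED_MARKERS):
        # The server could only use this key if the passphrase were passed along.
        problems.append("key is passphrase-protected")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is accessible to group/other (mode %o)" % mode)
    return problems


def _write_sample(body, mode):
    """Write a constructed sample key file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


# Constructed samples: only the PEM framing matters, the base64 body is a placeholder.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for body, mode in ((PLAIN_KEY, 0o600), (ENCRYPTED_KEY, 0o600), (PLAIN_KEY, 0o644)):
        sample = _write_sample(body, mode)
        print(oct(mode), check_spice_key(sample))
        os.unlink(sample)
```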
