Copying my comments
(
https://bugzilla.redhat.com/show_bug.cgi?id=790436#c8) here as
requested:
===============================================================================
(In reply to comment #6)
mode='insecure' - don't bother with security
By this, you mean plaintext-only setting, or provide tls if certs/keys are
available?
mode='secure' - use security if tls is available, but fall
back to insecure
What does falling back mean here? Provide both and let client choose or provide
plaintext channel only if tls-port or x509 stuff is not set?
mode='mandatory-secure'
^^^ FWIW, this is what RHEV means by mode='secure'. They _do want_ to enforce
main and input channels to TLS. oVirt's feature of hosts without mandatory TLS
is quite new and clearly not yet stabilized.
Another consideration is that sometimes, you could want some channels to be
mandatory insecure, like display + playback on hosts that do not support
aes-ni.
Given the facts above, I'd propose going with these four modes:
* mode='insecure' - provide plaintext-only (-spice plaintext-channel=...)
* mode='...' - provide both if BOTH x509 stuff is set and TLS port
will get alocated, else provide plaintext-only
* mode='...' - provide both tls and plaintext, error out if x509 stuff is
not set
* mode='secure' - provide TLS channel only, error out if x509 stuff is not set
The secure mode name is chosen with respect to compatibility with RHEV usage
and I didn't manage to name the middle ones sanely. When spice_tls is == 0,
second mode should be default, when spice_tls == 1, third mode should be
default.
minor correction:
(In reply to comment #8)
and I didn't manage to name the middle ones sanely. When
spice_tls is == 0,
second mode should be default, when spice_tls == 1, third mode should be
default.
with spice_tls set to 1, main and inputs channels should default to fourth
mode, the rest to third.
===============================================================================
Keep me in CC please as I'm not subscribed.
David
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24