Description of problem:
I need to use vnc_tls only on some guests, leaving some guests with unsecure vnc. It should really be possible to turn off (or on) tls in XML config, so it could be used only on selected domains.

Version-Release number of selected component (if applicable):
app-emulation/libvirt-1.0.0:0 on gentoo

How reproducible:
Enabling vnc_tls in /etc/libvirt/qemu.conf and placing certificates in the right places makes all vnc servers use tls.

Expected results:
I need some way to disable tls on some clients. It's not configurable using XML => I need to make the whole machine tls/x509 or unsecure.
Yeah certainly this seems useful, at least if only for testing. The bit in qemu_command.c is:

    if (cfg->vncTLS) {
        virBufferAddLit(&opt, ",tls");
        if (cfg->vncTLSx509verify)
            virBufferAsprintf(&opt, ",x509verify=%s", cfg->vncTLSx509certdir);
        else
            virBufferAsprintf(&opt, ",x509=%s", cfg->vncTLSx509certdir);
    }

cfg->vncTLS is /etc/libvirt/qemu.conf vnc_tls
cfg->vncTLSx509verify is /etc/libvirt/qemu.conf vnc_tls_x509_verify
cfg->vncTLSx509certdir is /etc/libvirt/qemu.conf vnc_tls_x509_cert_dir

Maybe this could be new XML:

    <graphics type='vnc'>
      <tls enable='yes' verify='yes' certdir='/path/to/certdir'/>
    </graphics>

That could also be used to disable tls for a one off VM if qemu.conf vnc_tls=1.

Something similar could be done for spice graphics too.

If anyone wants to take a stab, I suggest discussing on libvir-list to finalize the XML first.
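An added sketch, not part of the comment above and not libvirt code: one way the proposed per-domain `<tls>` attributes could override the three qemu.conf settings when the `-vnc` TLS options are built. The struct, enum and function names are hypothetical, the paths are constructed, and rejecting a comma in the certificate directory is an assumption made here because QEMU splits option strings on commas.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tri-state for the proposed per-domain attributes. */
enum tri { TRI_ABSENT, TRI_YES, TRI_NO };

struct host_cfg {            /* qemu.conf defaults */
    int vnc_tls;             /* vnc_tls */
    int verify;              /* vnc_tls_x509_verify */
    const char *certdir;     /* vnc_tls_x509_cert_dir */
};

struct dom_tls {             /* hypothetical parsed <tls .../> element */
    enum tri enable, verify;
    const char *certdir;     /* NULL: inherit the host directory */
};

/* Build the TLS suffix of the -vnc argument. Returns 0, or -1 on rejection. */
int vnc_tls_opts(const struct host_cfg *h, const struct dom_tls *d,
                 char *buf, size_t len)
{
    int tls = d->enable == TRI_ABSENT ? h->vnc_tls : d->enable == TRI_YES;
    int verify = d->verify == TRI_ABSENT ? h->verify : d->verify == TRI_YES;
    const char *dir = d->certdir ? d->certdir : h->certdir;
    int n;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    if (!tls)   /* fail closed: explicit verify/certdir with TLS off is an error */
        return (d->verify == TRI_YES || d->certdir) ? -1 : 0;
    if (!dir || !*dir || strchr(dir, ','))
        return -1;           /* a comma would start another -vnc suboption */
    n = snprintf(buf, len, ",tls,%s=%s", verify ? "x509verify" : "x509", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct host_cfg host = { 1, 1, "/etc/pki/libvirt-vnc" };  /* constructed */
    struct dom_tls off = { TRI_NO, TRI_ABSENT, NULL };
    char buf[128];
    int rc = vnc_tls_opts(&host, &off, buf, sizeof(buf));
    printf("rc=%d opts='%s'\n", rc, buf);
    return 0;
}
```

An absent attribute inherits the host value, so a domain with no `<tls>` element behaves exactly as the existing qemu.conf-only code does.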
See https://bugzilla.redhat.com/show_bug.cgi?id=825939#c3 for an example commit extending the XML format and qemu handling
This issue is now tracked at https://gitlab.com/libvirt/libvirt/-/issues/15