In FIPS mode, the 1024 bit RSA key which is hardcoded in the protocol through SpiceLinkReply::pub_key cannot be created, causing any connection attempt to fail as it's unconditionnally generated. However, when using SASL, we don't need that key. Unfortunately, we don't have way of knowing if the client can use SASL or not before the key is generated and sent. In this series, we introduce the use of a client-side SPICE_COMMON_CAP_AUTH_SASL, which indicates that the client will be able to use SASL authentication if needed, and that it does not need SpiceLinkReply::pub_key to be set in this case. This replaces my previous attempt which was much more invasive, and not much better than this approach. This approach has the drawback that fips mode has to use SASL auth as the 1024 bit RSA keys are disabled in such setups. Christophe _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel