----- Original Message -----
> A client setting this capability indicates to the server that it's able
> to handle SASL authentication, and it also indicates that if SASL is
> to be used for authentication, then it won't expect a valid 'pub_key' field
> in SpiceLinkReply.

sounds good to me. ack

> The reason for making guarantees about not looking at the pub_key field is
> that its presence and size are hardcoded in the protocol, but in some
> hardened setups (using fips mode), generating an RSA 1024 bit key as
> expected is forbidden and fails. With this new capability, the server
> knows the client will be able to handle SASL if needed, and can skip
> the generation of the key altogether. This means that on the setups
> described above, SASL authentication has to be used.
> --- > gtk/spice-channel.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c > index 83c7006..1498162 100644 > --- a/gtk/spice-channel.c > +++ b/gtk/spice-channel.c > @@ -114,6 +114,9 @@ static void spice_channel_init(SpiceChannel *channel) > c->remote_common_caps = g_array_new(FALSE, TRUE, sizeof(guint32)); > spice_channel_set_common_capability(channel, > SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION); > spice_channel_set_common_capability(channel, > SPICE_COMMON_CAP_MINI_HEADER); > +#if HAVE_SASL > + spice_channel_set_common_capability(channel, > SPICE_COMMON_CAP_AUTH_SASL); > +#endif > g_queue_init(&c->xmit_queue); > STATIC_MUTEX_INIT(c->xmit_queue_lock); > } > -- > 1.8.5.3 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > http://lists.freedesktop.org/mailman/listinfo/spice-devel
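
Review bot: the added spice_channel_set_common_capability(channel, SPICE_COMMON_CAP_AUTH_SASL) call in spice_channel_init() makes a promise that this patch does not visibly enforce. Per the commit message, advertising the capability tells the server it may skip generating the RSA key, yet the change is three lines in one file and touches nothing that reads 'pub_key' from SpiceLinkReply. Please confirm, or point to the commit that ensures, that the link-reply path never parses or uses pub_key once SASL is the selected mechanism, and that the client fails the connection cleanly rather than falling back to the RSA-encrypted ticket when the key is absent. A short comment above the call stating the pub_key guarantee would keep later changes from breaking it silently. Separately, #if HAVE_SASL only preprocesses if the macro is undefined or defined to a value; if the build defines it empty this line is an error, so check it against how the build system sets HAVE_SASL.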