1 files changed, 30 insertions, 0 deletions

diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 9dfd97471f..df1749f340 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -192,6 +192,36 @@
 # Empty string is no authentication.
 (vncpasswd '')
 
+# The VNC server can be told to negotiate a TLS session
+# to encryption all traffic, and provide x509 cert to
+# clients enalbing them to verify server identity. The
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
+# all support the VNC extension for TLS used in QEMU. The
+# TightVNC/RealVNC/UltraVNC clients do not.
+#
+# To enable this create x509 certificates / keys in the
+# directory /etc/xen/vnc
+#
+#  ca-cert.pem       - The CA certificate
+#  server-cert.pem   - The Server certificate signed by the CA
+#  server-key.pem    - The server private key
+#
+# and then uncomment this next line
+# (vnc-tls 1)
+
+# The certificate dir can be pointed elsewhere..
+#
+# (vnc-x509-cert-dir /etc/xen/vnc)
+
+# The server can be told to request & validate an x509
+# certificate from the client. Only clients with a cert
+# signed by the trusted CA will be able to connect. This
+# is more secure the password auth alone. Passwd auth can
+# used at the same time if desired. To enable client cert
+# checking uncomment this:
+#
+# (vnc-x509-verify 1)
+
 # The default keymap to use for the VM's virtual keyboard
 # when not specififed in VM's configuration
 #(keymap 'en-us')