I think part of my misunderstanding is that ovirt-websocket-proxy does a few things behind the scene as it is not the source of the initial connection to ovirt. I am going another route. My proxy are servers which get the console.vv file from ovirt when they are alerted someone wants to make a webview to a particular Vm. at that point it requests the console.vv file from ovirt using rest api and then create the websockify process with a random port which they send back to the requesting app via another secure channel. The receiving app then launches a browser tab connecting the web-spice-client to the address of the webproxy and the port. the http connection is encrypted using a letsencrypt certificate and that is working fine. The part I am having difficulties is the connection part between the web proxy and the ovirt host. Ovirt expect it to be encapsulated in TLS/1.2 if I am not mistaken, but can't figure out how to make websockify to use the cafile, ssl-cyphers and the host-subject to do so. I am missing a part which I think should be simple for someone understanding ssl better than I do Thanks