On 10/25/2013 02:31 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
Hello again,

It looks to me that TLS is automatically supported by Keystone
Havana. I performed the following curl call and it seems to indicate
that Keystone is using TLS. Can anyone validate that Keystone Havana
does or does not support TLS?

Yep, but don't take my word for it; read the docs:
https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst#ssl

Thanks,
Mark
root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone# curl -v --insecure
https://15.253.58.165:35357/v2.0/certificates/signing
* About to connect() to 15.253.58.165 port 35357 (#0)
* Trying 15.253.58.165... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone;
[email protected]; CN=Keystone
* start date: 2013-03-15 01:44:55 GMT
* expire date: 2013-03-15 01:44:55 GMT
* common name: Keystone (does not match '15.253.58.165')
* issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack;
OU=Keystone; [email protected]; CN=Self Signed
* SSL certificate verify result: unable to get local issuer
certificate (20), continuing anyway.
> GET /v2.0/certificates/signing HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 15.253.58.165:35357
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Content-Length: 973
< Date: Fri, 25 Oct 2013 18:27:52 GMT
<
* Connection #0 to host 15.253.58.165 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#
*From:* Miller, Mark M (EB SW Cloud - R&D - Corvallis)
*Sent:* Friday, October 25, 2013 8:58 AM
*To:* OpenStack Development Mailing List
*Subject:* [openstack-dev] Keystone TLS Question
Hello,
Is there any direct TLS support by Keystone other than using the
Apache2 front end?
Mark
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
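
A triage sketch for the `curl -v` transcript quoted in the message above, added here as an example and not part of the original thread: it separates "a TLS session was negotiated" from "the server certificate was validated". The function name `triage` and the `SAMPLE` lines (a constructed subset of the quoted output, with wrapped lines joined) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the curl -v lines quoted in the thread.
SAMPLE = """\
* SSL connection using AES256-SHA
* start date: 2013-03-15 01:44:55 GMT
* expire date: 2013-03-15 01:44:55 GMT
* common name: Keystone (does not match '15.253.58.165')
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S GMT"  # date layout used in the quoted output


def triage(curl_verbose):
    """Return (cipher, findings) for one curl -v TLS transcript."""
    def grab(pattern):
        m = re.search(pattern, curl_verbose, re.MULTILINE)
        return m.group(1).strip() if m else None

    findings = []
    cipher = grab(r"^\*\s+SSL connection using (\S+)")
    if cipher is None:
        findings.append("no TLS session was negotiated")

    # With --insecure, curl reports the verification error and carries on.
    verify = grab(r"^\*\s+SSL certificate verify result: (.+?\(\d+\))")
    if verify:
        findings.append("chain not trusted: " + verify)

    if re.search(r"^\*\s+common name: .*\(does not match", curl_verbose, re.MULTILINE):
        findings.append("certificate name does not match the requested host")

    start = grab(r"^\*\s+start date: (.+)$")
    end = grab(r"^\*\s+expire date: (.+)$")
    if start and end:
        if datetime.strptime(end, DATE_FMT) <= datetime.strptime(start, DATE_FMT):
            findings.append("validity window is empty (expire date <= start date)")
    return cipher, findings


if __name__ == "__main__":
    cipher, findings = triage(SAMPLE)
    print("cipher:", cipher)
    for finding in findings:
        print("finding:", finding)
```
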