Dean Troyer wrote:
> On Fri, May 2, 2014 at 2:06 PM, Rob Crittenden <[email protected]> wrote:
>
>> I'm trying to get devstack to the point where it can configure all the services with SSL so it can be part of the acceptance process. This is for client communication, there is no expectation that anyone would deploy native SSL endpoints. For the most part things just work. Most of the issues I've run into are server to server communication relating to passing in the CA certificate path.
>
> FWIW, DevStack has had the ability to do TLS termination using stud for all public API services, long before any of the individual service SSL/TLS configurations were usable. Using an external TLS termination solves the internal communication problem as long as internal services are configured properly. It also more closely matches what I have seen in real-world deployments.

I'm not particularly worried about the endpoints. What I want to test are servers acting as clients and the CLI clients to secure endpoints. I want to ensure that SSL works for those cases where services are running on separate nodes, however they are secured (natively or with a proxy).

> It has been a while since I've tested this and it is likely to need some love. The basic structure, including building a root and intermediate CA to issue certs that look like real-world certs, has been present for almost a year and a half.

I found the basic SSL code in pretty good shape so I suspect that it still works.

rob

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
