Re: [Openstack] Do we need SSL on nova-api ports?

[Dirk-Willem van Gulik]

On 3 May 2011, at 01:34, Eldar Nugaev wrote:

> #1 Replace existed plain http to ssl
> #2 Add additional ports for ssl (save plain http)
> #3 Do nothing

I suggest:

a)      Make SSL only the default (ideally with client cert on as well).

b)      Postulate that one port lower there is an optional HTTP port (OFF, or 
tied to localhost).

        As having those is easy in proxy/behind loadbalancers/behind failover* 
situations.

c)      Postulate a certain header set used in the plain text case to pass on 
the client cert - and use this throughout*.

Thanks,

Dw.

*: Unfortunately - a lot of people follow sites like [1] - and hence end up 
with weird/illegal headers (underscore) such as SSL_CLIENT_S_DN. But then again 
- this is sort of the standard (Oracle, IBM et.al. seem to use some variation 
of WL-Proxy-Client-Cert; with their respective products often worked in the 
name).

1: 
http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
> 
> Eldar
> 
> On Tue, Apr 26, 2011 at 11:27 AM, Dirk-Willem van Gulik
> <dirk-willem.van.gu...@bbc.co.uk> wrote:
>> 
>> On 25 Apr 2011, at 19:47, Kirill Shileev wrote:
>> 
>>> Recently, playing with libcloud against a private openstack installation
>>> we realized that 8773 and 8774 ports listened by openstack-nova-api expect 
>>> plain HTTP.
>>> This is something that is rarely allowed in production installations.
>>> .....
>>> Other option would be making this configurable, although not sure why and 
>>> where the plain HTTP might be justified.
>>> 
>>> Any thoughts, comments?
>> 
>> An important side effect of slapping SSL with client/server certs on pretty 
>> much all connection is that it makes all sort of governance and validation 
>> jobs much easier from an organisational point of view. With more 'reuse' of 
>> existing process and validation.
>> 
>> The attack footprint/exposed estate now splits in three clean realms: 
>> issuing of client cert, security of the TCP and SSL layer - and a specific 
>> model for what happens within that connection. With the latter bound by the 
>> previous two. Furthermore client validation can be done with narly a secret 
>> in sight.
>> 
>> So for those reasons alone - SSLis good.
>> 
>> Dw.
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>> 
>> 
> 
> 
> 
> --
> Eldar
> Skype: eldar.nugaev
> 

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp