Re: [openstack-dev] [tripleo] TLS by default

2018-03-15 Thread Dmitry Tantsur

On 03/15/2018 12:51 AM, Julia Kreger wrote:
> On Wed, Mar 14, 2018 at 4:52 AM, Dmitry Tantsur  wrote:
>> Just to clarify: only for public endpoints, right? I don't think e.g.
>> ironic-python-agent can talk to self-signed certificates yet.
>
> For what it is worth, it is possible for IPA to speak to a self-signed
> certificate, although it requires injecting the signing private CA
> certificate into the ramdisk or iso image that is being used. There
> are a few other options that can be implemented, but those may also
> lower overall security posture.


Yep, that's the problem.

We can quite easily make IPA talk to custom https.

We cannot securely make IPA expose an https endpoint without using virtual media 
(not supported by tripleo, vendor-specific).


We cannot (IIUC) make iPXE use https with custom certificates without rebuilding 
the firmware from source.




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






Re: [openstack-dev] [tripleo] TLS by default

2018-03-14 Thread Julia Kreger
On Wed, Mar 14, 2018 at 4:52 AM, Dmitry Tantsur  wrote:
> Just to clarify: only for public endpoints, right? I don't think e.g.
> ironic-python-agent can talk to self-signed certificates yet.
>
>

For what it is worth, it is possible for IPA to speak to a self-signed
certificate, although it requires injecting the signing private CA
certificate into the ramdisk or iso image that is being used. There
are a few other options that can be implemented, but those may also
lower overall security posture.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
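The "inject the signing CA into the ramdisk" step Julia describes, as an added example that is not code from ironic-python-agent, TripleO or the referenced patches: the Linux initramfs loader unpacks concatenated cpio segments in order, so a small supplementary SVR4 "newc" archive carrying the CA file can be appended to an existing ramdisk without rebuilding it. The destination path (etc/pki/ca-trust/source/anchors/undercloud-ca.crt), the placeholder certificate bytes and the stand-in base ramdisk are assumptions constructed for the example; where a given IPA ramdisk's TLS stack actually reads its trust anchors, and whether it needs a trust-bundle regeneration step (update-ca-trust on a CentOS-based image) before the file is honoured, must be checked against the image in use.

```python
"""Append a private CA certificate to an initramfs as a supplementary cpio archive.

Added example for the thread above; not code from ironic-python-agent or TripleO.
Paths and sample bytes are assumptions.
"""
from typing import Dict, Tuple

NEWC_MAGIC = b"070701"      # SVR4 portable ("newc") cpio, the format initramfs uses
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 hex digits
TRAILER = "TRAILER!!!"      # name of the terminating entry
S_IFDIR, S_IFREG = 0o040000, 0o100000

# Assumed destination; check where the ramdisk's TLS stack reads trust anchors.
CA_DEST = "etc/pki/ca-trust/source/anchors/undercloud-ca.crt"

# Constructed placeholder; a real run reads the signing CA's PEM file instead.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"constructed-placeholder-not-a-real-certificate\n"
                 b"-----END CERTIFICATE-----\n")

Entries = Dict[str, Tuple[int, bytes]]   # name -> (mode, data)


def _pad4(n: int) -> int:
    """Bytes of NUL padding needed to bring n up to a multiple of 4."""
    return (-n) % 4


def _newc_entry(ino: int, name: str, mode: int, data: bytes, mtime: int) -> bytes:
    """Encode one newc entry: header, NUL-terminated name, data, each 4-byte aligned."""
    name_b = name.encode() + b"\0"
    fields = (ino, mode, 0, 0, 1, mtime, len(data),   # ino mode uid gid nlink mtime filesize
              0, 0, 0, 0,                             # devmajor devminor rdevmajor rdevminor
              len(name_b), 0)                         # namesize (incl. NUL), check (unused)
    hdr = NEWC_MAGIC + b"".join(b"%08X" % v for v in fields)
    assert len(hdr) == HEADER_LEN
    out = hdr + name_b
    out += b"\0" * _pad4(len(out))          # name padded relative to header start
    out += data + b"\0" * _pad4(len(data))  # data padded to a 4-byte boundary
    return out


def build_archive(entries: Entries, mtime: int = 0) -> bytes:
    """Pack entries (in insertion order) into a complete newc archive with trailer."""
    blob = b"".join(_newc_entry(i + 1, n, m, d, mtime)
                    for i, (n, (m, d)) in enumerate(entries.items()))
    return blob + _newc_entry(0, TRAILER, 0, b"", 0)


def ca_archive(pem: bytes, dest: str = CA_DEST) -> bytes:
    """Archive holding the CA file plus its parent directories (dirs 0755, file 0644)."""
    entries: Entries = {}
    parts = dest.strip("/").split("/")
    for i in range(1, len(parts)):             # etc, etc/pki, ... (directories first)
        entries["/".join(parts[:i])] = (S_IFDIR | 0o755, b"")
    entries["/".join(parts)] = (S_IFREG | 0o644, pem)
    return build_archive(entries)


def inject_ca(ramdisk: bytes, pem: bytes, dest: str = CA_DEST) -> bytes:
    """Return the ramdisk with the CA archive appended; later segments win for a path."""
    return ramdisk + ca_archive(pem, dest)


def parse_newc(blob: bytes) -> Entries:
    """Decode one or more concatenated (uncompressed) newc archives; later entries win."""
    out: Entries = {}
    off = 0
    while True:
        while off < len(blob) and blob[off] == 0:   # skip inter-archive NUL padding
            off += 1
        if off + HEADER_LEN > len(blob):
            break
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + HEADER_LEN: off + HEADER_LEN + namesize - 1].decode()
        data_off = off + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_off: data_off + size]
        off = data_off + size + _pad4(size)
        if name != TRAILER:
            out[name] = (mode, data)
    return out


if __name__ == "__main__":
    # Constructed stand-in for the original ramdisk (real ones are usually gzip'ed).
    base = build_archive({"etc/hosts": (S_IFREG | 0o644, b"127.0.0.1 localhost\n")})
    patched = inject_ca(base, SAMPLE_CA_PEM)
    for name, (mode, data) in parse_newc(patched).items():
        print("%06o %6d %s" % (mode, len(data), name))
```

For a gzip-compressed ramdisk the supplement can be gzip'ed too and appended (the kernel walks mixed compressed and uncompressed segments the same way, which is how early-microcode cpio images are combined with an initramfs). The parser here only reads uncompressed segments and exists to verify what was written. Note that this only solves IPA as a TLS client; it says nothing about iPXE, which fetches the ramdisk before any of this runs, and the ramdisk itself is still delivered over whatever transport iPXE uses.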


Re: [openstack-dev] [tripleo] TLS by default

2018-03-14 Thread Juan Antonio Osorio
Correct, only public endpoints.

On Wed, Mar 14, 2018 at 1:52 PM, Dmitry Tantsur  wrote:

> Just to clarify: only for public endpoints, right? I don't think e.g.
> ironic-python-agent can talk to self-signed certificates yet.
>
>
> On 03/14/2018 07:03 AM, Juan Antonio Osorio wrote:
>
>> Hello,
>>
>> As part of the proposed changes by the Security Squad [1], we'd like the
>> deployment to use TLS by default.
>>
>> The first target is to get the undercloud to use it, so a patch has been
>> proposed recently [2] [3]. So, just wanted to give a heads up to people.
>>
>> This should be just fine from a quickstart/testing point of view, since
>> we explicitly set the value for autogenerating certificates in the
>> undercloud [4] [5].
>>
>> Note that there are also plans to change these defaults for the
>> containerized undercloud and the overcloud.
>>
>> BR
>>
>> [1] https://etherpad.openstack.org/p/tripleo-security-squad
>> [2] https://review.openstack.org/#/c/552382/
>> [3] https://review.openstack.org/552781
>> [4] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/extras-common/defaults/main.yml#L15
>> [5] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L117
>> --
>> Juan Antonio Osorio R.
>> e-mail: jaosor...@gmail.com 
>>
>>
>>



-- 
Juan Antonio Osorio R.
e-mail: jaosor...@gmail.com


Re: [openstack-dev] [tripleo] TLS by default

2018-03-14 Thread Dmitry Tantsur
Just to clarify: only for public endpoints, right? I don't think e.g. 
ironic-python-agent can talk to self-signed certificates yet.


On 03/14/2018 07:03 AM, Juan Antonio Osorio wrote:
> Hello,
>
> As part of the proposed changes by the Security Squad [1], we'd like the
> deployment to use TLS by default.
>
> The first target is to get the undercloud to use it, so a patch has been
> proposed recently [2] [3]. So, just wanted to give a heads up to people.
>
> This should be just fine from a quickstart/testing point of view, since we
> explicitly set the value for autogenerating certificates in the undercloud [4] [5].
>
> Note that there are also plans to change these defaults for the containerized
> undercloud and the overcloud.
>
> BR
>
> [1] https://etherpad.openstack.org/p/tripleo-security-squad
> [2] https://review.openstack.org/#/c/552382/
> [3] https://review.openstack.org/552781
> [4] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/extras-common/defaults/main.yml#L15
> [5] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L117
>
> --
> Juan Antonio Osorio R.
> e-mail: jaosor...@gmail.com






[openstack-dev] [tripleo] TLS by default

2018-03-14 Thread Juan Antonio Osorio
Hello,

As part of the proposed changes by the Security Squad [1], we'd like the
deployment to use TLS by default.

The first target is to get the undercloud to use it, so a patch has been
proposed recently [2] [3]. So, just wanted to give a heads up to people.

This should be just fine from a quickstart/testing point of view, since we
explicitly set the value for autogenerating certificates in the undercloud
[4] [5].

Note that there are also plans to change these defaults for the
containerized undercloud and the overcloud.

BR

[1] https://etherpad.openstack.org/p/tripleo-security-squad
[2] https://review.openstack.org/#/c/552382/
[3] https://review.openstack.org/552781
[4] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/extras-common/defaults/main.yml#L15
[5] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L117
-- 
Juan Antonio Osorio R.
e-mail: jaosor...@gmail.com
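What the "autogenerating certificates in the undercloud" setting referred to in [4] and [5] looks like in undercloud.conf, as an added illustration that is not text from the referenced patches or templates. The option names are the ones I recall from undercloud.conf of that era (undercloud_service_certificate, generate_service_certificate, certificate_generation_ca); the file paths are assumptions. Verify both against undercloud.conf.sample for the release you deploy.

```ini
[DEFAULT]
# Weak: no service certificate configured at all, so the undercloud's public
# endpoints are served over plain HTTP. Leaving both options unset was the
# default the thread proposes to change.
#undercloud_service_certificate =
#generate_service_certificate = false

# Corrected, option A: have the undercloud mint its own certificate from a local
# CA (certmonger). This is the autogeneration that quickstart enables explicitly
# per [4]/[5]. Every client of the public endpoints (the deployment host,
# ironic-python-agent ramdisks, overcloud nodes) then has to trust that local
# CA's certificate, which is the distribution problem discussed in the thread.
generate_service_certificate = true
certificate_generation_ca = local

# Corrected, option B: supply a certificate issued by a CA your clients already
# trust (one PEM with the full chain plus the private key; path is an assumption).
#undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem
#generate_service_certificate = false
```

With option A the CA certificate that clients need is the certmonger local CA's own certificate, which, if I recall the TripleO docs correctly, ends up under /etc/pki/ca-trust/source/anchors/ on the undercloud as cm-local-ca.pem; that is the file to ship to ramdisks and overcloud nodes. Option B avoids the distribution step only if the issuing CA is already in the clients' trust stores.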