[openstack-dev] [OSSG] SSL Review
Paul McMillan
paul.mcmillan at nebula.com
Tue Oct 30 17:38:33 UTC 2012
comments inline
________________________________________
From: Clark, Robert Graham [robert.clark at hp.com]
> Fundamental:
> * SSLv3 TLSv1 Minimum
None of the clients which use httplib2 can support TLSv1 without the SSLv23 handshake. Fixing this requires monkeypatching httplib2. Requests does support pure TLSv1 connections.
> Standard:
> * Revocation information is checked (CRL/OCSP)
I believe none of the clients support this. Revocation checking is pretty worthless if you don't enforce a fail-safe operation mode. It's also a bit tricky, since you have to get caching right so you're not making twice as much OCSP traffic as real traffic. I'd put it as a nice-to-have, but wouldn't suggest that the effort-to-reward ratio would make it worth prioritizing over other things.
-Paul
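The first point above, enforcing a TLS floor on the client side rather than accepting whatever an SSLv23-style handshake negotiates, as an added example that is not from the original post or from any OpenStack client. It uses only the Python standard library (ssl.TLSVersion, Python 3.7+) and defaults the floor to TLS 1.2, a stricter value than the TLSv1 minimum the 2012 thread discusses; the audit helper and the "legacy" context are constructed for illustration, and "example.com" is a placeholder host.

```python
import http.client
import ssl


def make_strict_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client SSLContext that verifies the peer and refuses anything below min_version.

    create_default_context() already loads the system CA store and turns on
    certificate plus hostname verification; we only tighten the version floor.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    return ctx


def make_legacy_context():
    """The permissive shape of an SSLv23-style client: no version floor and no
    peer verification. Constructed here only as the negative case for the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_is_strict(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """True only if ctx verifies the peer and cannot negotiate below floor."""
    floor_ok = (ctx.minimum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED
                or ctx.minimum_version >= floor)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname and floor_ok


def negotiated_version(host, port=443, ctx=None, timeout=10):
    """Connect and report the protocol version actually negotiated.

    A server offering only versions below ctx.minimum_version makes the
    handshake raise ssl.SSLError instead of silently downgrading.
    """
    ctx = ctx or make_strict_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.connect()
        return conn.sock.version()  # e.g. "TLSv1.3"
    finally:
        conn.close()


if __name__ == "__main__":
    # Network call against a placeholder host (not from the post).
    print(negotiated_version("example.com"))
```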