[openstack-dev] [Neutron][LBaaS] SSL Termination write-up

Stephen Gran stephen.gran at theguardian.com
Wed Nov 20 08:14:48 UTC 2013

On 19/11/13 16:33, Clint Byrum wrote:
> Excerpts from Vijay Venkatachalam's message of 2013-11-19 05:48:43 -0800:
>> Hi Sam, Eugene,&  Avishay, etal,
>>                  Today I spent some time to create a write-up for SSL Termination not exactly design doc. Please share your comments!
>> https://docs.google.com/document/d/1tFOrIa10lKr0xQyLVGsVfXr29NQBq2nYTvMkMJ_inbo/edit
>> Would like comments/discussion especially on the following note:
>> SSL Termination requires certificate management. The ideal way is to handle this via an independent IAM service. This would take time to implement so the thought was to add the certificate details in VIP resource and send them directly to device. Basically don't store the certificate key in the DB there by avoiding security concerns of maintaining certificates in controller.

I don't see why it does.  Nothing in openstack needs to trust 
user-uploaded certs.  Just storing them as independent certificate 
objects that can be referenced by N VIPs makes sense to me.

If the backend is SSL, I would think you could do one of:
a) upload client certs
b) upload CA that has signed backend certs
c) opt to disable cert checking for backends

With the default being c).

Stephen Gran
Senior Systems Integrator - theguardian.com
Please consider the environment before printing this email.
Visit theguardian.com   

On your mobile, download the Guardian iPhone app theguardian.com/iphone and our iPad edition theguardian.com/iPad   
Save up to 33% by subscribing to the Guardian and Observer - choose the papers you want and get full digital access.
Visit subscribe.theguardian.com

This e-mail and all attachments are confidential and may also
be privileged. If you are not the named recipient, please notify
the sender and delete the e-mail and all attachments immediately.
Do not disclose the contents to another person. You may not use
the information for any purpose, or store, or copy, it in any way.
Guardian News & Media Limited is not liable for any computer
viruses or other material transmitted with or as part of this
e-mail. You should employ virus checking software.
Guardian News & Media Limited
A member of Guardian Media Group plc
Registered Office
PO Box 68164
Kings Place
90 York Way
Registered in England Number 908396


More information about the OpenStack-dev mailing list