[openstack-dev] Keystone TLS Question

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Fri Oct 25 18:31:09 UTC 2013


Hello again,

It looks to me that TLS is automatically supported by Keystone Havana. I performed the following curl call and it seems to indicate that Keystone is using TLS. Can anyone validate that Keystone Havana does or does not support TLS?

Thanks,

Mark

root at build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone# curl -v --insecure https://15.253.58.165:35357/v2.0/certificates/signing

* About to connect() to 15.253.58.165 port 35357 (#0)
*   Trying 15.253.58.165... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keystone at openstack.org; CN=Keystone
*        start date: 2013-03-15 01:44:55 GMT
*        expire date: 2013-03-15 01:44:55 GMT
*        common name: Keystone (does not match '15.253.58.165')
*        issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keystone at openstack.org; CN=Self Signed
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /v2.0/certificates/signing HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 15.253.58.165:35357
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Content-Length: 973
< Date: Fri, 25 Oct 2013 18:27:52 GMT
<
-----BEGIN CERTIFICATE-----
MIICoDCCAgkCAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
…
3S9E696tVhWqc+HAW91KgZcIwAgQrxWeC0x5O76Q3MGrxvWwyMHPlsxyL4H67AnI
wq8zJxOFtzvP8rVWrQ3PnzBozXKuU3VLPqAsDI4nDxjqFpVf3LYCFDRueS2EI5xc
5/rt9g==
-----END CERTIFICATE-----
* Connection #0 to host 15.253.58.165 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
root at build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#




From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, October 25, 2013 8:58 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] Keystone TLS Question

Hello,

Is there any direct TLS support by Keystone other than using the Apache2 front end?

Mark
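
Added example (not part of the original post, and not Keystone code): a small Python check that reads a curl -v trace like the one above and reports what it says about the TLS session, since --insecure lets the request continue despite certificate problems. The function name, the finding labels, the reference time passed in, and the assumption that the trace uses the line formats seen in this post are all choices of this example.

```python
import re
from datetime import datetime

# Date format as printed in the trace in the post (assumed stable for this example).
FMT = "%Y-%m-%d %H:%M:%S GMT"

# Constructed sample: lines copied from the curl -v trace in the post.
SAMPLE = """\
* SSL connection using AES256-SHA
*        start date: 2013-03-15 01:44:55 GMT
*        expire date: 2013-03-15 01:44:55 GMT
*        common name: Keystone (does not match '15.253.58.165')
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

def audit_curl_trace(trace, now):
    """Return a list of finding labels for one curl -v trace.

    `now` is a naive UTC datetime used as the reference time for expiry.
    """
    cipher = re.search(r"SSL connection using (\S+)", trace)
    if not cipher:
        return ["no-tls-handshake"]
    findings = ["tls-negotiated:" + cipher.group(1)]

    # With --insecure, curl logs the verification failure and carries on.
    verify = re.search(r"SSL certificate verify result: (.+?) \((\d+)\)", trace)
    if verify:
        findings.append("chain-untrusted:" + verify.group(2))

    # curl annotates the common name when it differs from the requested host.
    if re.search(r"common name: .*\(does not match ", trace):
        findings.append("hostname-mismatch")

    start = re.search(r"start date: (.+)", trace)
    end = re.search(r"expire date: (.+)", trace)
    if start and end:
        not_before = datetime.strptime(start.group(1).strip(), FMT)
        not_after = datetime.strptime(end.group(1).strip(), FMT)
        if not_after <= not_before:
            findings.append("empty-validity-window")
        if not_after < now:
            findings.append("expired")
    return findings

if __name__ == "__main__":
    # Reference time taken from the Date header of the response in the post.
    for finding in audit_curl_trace(SAMPLE, datetime(2013, 10, 25, 18, 27, 52)):
        print(finding)
```

Run against the trace in the post, it reports that a TLS session was negotiated but that the certificate is untrusted, does not match the host, and has identical start and expire dates.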