<div dir="ltr">Evgeny--<div><br></div><div>Two minor nits:</div><div><br></div><div>* Your spec lists the new SNI related settings 'sni_list' (and it contains more than just IDs, so calling it '<span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px">sni_container_ids_list' is misleading). Please be precise in the terms you use, and don't switch them mid discussion. :)</span></div>

<div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px">* Also, I personally really hate long table names when they're unnecessary. "</span><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px">vipsniassociations" isn't mentioned in your spec anywhere, and frankly, is a lot worse than "sni_list." I personally prefer "SNIPolicies", but I'm also OK with a short name like "sni_list".</span></div>

<div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px"><br></span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px">Otherwise I agree with you on all points.</span></div>

<div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px"><br></span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px">Stephen</span></div>

<div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px"><br></span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px"><br>

</span></div><div><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.399999618530273px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 24, 2014 at 3:26 AM, Evgeny Fedoruk <span dir="ltr"><<a href="mailto:EvgenyF@radware.com" target="_blank">EvgenyF@radware.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div lang="EN-US" link="blue" vlink="purple">

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Vijay, there is no intension for a new TLS settings API.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Creation of a listener with TLS offloading will be one-step.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">When tenant creates listener with TERMINATED-HTTPS protocol he must supply default_tls_container_id for offloading.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Not supplying default TLS container id for offloading for TERMINATED-HTTPS listener will raise an error.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">SNI list may or may not be supplied by the tenant. Default value for SNI certificates list is an empty list.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">So listener resource will have another two attributes: default_tls_container_id and sni_container_ids_list. These are relevant for TERMINATED-HTTPS protocol

 listeners only. In other cases its default value are ‘None’ and empty list.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In schema, Default_tls_container_id will be added to listener object as another column.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Sni_container_ids_list wil be managed by new table “vipsniassociations” which has listener_id, container_id, and position (for ordering) columns<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Does it make sense?<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Evg<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<div>

<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Vijay Venkatachalam [mailto:<a href="mailto:Vijay.Venkatachalam@citrix.com" target="_blank">Vijay.Venkatachalam@citrix.com</a>]

<br>

<b>Sent:</b> Tuesday, June 24, 2014 12:31 PM</span></p><div><div class="h5"><br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></div></div><p></p>

</div>

</div><div><div class="h5">

<p class="MsoNormal"><u></u> <u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">To clarify, the request is for a new TLS settings API with “default_tls_container_id” & “sni_list”.  <u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">               

<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If there is a new API, then we would have an object model reflecting this as a separate entity.

<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The tenant would do the following<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Create a listener with TERMINATED_HTTPS

<u></u><u></u></span></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Set the TLS settings for the listener using /v2.0/listener/<listenerid>/tlssettings  (if at all we are having some default values this can be reflected here)<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The only good thing is the separation of the TLS settings out of the listener API.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">But, I can see 2 downsides

<u></u><u></u></span></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The loadbalancer creation is a 2 step procedure

<u></u><u></u></span></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We cannot enforce certificate attachment as part of the create of listener.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If the new API itself has “-1”s then I am perfectly OK with the current object model with default_tls_container_id in listener table.<u></u><u></u></span></p>

<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Vijay V.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">

<div>

<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Evgeny Fedoruk [<a href="mailto:EvgenyF@Radware.com" target="_blank">mailto:EvgenyF@Radware.com</a>]

<br>

<b>Sent:</b> Tuesday, June 24, 2014 2:19 PM<br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";color:#008800;background:#ddffdd">Vipsniassociations table:

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Line 147 in last patch of the document<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<div>

<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Vijay Venkatachalam [<a href="mailto:Vijay.Venkatachalam@citrix.com" target="_blank">mailto:Vijay.Venkatachalam@citrix.com</a>]

<br>

<b>Sent:</b> Tuesday, June 24, 2014 10:17 AM<br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">>>SNI list is managed by separate entity<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What is this entity?<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">

<div>

<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Evgeny Fedoruk [<a href="mailto:EvgenyF@Radware.com" target="_blank">mailto:EvgenyF@Radware.com</a>]

<br>

<b>Sent:</b> Tuesday, June 24, 2014 12:25 PM<br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">+1 for option 1. SNI list is managed by separate entity, default TLS container is part of a listener object. It will have None value when listener does not

 offloads TLS.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Managing another entity for 1:0-1 relationship just for future use seems not right to me. Breaking TLS settings apart from listener can be done when needed,

 if needed.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Evg<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Stephen Balukoff [<a href="mailto:sbalukoff@bluebox.net" target="_blank">mailto:sbalukoff@bluebox.net</a>]

<br>

<b>Sent:</b> Tuesday, June 24, 2014 4:26 AM<br>

<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>

<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></span></p>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal">Ok, so we've got opinions on both sides of the argument here. I'm actually pretty ambivalent about it. Do others have strong opinions on this?<u></u><u></u></p>

</div>

<div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>

<div>

<p class="MsoNormal">On Mon, Jun 23, 2014 at 6:03 PM, Doug Wiegley <<a href="mailto:dougw@a10networks.com" target="_blank">dougw@a10networks.com</a>> wrote:<u></u><u></u></p>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Put me down for being in favor of option 1.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">A single attribute in a 1:1 relationship?  Putting that in a new table sounds like premature optimization to me; design the database change for the future feature

 when you can see the spec for it.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Thanks,<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Doug<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">From:

</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Stephen Balukoff <<a href="mailto:sbalukoff@bluebox.net" target="_blank">sbalukoff@bluebox.net</a>><br>

<b>Reply-To: </b>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>

<b>Date: </b>Monday, June 23, 2014 at 5:25 PM<br>

<b>To: </b>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>

<b>Subject: </b>Re: [openstack-dev] [Neutron][LBaaS] Should TLS settings for listener be set through separate API/model?<u></u><u></u></span></p>

</div>

<div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Also to add to pros for 2:

<u></u><u></u></span></p>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">* Keeping the TLS stuff contained to its own objects means we can have separate development resources on each and not worry as much about overlapping domains.

 (TLS-related knowledge and knowledge of dealing with TCP / UDP listeners are separate knowledge domains. Or at least, the former is a more specialized subset of the latter.)<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Note that what we're proposing means there's essentially a 1:0-1 relationship between Listener and this new yet-to-be-named object. (0 in case the Listener is

 not terminating TLS.)<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Stephen<u></u><u></u></span></p>

</div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">On Mon, Jun 23, 2014 at 3:38 PM, Brandon Logan <<a href="mailto:brandon.logan@rackspace.com" target="_blank">brandon.logan@rackspace.com</a>> wrote:<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Whoops, [Neutron][LBaaS] got taken out of the subject line here.<br>

Putting it back in.<u></u><u></u></span></p>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><br>

On Mon, 2014-06-23 at 21:10 +0000, Brandon Logan wrote:<br>

> Okay so we've talked a bit about this in IRC and now I'm sending this<br>

> out as an update.  Here are the options with pros and cons that have<br>

> come from that discussion.<br>

><br>

> 1) default_certificate_id is an attribute of the Listener object.<br>

><br>

> Pros:<br>

> -No extra entity needed<br>

><br>

> Cons:<br>

> -May bloat Listener object when more attributes are needed for only TLS<br>

> termination.  Sounds like TLS version and cipher selection will be<br>

> needed attributes in the future.<br>

><br>

><br>

> 2) A separate TLS Entity is created that is referenced by the Listener<br>

> object.  This entity at first may only contain a certificate_id that<br>

> references barbican.  Name and description can be allowed as well.<br>

><br>

> Pros:<br>

> -TLS domain specific attributes contained in its own entity<br>

> -Future attributes would just be added to this entity and not bloat the<br>

> Listener object.<br>

><br>

> Cons:<br>

> -It's another entity<br>

><br>

> In IRC we (sbalukoff, myself) seemed to agree option 2 is right way to<br>

> go.  Anyone agree or disagree?<br>

><br>

> Thanks,<br>

> Brandon<br>

><br>

> On Mon, 2014-06-23 at 12:15 -0700, Stephen Balukoff wrote:<br>

> > The separate entity makes sense for certificates participating in an<br>

> > SNI configuration, but probably not so much for the 'default'<br>

> > certificate used when TLS is being terminated.<br>

> ><br>

> ><br>

> > Vijay: You're also right that other TLS-related attributes will<br>

> > probably get added to the Listener object. This probably makes sense<br>

> > if they apply to the Listener object as a whole. (This includes things<br>

> > like TLS version and cipher selection.)<br>

> ><br>

> ><br>

> > I don't see much of a point in creating a separate object to contain<br>

> > these fields, since it would have a 1:1 relationship with the<br>

> > Listener. It's true that for non-TLS-terminated Listeners, these<br>

> > fields wouldn't be used, but isn't that already the case in many other<br>

> > objects (not just in the Neutron LBaaS sub project)?<br>

> ><br>

> ><br>

> > Thanks,<br>

> > Stephen<br>

> ><br>

> ><br>

> ><br>

> ><br>

> ><br>

> ><br>

> > On Mon, Jun 23, 2014 at 9:54 AM, Brandon Logan<br>

> > <<a href="mailto:brandon.logan@rackspace.com" target="_blank">brandon.logan@rackspace.com</a>> wrote:<br>

> >         Vijay,<br>

> >         I think the separate entity is still going to happen.  I don't<br>

> >         think it<br>

> >         has remvoed.  Or that is may just be my assumption.<br>

> ><br>

> >         Thanks,<br>

> >         Brandon<br>

> ><br>

> >         On Mon, 2014-06-23 at 15:59 +0000, Vijay Venkatachalam wrote:<br>

> >         > Hi:<br>

> >         ><br>

> >         ><br>

> >         > In the “LBaaS TLS termination capability specification”<br>

> >         proposal<br>

> >         ><br>

> >         > <a href="https://review.openstack.org/#/c/98640/" target="_blank">https://review.openstack.org/#/c/98640/</a><br>

> >         ><br>

> >         > TLS settings like default certificate container id and SNI<br>

> >         cert list are part of the listener properties.<br>

> >         ><br>

> >         > I think it is better to have this as a separate entity so<br>

> >         that the listener properties are clean and is not “corrupted”<br>

> >         with TLS settings.<br>

> >         ><br>

> >         > I liked the original SSL proposal better where TLS settings<br>

> >         was a separate entity.<br>

> >         ><br>

> >         > It is just 2 properties now but in future the TLS settings<br>

> >         would grow and if we are going to introduce a TLS<br>

> >         profile/params/settings entity later, it is better to do it<br>

> >         now (albeit with min properties).<br>

> >         ><br>

> >         > Thanks,<br>

> >         > Vijay V.<br>

> ><br>

> >         > _______________________________________________<br>

> >         > OpenStack-dev mailing list<br>

> >         > <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">

OpenStack-dev@lists.openstack.org</a><br>

> >         ><br>

> >         <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

> ><br>

> >         _______________________________________________<br>

> >         OpenStack-dev mailing list<br>

> >         <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

> >         <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

> ><br>

> ><br>

> ><br>

> ><br>

> > --<br>

> > Stephen Balukoff<br>

> > Blue Box Group, LLC<br>

> > <a href="tel:%28800%29613-4305%20x807" target="_blank">(800)613-4305 x807</a><br>

> > _______________________________________________<br>

> > OpenStack-dev mailing list<br>

> > <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

><br>

> _______________________________________________<br>

> OpenStack-dev mailing list<br>

> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

<br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></span></p>

</div>

</div>

</div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><br>

<br clear="all">

<u></u><u></u></span></p>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>

</div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">--

<br>

Stephen Balukoff <br>

Blue Box Group, LLC <br>

<a href="tel:%28800%29613-4305%20x807" target="_blank">(800)613-4305 x807</a> <u></u>

<u></u></span></p>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>

</div>

<p class="MsoNormal"><br>

<br clear="all">

<u></u><u></u></p>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

<p class="MsoNormal">-- <br>

Stephen Balukoff <br>

Blue Box Group, LLC <br>

<a href="tel:%28800%29613-4305%20x807" value="+18006134305" target="_blank">(800)613-4305 x807</a> <u></u><u></u></p>

</div>

</div>

</div>

</div></div></div>

</div>

<br>_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><span></span>Stephen Balukoff

<br>Blue Box Group, LLC

<br>(800)613-4305 x807

</div>