<div dir="ltr">Ok, folks!<div><br></div><div>Per the IRC meeting this morning, we came to the following consensus regarding how TLS certificates are handled, how SAN is handled, and how hostname conflict resolution is handled. I will be responding to all three of the currently ongoing mailing list discussions with this info:</div>
<div><br></div><div><ul><li><span style="color:rgb(0,0,0);white-space:pre-wrap">Driver does not have to use SAN that is passed from API layer, but SAN will be available to drivers at the API layer. This will be mentioned explicitly in the spec.</span><br>
</li><li><font color="#000000"><span style="white-space:pre-wrap">Order is a mandatory attribute. It's intended to be used as a "hint" for hostname conflict resolution, but it's ultimately up to the driver to decide how to resolve the conflict. (In other words, although it is a mandatory attribute in our model, drivers are free to ignore it.)</span></font><br>
</li><li><font color="#000000"><span style="white-space:pre-wrap">Drivers are allowed to vary their behavior when choosing how to implement hostname conflict resolution since there is no single algorithm here that all vendors are able to support. (This is anticipated to be a rare edge case anyway.)</span></font></li>
</ul></div><div>I think Evgeny will be updating the specs to reflect this decision so that it is documented-- we hope to get ultimate approval of the spec in the next day or two.</div><div><br></div><div>Thanks,</div><div>
Stephen</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 16, 2014 at 7:26 PM, Stephen Balukoff <span dir="ltr"><<a href="mailto:sbalukoff@bluebox.net" target="_blank">sbalukoff@bluebox.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Vijay,<div><br></div><div class="gmail_extra"><div class=""><br><br><div class="gmail_quote">On Wed, Jul 16, 2014 at 9:07 AM, Vijay Venkatachalam <span dir="ltr"><<a href="mailto:Vijay.Venkatachalam@citrix.com" target="_blank">Vijay.Venkatachalam@citrix.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do you know if the SSL/SNI IETF spec details about conflict resolution. I am assuming not.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Because of this ambiguity each backend employs its own mechanism to resolve conflicts.
<u></u><u></u></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There are 3 choices now<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The LBaaS extension does not allow conflicting certificates to be bound using validation<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Allow each backend conflict resolution mechanism to get into the spec<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">3.</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Does not specify anything in the spec, no mechanism introduced and let the driver deal with it.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Both HA proxy and Radware uses configuration as a mechanism to resolve. Radware uses order while HA Proxy uses externally specified DNS names.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">NetScaler implementation uses the best possible match algorithm
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For ex, let’s say
</span><span lang="EN-AU" style="color:#1f497d">3 certs are bound to the same endpoint with the following SNs</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><a href="http://www.finance.abc.com" target="_blank">www.finance.abc.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">*.<a href="http://finance.abc.com" target="_blank">finance.abc.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">*.*.<a href="http://abc.com" target="_blank">abc.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">If the host request is <a href="http://payroll.finance.abc.com" target="_blank">payroll.finance.abc.com</a> we shall use *.<a href="http://finance.abc.com" target="_blank">finance.abc.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">If it is <a href="http://payroll.engg.abc.com" target="_blank">payroll.engg.abc.com</a> we shall use *.*.<a href="http://abc.com" target="_blank">abc.com</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">NetScaler won’t not allow 2 certs to have the same SN.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <br></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div><span><font color="#888888">
</font></span></div>
</div>
</div>
</div>
</blockquote></div><div><br></div></div><div>Did you mean "CN" as in "Common Name" above?</div><div><br></div><div>In any case, it sounds like:</div><div><br></div><div>1. Conflicts are going to be relatively rare in any case</div>
<div>2. Conflict resolution as such can probably be left to the vendor. Since the Neutron LBaaS reference implementation uses HAProxy, it seems logical that this should be considered "normal" behavior for the Neutron LBaaS service-- though again the slight variations in vendor implementations for conflict resolution are unlikely to cause serious issues for most users.</div>
<div><br></div><div>If NetScaler runs into a situation where the SCN of a cert conflicts with the SCN or SAN of another cert, then perhaps they can return an 'UnsupportedConfigruation' error or whatnot? (I believe we're trying to get the ability to return such errors with the flavor framework, correct?)</div>
<div><br></div><div>In any case, is there any reason to delay going forward with a model and code that:</div><div>A. Uses an 'order' attribute on the SNI-related objects to resolve name conflicts.</div><div>B. Includes a ubiquitous library for extracting SCN and SAN that any driver may use if they don't use the 'order' attribute?</div>
<div><br></div><div>Thanks,</div><div>Stephen</div><div class=""><div><br></div><div><br></div>-- <br><span></span>Stephen Balukoff
<br>Blue Box Group, LLC
<br><a href="tel:%28800%29613-4305%20x807" value="+18006134305" target="_blank">(800)613-4305 x807</a>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><span></span>Stephen Balukoff
<br>Blue Box Group, LLC
<br>(800)613-4305 x807
</div>