[Openstack-security] SSL proxies vs. native SSL support

Nathan Kinder nkinder at redhat.com
Tue Mar 25 21:29:22 UTC 2014


Hi,

The Security Guide currently recommends that SSL/TLS be used to protect
the API endpoints (as it should).  We specifically mention that SSL
proxies should be used for this, as opposed to configuring SSL natively
in the services themselves:


http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html

Is there any particular reason why we don't recommend configuring
SSL/TLS natively in the services?  It seems like that would be an ideal
approach, as it eliminates the need for running proxies.  It also keeps
access to the unencrypted traffic closer to the actual services that
need to access it, which is better from a security standpoint.

I'm not sure that all of the integrated projects actually have working
native SSL/TLS support, but I know that a number of them claim to have
support.  Shouldn't native support be the preferred recommendation from
a security standpoint?

Thanks,
-NGK



