[Openstack-security] SSL proxies vs. native SSL support
Rob Crittenden
rcritten at redhat.com
Wed Mar 26 13:18:05 UTC 2014
Nathanael Burton wrote:
> +1 to what Bryan said. I prefer to do SSL/TLS in things like Apache,
> nginx, etc because they typically pay much closer attention to SSL
> support, validation, and security (see all the changes to OpenStack
> services to switch out HTTPSConnection for requests). Additionally,
> performance of these are typically much better than SSL in Python (I've
> seen 5-10x or more improvements).
Should the effort then shift to running the services in these real web
servers to take advantage of better SSL performance and not leave an
exposed underbelly?
I'm not sure I follow your reasoning on the HTTPConnection/requests
change though. On the one hand these web servers pay closer attention to
security and yet the OpenStack clients are replacing their insecure
client library. So it seems to me that it is gaining attention. And
really, that is where the big problem is anyway with some clients not
doing any sort of validation now.
Tempest takes a rather strange take on things too, providing a negative
switch, disable_ssl_certificate_validation, but not providing a way to
set the CA cert bundle.
rob
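The first point of the reply, running the OpenStack services behind a real web server that terminates TLS, looks like the following nginx configuration. This is an added example, not configuration from the thread or from any OpenStack project; it assumes the API service (Keystone is used as the placeholder) listens on plain HTTP at 127.0.0.1:5000, and the hostname and certificate paths are placeholders.

```nginx
# Added example: nginx terminating TLS in front of an OpenStack API service.
# Assumed: the service listens on plain HTTP at 127.0.0.1:5000; the hostname
# and certificate/key paths below are placeholders.

# The back-end stays on loopback so the unencrypted listener is not reachable
# from the network; only the TLS front end is exposed.
upstream keystone_backend {
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;
    server_name keystone.example.com;                               # assumed hostname

    ssl_certificate     /etc/ssl/certs/keystone.example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/keystone.example.com.key;  # placeholder path
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://keystone_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the service the client arrived over HTTPS so the URLs it
        # generates (version links, service catalog) use the https scheme.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Do not serve the API over plain HTTP on the public port; redirect instead.
server {
    listen 80;
    server_name keystone.example.com;
    return 301 https://$host$request_uri;
}
```

Two things this does not do on its own: the service must also be configured, in its own settings, to bind only to 127.0.0.1 rather than all interfaces, otherwise the plain-HTTP listener remains reachable beside the proxy; and none of this helps a client that skips certificate validation, which is the second concern in the reply. The client side is only as strong as its CA bundle and its decision to verify against it.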