[openstack-dev] [Neutron][LBaaS] SSL Termination write-up

Vijay Venkatachalam Vijay.Venkatachalam at citrix.com
Wed Nov 20 11:14:12 UTC 2013


Hi,

	Replies Inline!

> -----Original Message-----
> From: Stephen Gran [mailto:stephen.gran at guardian.co.uk]
> Sent: Wednesday, November 20, 2013 2:59 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron][LBaaS] SSL Termination write-up
> 
> Hi,
> 
> Yes, definitely yes.
> 
> It's just a bootstrap problem - you can't both have a reliable, resilient
> loadbalancer that can be respawned, and not store all the data necessary to
> respawn it.
> 

Not necessarily. Devices can be in HA or clustering mode. Any configuration that is
sent to one device will be synced with the other paired devices securely and would also
fail over at the right time.

> I agree there are privacy concerns, just as there are with any hoster.
> But if you don't trust your hoster with your SSL certs, you probably shouldn't
> host any content that matters with them.
> 

I am in no way an expert in this area, but I think it is not a question of trust but a fear that
a security loophole in the controller could be exploited to read the certificates.

I don't know of any concerns though.

> Cheers,
> 
> On Wed, 2013-11-20 at 08:43 +0000, Samuel Bercovici wrote:
> > Hi Stephen,
> >
> > When this was discussed in the past, customers were not happy about
> > storing their SSL certificates in the OpenStack database as plain fields, as they
> > felt that this is not secure enough.
> > Do you say that you are OK with storing SSL certificates in the OpenStack
> > database?
> >
> > -Sam.
> >
> >
> > -----Original Message-----
> > From: Stephen Gran [mailto:stephen.gran at theguardian.com]
> > Sent: Wednesday, November 20, 2013 10:15 AM
> > To: openstack-dev at lists.openstack.org
> > Subject: Re: [openstack-dev] [Neutron][LBaaS] SSL Termination write-up
> >
> > On 19/11/13 16:33, Clint Byrum wrote:
> > > Excerpts from Vijay Venkatachalam's message of 2013-11-19 05:48:43 -0800:
> > >> Hi Sam, Eugene, & Avishay, et al.,
> > >>
> > >>                  Today I spent some time to create a write-up for SSL
> > >> Termination, not exactly a design doc. Please share your comments!
> > >>
> > >> https://docs.google.com/document/d/1tFOrIa10lKr0xQyLVGsVfXr29NQBq2nYTvMkMJ_inbo/edit
> > >>
> > >> Would like comments/discussion especially on the following note:
> > >>
> > >> SSL Termination requires certificate management. The ideal way is to
> > >> handle this via an independent IAM service. This would take time to
> > >> implement, so the thought was to add the certificate details in the VIP resource
> > >> and send them directly to the device. Basically, don't store the certificate key in
> > >> the DB, thereby avoiding the security concerns of maintaining certificates in the
> > >> controller.
> >
> > I don't see why it does.  Nothing in openstack needs to trust user-uploaded
> > certs.  Just storing them as independent certificate objects that can be
> > referenced by N VIPs makes sense to me.
> >
> > If the backend is SSL, I would think you could do one of:
> > a) upload client certs
> > b) upload CA that has signed backend certs
> > c) opt to disable cert checking for backends
> >
> > With the default being c).
> >
> > Cheers,
> > --
> > Stephen Gran
> > Senior Systems Integrator - theguardian.com
> >
> > Please consider the environment before printing this email.
> > ------------------------------------------------------------------
> > Visit theguardian.com
> >
> > On your mobile, download the Guardian iPhone app
> > theguardian.com/iphone and our iPad edition theguardian.com/iPad
> > Save up to 33% by subscribing to the Guardian and Observer - choose the
> > papers you want and get full digital access.
> > Visit subscribe.theguardian.com
> >
> > This e-mail and all attachments are confidential and may also be privileged.
> > If you are not the named recipient, please notify the sender and delete the
> > e-mail and all attachments immediately.
> > Do not disclose the contents to another person. You may not use the
> > information for any purpose, or store, or copy, it in any way.
> >
> > Guardian News & Media Limited is not liable for any computer viruses or
> > other material transmitted with or as part of this e-mail. You should employ
> > virus checking software.
> >
> > Guardian News & Media Limited
> >
> > A member of Guardian Media Group plc
> > Registered Office
> > PO Box 68164
> > Kings Place
> > 90 York Way
> > London
> > N1P 2AP
> >
> > Registered in England Number 908396
> >
> > --------------------------------------------------------------------------
> >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> 
> --
> Stephen Gran
> Senior Systems Integrator - The Guardian
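Stephen's three backend options, a) upload client certs, b) upload the CA that signed the backend certs, c) disable cert checking, with c) as the default, are easier to weigh when the three policies sit side by side in code. The program below is an added example written for this page; it is not code from the thread, from Neutron LBaaS, or from any vendor driver. It maps each option to the client-side tls.Config a load balancer would use towards a backend member, mints throw-away certificates in-process (constructed test data, a backend CA plus leaf and a tenant CA plus client cert), and probes each policy against a loopback backend, once with a backend that accepts anyone and once with one that demands a client certificate. The names Mode, BackendTLSConfig, Scenario and Probe are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// Mode is the backend-TLS policy a tenant attaches to a pool: the thread's
// options a, b and c. All type and function names here are hypothetical.
type Mode string

const (
	ModeClientCert Mode = "a" // upload a client cert: mutual TLS to the backend
	ModeCA         Mode = "b" // upload the CA that signed the backend certs
	ModeNoVerify   Mode = "c" // disable cert checking (the proposed default)
)

// BackendTLSConfig turns the tenant's choice into the client-side tls.Config
// the load balancer uses towards a backend member. roots is the uploaded CA
// bundle (modes a and b); clientCert is the uploaded client cert (mode a).
func BackendTLSConfig(mode Mode, roots *x509.CertPool, clientCert *tls.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if mode == ModeNoVerify {
		cfg.InsecureSkipVerify = true // no chain, no name check: an on-path host can pose as the backend
		return cfg
	}
	cfg.RootCAs = roots // modes a and b: the backend chain must end in the uploaded bundle
	if mode == ModeClientCert && clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	return cfg
}

// mintCert issues a throw-away ECDSA cert for 127.0.0.1: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent. Constructed test data only.
func mintCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, BasicConstraintsValid: true,
	}
	var signer, signerKey = tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err) // a failure here is a bug in the template, not a runtime condition
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Scenario is constructed data: a backend with its own CA, and a tenant CA
// that issues the load balancer's client certificate.
type Scenario struct {
	BackendCA  *x509.CertPool  // what the tenant uploads for modes a and b
	ClientCert tls.Certificate // what the tenant uploads for mode a
	Server     *tls.Config     // backend that accepts any client
	ServerMTLS *tls.Config     // backend that demands a tenant-issued client cert
}

func NewScenario() *Scenario {
	backendCA, tenantCA := mintCert("backend-ca", nil), mintCert("tenant-client-ca", nil)
	backend := []tls.Certificate{mintCert("backend", &backendCA)}
	roots, clients := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(backendCA.Leaf)
	clients.AddCert(tenantCA.Leaf)
	return &Scenario{
		BackendCA:  roots,
		ClientCert: mintCert("lbaas-client", &tenantCA),
		Server:     &tls.Config{Certificates: backend},
		ServerMTLS: &tls.Config{Certificates: backend, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clients},
	}
}

// Probe runs one handshake against a loopback backend and returns the client
// side's error; nil means the policy accepted the backend and, for mTLS, the
// backend accepted the client.
func Probe(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("ok")) // only sent when the backend is happy with the client
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = io.ReadFull(conn, make([]byte, 2)) // surfaces a rejection the backend sends after tls.Dial returns
	return err
}
```

Probe returns nil only when both sides complete the handshake. Mode c accepts any backend, including one whose CA the tenant never uploaded, which is exactly what makes it a convenient default and a weak one. Mode b rejects a backend whose chain does not end in the uploaded bundle. Mode a becomes necessary as soon as the backend itself demands a client certificate, because a mode b pool has nothing to present and the backend closes the connection with a certificate-required alert; that alert arrives after the client's own handshake has finished, which is why Probe reads from the connection instead of trusting the return value of tls.Dial alone.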