[openstack-dev] Keystone TLS Question

Adam Young ayoung at redhat.com
Wed Oct 30 02:22:31 UTC 2013


On 10/25/2013 02:31 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
wrote:
>
> Hello again,
>
> It looks to me that TLS is automatically supported by Keystone 
> Havana. I performed the following curl call and it seems to indicate 
> that Keystone is using TLS. Can anyone validate that Keystone Havana 
> does or does not support TLS?
>
Yep, but don't take my word for it. Read the docs:

https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst#ssl




> Thanks,
>
> Mark
>
> root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone# curl -v --insecure https://15.253.58.165:35357/v2.0/certificates/signing
> * About to connect() to 15.253.58.165 port 35357 (#0)
> * Trying 15.253.58.165... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keystone@openstack.org; CN=Keystone
> * start date: 2013-03-15 01:44:55 GMT
> * expire date: 2013-03-15 01:44:55 GMT
> * common name: Keystone (does not match '15.253.58.165')
> * issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keystone@openstack.org; CN=Self Signed
> * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> > GET /v2.0/certificates/signing HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: 15.253.58.165:35357
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Content-Type: text/html; charset=UTF-8
> < Content-Length: 973
> < Date: Fri, 25 Oct 2013 18:27:52 GMT
> <
>
> * Connection #0 to host 15.253.58.165 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#
>
> *From:*Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Sent:* Friday, October 25, 2013 8:58 AM
> *To:* OpenStack Development Mailing List
> *Subject:* [openstack-dev] Keystone TLS Question
>
> Hello,
>
> Is there any direct TLS support by Keystone other than using the 
> Apache2 front end?
>
> Mark
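
Added example, not part of the original thread: the quoted transcript shows that a TLS session was negotiated, but `--insecure` let curl continue past a failed certificate check. This Python sketch pulls the trust-relevant lines out of a `curl -v` transcript; `audit_curl_tls` and its patterns are hypothetical and assume the message wording seen in the transcript above.

```python
import re
from datetime import datetime

# Lines excerpted from the curl -v transcript quoted in the message above.
TRANSCRIPT = """\
* SSL connection using AES256-SHA
* start date: 2013-03-15 01:44:55 GMT
* expire date: 2013-03-15 01:44:55 GMT
* common name: Keystone (does not match '15.253.58.165')
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< Date: Fri, 25 Oct 2013 18:27:52 GMT
"""

def _field(pattern, text):
    """Return the capture groups of the first match, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.groups() if m else None

def audit_curl_tls(text):
    """Return (encrypted, findings) for one `curl -v` transcript (hypothetical helper)."""
    findings = []
    cipher = _field(r"^\* SSL connection using (\S+)", text)
    verify = _field(r"verify result: (.+?) \((\d+)\)(, continuing anyway)?", text)
    if verify and verify[1] != "0":
        findings.append(f"chain not trusted: {verify[0]} (code {verify[1]})")
    if verify and verify[2]:
        findings.append("verification failure ignored (--insecure)")
    cn = _field(r"common name: (.+?) \(does not match '([^']+)'\)", text)
    if cn:
        findings.append(f"name mismatch: CN={cn[0]} requested={cn[1]}")
    start = _field(r"start date: (.+) GMT", text)
    end = _field(r"expire date: (.+) GMT", text)
    seen = _field(r"^< Date: \w+, (.+) GMT", text)
    if start and end and seen:
        fmt = "%Y-%m-%d %H:%M:%S"
        not_before = datetime.strptime(start[0], fmt)
        not_after = datetime.strptime(end[0], fmt)
        when = datetime.strptime(seen[0], "%d %b %Y %H:%M:%S")
        # Dates are compared exactly as curl printed them.
        if not not_before <= when <= not_after:
            findings.append(f"outside printed validity window at {when:%Y-%m-%d}")
    return cipher is not None, findings

if __name__ == "__main__":
    encrypted, findings = audit_curl_tls(TRANSCRIPT)
    print("TLS negotiated:", encrypted)
    for finding in findings:
        print(" -", finding)
```

An empty findings list together with `encrypted` being true is what a run with a proper CA bundle and a matching host name would produce.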
