[openstack-dev] [Neutron] SSL VPN Implemenatation
Nachi Ueno
nachi at ntti3.com
Tue Apr 29 17:42:52 UTC 2014
Hi Zang
Thank you for your contribution on this!
The private key management is what I want to discuss in the summit.
[1] We are depending DB security, anyway
When we get stolen the private key in the DB, it means we are also
stolen ID/PW for DB.
If we stolen the key, even if we keep the private key secret, the
attacker can connect the NW for anywhere.
[2] How we manage a passcode for encrypting private key?
so even if openvpn supports encripted keys, when we input the passcode?
Vpn process will be launched automatically by neutron-server, so we
need to store it in the memory.
This is same security with plain private key.
For example, most of apache servers using plain private key, I guess.
so the security of ssl-vpn impl depends on db, rpc trasport, file
system security even if we encrypt the private key or not.
may be, we have better way, but I think current design isn't so bad to
prevent get merged.
Best
Nachi
2014-04-28 23:02 GMT-07:00 Zang MingJie <zealot0630 at gmail.com>:
> Hi all:
>
> Currently I'm working on ssl vpn, based on patchsets by Nachi[1] and Rajesh[2]
>
> There are secure issues pointed by mark, that ssl private keys are
> stored plain in database and in config files of vpn-agents. As
> Barbican is incubated, we can store certs and their private keys in
> Barbican. But after checking openvpn configurations, I don't think
> there is any way to prevent storing private key in openvpn config
> files without modify the openvpn implementation.
>
> I have also made several changes, added a optional port field to
> sslvpn-connection table, integrated with service plugin framework
> (I'll follow service flavor framework when it is ready), and completed
> the neutronclient part. It is already developed in our testing
> environment, I'll upload my patch sooner or later.
>
> [1] https://review.openstack.org/#/c/58897/
> [2] https://review.openstack.org/#/c/70274/
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list