[openstack-dev] [Neutron][LBaaS] TLS capability - SNI - Extracting SubjectCommonName and/or SubjectAlternativeNames from X509

Carlos Garza carlos.garza at rackspace.com
Tue Jul 15 15:49:22 UTC 2014


On Jul 15, 2014, at 9:24 AM, Evgeny Fedoruk <EvgenyF at Radware.com> wrote:

> The question is about SCN and SAN extraction from X509.
> 1.       Extraction of SCN/ SAN should be done while provisioning and not during TLS handshake
   Yes that makes the most sense. If some strange backend really wants to repeatedly extract this during TLS handshake
I guess they are free to do this although it's pretty brain damaged since the extracted fields will always be the same.

> 2.       Every back-end code/driver must(?) extract SCN and(?) SAN and use it for certificate determination for host

    No need for this to be in driver code. It was my understanding that the X509 was going to be pulled apart in the API code via pyOpenSSL (which is what I'm working on now). Since we would be validating the key and x509 at the API layer already, it made more sense to extract the SubjectAltName and SubjectSN here as well. If you want to do it in the driver as well, at least use the same code that's already in the API layer.


>  
> Please give your feedback
>  
> Thanks,
> Evg
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
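
As an added illustration (not code from this thread or from the Neutron LBaaS code base), the extraction step Carlos describes, done once at provisioning time rather than per handshake: a minimal pure-Python DER walker that pulls the subject CN and the dNSName entries of SubjectAltName out of a DER-encoded X.509 certificate. The input is a constructed, unsigned certificate skeleton (correct field order, empty AlgorithmIdentifier/validity/SPKI, no signature) built by the same helpers; a real API layer would use pyOpenSSL and would validate the certificate and key before trusting either name.

```python
OID_CN = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName 2.5.29.17

def der(tag, body):  # encode one DER TLV (short and long length forms)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlvs(buf):
    """Yield (tag, value) for each consecutive DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                        # long form: low 7 bits = length-of-length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n

def extract_names(cert_der):
    """Return (subject CN, [dNSName SANs]) from a DER-encoded Certificate."""
    cert_body = next(tlvs(cert_der))[1]            # Certificate ::= SEQ {tbs, alg, sig}
    fields = list(tlvs(next(tlvs(cert_body))[1]))  # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # drop optional [0] version
        fields = fields[1:]
    cn = None                                      # fields[4] is the subject Name
    for _, rdn in tlvs(fields[4][1]):              # SEQ OF SET OF AttributeTypeAndValue
        for _, atv in tlvs(rdn):
            (_, oid), (_, val) = tlvs(atv)
            if oid == OID_CN:
                cn = val.decode()
    sans = []
    for exts in (v for t, v in fields[5:] if t == 0xA3):   # [3] extensions
        for _, ext in tlvs(next(tlvs(exts))[1]):
            parts = list(tlvs(ext))                # OID [, BOOLEAN critical], OCTET STRING
            if parts[0][1] == OID_SAN:
                for gtag, gval in tlvs(next(tlvs(parts[-1][1]))[1]):
                    if gtag == 0x82:               # dNSName [2] IA5String
                        sans.append(gval.decode())
    return cn, sans

def sample_cert():  # constructed, unsigned certificate skeleton (structure only)
    atv = lambda oid, s: der(0x31, der(0x30, der(0x06, oid) + der(0x0C, s.encode())))
    name = lambda cn: der(0x30, atv(OID_CN, cn))
    san = der(0x30, b"".join(der(0x82, h.encode()) for h in ("www.example.test", "example.test")))
    ext = der(0x30, der(0x06, OID_SAN) + der(0x04, san))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name("Example CA") + der(0x30, b"") + name("www.example.test")
              + der(0x30, b"") + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

The walker checks neither the signature nor the chain; it only locates the name fields, which is why it must run after the API layer's certificate and key validation, not instead of it.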
