[openstack-dev] SSL in Common client

Rob Crittenden rcritten at redhat.com
Fri May 2 20:30:08 UTC 2014


Dean Troyer wrote:
> On Fri, May 2, 2014 at 2:06 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     I'm trying to get devstack to the point where it can configure all
>     the services with SSL so it can be part of the acceptance
>     process. This is for client communication, there is no expectation
>     that anyone would deploy native SSL endpoints. For the most part
>     things just work. Most of the issues I've run into are server to
>     server communication relating to passing in the CA certificate path.
>
>
> FWIW, DevStack has had the ability to do TLS termination using stud for
> all public API services, long before any of the individual service
> SSL/TLS configurations were usable.  Using an external TLS termination
> solves the internal communication problem as long as internal services
> are configured properly.  It also more closely matches what I have seen
> in real-world deployments.

I'm not particularly worried about the endpoints. What I want to test 
are servers acting as clients and the CLI clients to secure endpoints. I 
want to ensure that SSL works for those cases where services are running 
on separate nodes, however they are secured (natively or with a proxy).

>
> It has been a while since I've tested this and it is likely to need some
> love. The basic structure, including building a root and intermediate CA
> to issue certs that look like real-world certs, has been present for
> almost a year and a half.

I found the basic SSL code in pretty good shape so I suspect that it 
still works.

rob


