[openstack-dev] SSL in Common client
Rob Crittenden
rcritten at redhat.com
Fri May 2 20:30:08 UTC 2014
Dean Troyer wrote:
> On Fri, May 2, 2014 at 2:06 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> I'm trying to get devstack to the point where it can configure all
> the services with SSL so it can be part of the acceptance
> process. This is for client communication, there is no expectation
> that anyone would deploy native SSL endpoints. For the most part
> things just work. Most of the issues I've run into are server to
> server communication relating to passing in the CA certificate path.
>
>
> FWIW, DevStack has had the ability to do TLS termination using stud for
> all public API services, long before any of the individual service
> SSL/TLS configurations were usable. Using an external TLS termination
> solves the internal communication problem as long as internal services
> are configured properly. It also more closely matches what I have seen
> in real-world deployments.
I'm not particularly worried about the endpoints. What I want to test
are servers acting as clients and the CLI clients to secure endpoints. I
want to ensure that SSL works for those cases where services are running
on separate nodes, however they are secured (natively or with a proxy).
>
> It has been a while since I've tested this and it is likely to need some
> love. The basic structure, including building a root and intermediate CA
> to issue certs that look like real-world certs, has been present for
> almost a year and a half.
I found the basic SSL code in pretty good shape so I suspect that it
still works.
rob