[Openstack] Do we need SSL on nova-api ports?

Richard Hartmann richih.mailinglist at gmail.com
Tue May 3 17:49:15 UTC 2011


On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik
<dirk-willem.van.gulik at bbc.co.uk> wrote:

> a) Make SSL only the default (ideally with client cert on as well).

Sounds good to me.


> b) Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).

The IETF _strongly_ prefers STARTTLS over separate TLS/non-TLS ports.
If you ever want to get an IANA assignment, you are pretty much
required to support STARTTLS unless you are working with legacy
protocols.


Using STARTTLS and requiring TLS by default seems like a good option
for the medium term, to me.


Richard



