[Openstack] Do we need SSL on nova-api ports?

Dirk-Willem van Gulik dirk-willem.van.gulik at bbc.co.uk
Tue May 3 17:53:32 UTC 2011


On 3 May 2011, at 18:49, Richard Hartmann wrote:

> On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik
> <dirk-willem.van.gulik at bbc.co.uk> wrote:
> 
> > a)      Make SSL only the default (ideally with client cert on as well).
> 
> Sounds good to me.
> 
> > b)      Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).
> 
> The IETF _strongly_ prefers STARTTLS over separate TLS/non-TLS ports.
> If you ever want to get an IANA assignment, you are pretty much
> required to support STARTTLS unless you are working with legacy
> protocols.
> 
Actually - that is a very good point for anything non REST/http.
> Using STARTTLS and requiring TLS by default seems like a good option
> for the medium term, to me.
> 
Right - but I think it is fair to assume that any IAB concerns would only apply to two way chatty protocols. A pure 'rest' one-shot stateless protocol would not be burdened with a STARTTLS and all the risks that entails.

Dw