openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #02091
Re: Do we need SSL on nova-api ports?
On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik
<dirk-willem.van.gulik@xxxxxxxxx> wrote:
> a) Make SSL only the default (ideally with client cert on as well).
Sounds good to me.
> b) Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).
The IETF _strongly_ prefers STARTTLS over separate TLS/non-TLS ports.
If you ever want to get an IANA assignment, you are pretty much
required to support STARTTLS unless you are working with legacy
protocols.
Using STARTTLS and requiring TLS by default seems like a good option
for the medium term, to me.
Richard
Follow ups
References