openstack team mailing list archive

Re: Do we need SSL on nova-api ports?

 

On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik
<dirk-willem.van.gulik@xxxxxxxxx> wrote:

> a) Make SSL only the default (ideally with client cert on as well).

Sounds good to me.


> b) Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).

The IETF _strongly_ prefers STARTTLS over separate TLS/non-TLS ports.
If you ever want to get an IANA assignment, you are pretty much
required to support STARTTLS unless you are working with legacy
protocols.


Using STARTTLS and requiring TLS by default seems like a good option
for the medium term, to me.


Richard

