openstack team mailing list archive

Thread
Date

Re: Do we need SSL on nova-api ports?

To: Richard Hartmann <richih.mailinglist@xxxxxxxxx>
From: Vishvananda Ishaya <vishvananda@xxxxxxxxx>
Date: Tue, 3 May 2011 11:14:14 -0700
Cc: Kirill Shileev <kshileev@xxxxxxxxxxxxxxxx>, openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <BANLkTinSR2wJcxDr1_uTWwKoG00D0uKx=g@mail.gmail.com>

I don't really see any reason for production apps to run on anything other than 80/443.  In dev mode it is nice to have other ports, but I don't really see a reason for special ports in production systems.

Vish

On May 3, 2011, at 10:49 AM, Richard Hartmann wrote:

> On Tue, May 3, 2011 at 08:09, Dirk-Willem van Gulik
> <dirk-willem.van.gulik@xxxxxxxxx> wrote:
> 
>> a)      Make SSL only the default (ideally with client cert on as well).
> 
> Sounds good to me.
> 
> 
>> b)      Postulate that one port lower there is an optional HTTP port (OFF, or tied to localhost).
> 
> The IETF _strongly_ prefers STARTTLS over separate TLS/non-TLS ports.
> If you ever want to get an IANA assignment, you are pretty much
> required to support STARTTLS unless you are working with legacy
> protocols.
> 
> 
> Using STARTTLS and requiring TLS by default seems like a good option
> for the medium term, to me.
> 
> 
> Richard
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

References

Do we need SSL on nova-api ports?
From: Kirill Shileev, 2011-04-25
Re: Do we need SSL on nova-api ports?
From: Dirk-Willem van Gulik, 2011-04-26
Re: Do we need SSL on nova-api ports?
From: Eldar Nugaev, 2011-05-02
Re: Do we need SSL on nova-api ports?
From: Dirk-Willem van Gulik, 2011-05-03
Re: Do we need SSL on nova-api ports?
From: Richard Hartmann, 2011-05-03