So - I’ve browsed around a little after pondering the idea of doing crypto at the JS level, but I can’t seem to make the argument and keep a straight face. I did find a JS library [1] that would probably work, but still you’re left with 2 issues: 1) gotta get the library securely to the browser (proper running SSL on the management server), and 2) You’d still need a CA to sign the certs that run on the console proxy/SSVM [2].
So, nix that. It seems like the best way to do this is have security off by default, make sure that’s very obvious to new users, and have a guide on how to get things production-ready. Anyways - we almost have the patch ready, Amogh and I have gone back/forth on the review once or twice, once we get I think just one more issue straightened out we’re good.

John

1: https://github.com/digitalbazaar/forge
2: Ya know…we could run a CA on the management server….</securityGeekHumor>

On Mar 6, 2014, at 4:53 PM, Kelven Yang <kelven.y...@citrix.com> wrote:

> On 3/2/14, 8:15 AM, "Paul Angus" <paul.an...@shapeblue.com> wrote:
>
>> There are a few issues with the current console proxy setup, not least of
>> which is the need to have internet access to resolve realhostip.com in
>> the first place - so console proxy can't work if you don't have internet
>> access on your client. I have configured alternative realhostip.com
>> setups for clients - and quite a lot of work goes into creating the
>> infrastructure (and certs) to support changing to a user managed
>> certificate.
>>
>> Sooo, is it at all possible to secure communications with the console
>> proxy, without having to rely on ANY outside entity?
>
> console proxy client is based on AJAX channel provided by browser via
> Javascript engine, which leaves the security option to be pretty much on
> HTTPS, and it requires a server certificate to start with. So we don't
> have many choices here.
>
> -Kelven
>
>> Testing alone is going to be a pain, if a full ssl cert setup is required
>> to use console proxy..
>>
>> Regards
>>
>> Paul Angus
>> Cloud Architect
>> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
>> paul.an...@shapeblue.com
>>
>> -----Original Message-----
>> From: Amogh Vasekar [mailto:amogh.vase...@citrix.com]
>> Sent: 28 February 2014 23:05
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] realhostip.com going away
>>
>> On 2/28/14 2:03 PM, "Nux!" <n...@li.nux.ro> wrote:
>>
>>> There's also the problem of the certificate. It comes bundled in ACS as
>>> far as I can tell.. When does it expire?
>>
>> notBefore=Feb 3 03:30:40 2012 GMT
>> notAfter=Feb 7 05:11:23 2017 GMT
Stratosec - Compliance as a Service o: 415.315.9385 @johnlkinsella