Hi Zang Thank you for your contribution on this! The private key management is what I want to discuss in the summit.
[1] We are depending DB security, anyway When we get stolen the private key in the DB, it means we are also stolen ID/PW for DB. If we stolen the key, even if we keep the private key secret, the attacker can connect the NW for anywhere. [2] How we manage a passcode for encrypting private key? so even if openvpn supports encripted keys, when we input the passcode? Vpn process will be launched automatically by neutron-server, so we need to store it in the memory. This is same security with plain private key. For example, most of apache servers using plain private key, I guess. so the security of ssl-vpn impl depends on db, rpc trasport, file system security even if we encrypt the private key or not. may be, we have better way, but I think current design isn't so bad to prevent get merged. Best Nachi 2014-04-28 23:02 GMT-07:00 Zang MingJie <zealot0...@gmail.com>: > Hi all: > > Currently I'm working on ssl vpn, based on patchsets by Nachi[1] and Rajesh[2] > > There are secure issues pointed by mark, that ssl private keys are > stored plain in database and in config files of vpn-agents. As > Barbican is incubated, we can store certs and their private keys in > Barbican. But after checking openvpn configurations, I don't think > there is any way to prevent storing private key in openvpn config > files without modify the openvpn implementation. > > I have also made several changes, added a optional port field to > sslvpn-connection table, integrated with service plugin framework > (I'll follow service flavor framework when it is ready), and completed > the neutronclient part. It is already developed in our testing > environment, I'll upload my patch sooner or later. > > [1] https://review.openstack.org/#/c/58897/ > [2] https://review.openstack.org/#/c/70274/ > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
