Hi all. So what is the decision? I see three decisions:
#1 Replace existing plain HTTP with SSL
#2 Add additional ports for SSL (save plain HTTP)
#3 Do nothing

Eldar

On Tue, Apr 26, 2011 at 11:27 AM, Dirk-Willem van Gulik <[email protected]> wrote:
>
> On 25 Apr 2011, at 19:47, Kirill Shileev wrote:
>
>> Recently, playing with libcloud against a private openstack installation
>> we realized that 8773 and 8774 ports listened by openstack-nova-api expect
>> plain HTTP.
>> This is something that is rarely allowed in production installations.
>> .....
>> Other option would be making this configurable, although not sure why and
>> where the plain HTTP might be justified.
>>
>> Any thoughts, comments?
>
> An important side effect of slapping SSL with client/server certs on pretty
> much all connections is that it makes all sorts of governance and validation
> jobs much easier from an organisational point of view. With more 'reuse' of
> existing process and validation.
>
> The attack footprint/exposed estate now splits in three clean realms: issuing
> of client cert, security of the TCP and SSL layer - and a specific model for
> what happens within that connection. With the latter bound by the previous
> two. Furthermore client validation can be done with nearly a secret in sight.
>
> So for those reasons alone - SSL is good.
>
> Dw.
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>

--
Eldar
Skype: eldar.nugaev

