cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Syed Ahmed <sah...@cloudops.com>
Subject Re: [New Feature FS] SSL Offload Support for Cloudstack
Date Tue, 08 Oct 2013 19:22:14 GMT
Thanks for the feedback guys. Really appreciate it.

1) Changing the name to SSL Termination.

I don't have a problem with that. I was looking at Netscaler all the time
and they call it SSL offloading. But I agree that termination is a more 
general term.
I have changed the name. The new page is at 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

2) Specify the protocol type.

Currently the protocol type of a loadbalncer gets set by checking the 
source and destination port ( see getNetScalerProtocol() in 
NetscalerResouce.java ) . So, we should change that and add another 
optional field in the createLoadBalancerRule for protocol.

3) Certificate chain as a seperate parameter.

Again, I was looking at Netscaler as an example but separating the chain 
and certificate makes sense. I have updated the document accordingly.

I was assuming that the certificate parsing/validation would be done by 
the device and we would just pass the certficate data as-is. But if we 
are adding chains separately, we should have the ability to parse and 
combine the chain and certificate for some devices as you mentioned.

Thanks
-Syed


On Tue 08 Oct 2013 02:49:52 PM EDT, Chip Childers wrote:
>
> On Tue, Oct 08, 2013 at 11:41:42AM -0700, Darren Shepherd wrote:
>>
>> Technicality here, can we call the functionality SSL termination?
>> While technically we are "offloading" ssl from the VM, offloading
>> typically carries a connotation that its being done in hardware. So
>> we are really talking about SSL termination.
>
>
> +1 - completely agree. There's certainly the possibility of an
> *implementation* being true offloading, but I'd generalize to
> "termination" to account for a non-hardware offload of the crypto
> processing.
>
>>
>>
>> Couple comments. I wouldn't want to assume anything about SSL based
>> on port numbers. So instead specify the protocol (http/https/ssl/tcp)
>> for the front and back side of the load balancer. Additionally, I'd
>> prefer the chain not be in the cert. When configuring some backends
>> you need the cert and chain separate. It would be easier if they were
>> stored that way. Otherwise you have to do logic of parsing all the
>> certs in the "keystore" and look for the one that matches the key.
>
>
> Also +1 to this. Cert chains may be optional, certainly, but should
> actually be separate from the actual cert in the configuration. The
> implementation may need to combine them into one document, but that's
> implementation specific.
>
>>
>>
>> Otherwise, awesome feature. I'll tell you, from an impl perspective,
>> parsing and validating the SSL certs is a pain. I can probably find
>> some java code to help out here on this as I've done this before in
>> the past.
>
>
> Yes, this is a sorely needed feature. I'm happy to see this be added to
> the Netscaler plugin, and await a time when HA proxy has a stable
> release that includes SSL term.
>
>>
>>
>> Darren
>>
>> On Tue, Oct 8, 2013 at 11:14 AM, Syed Ahmed <sahmed@cloudops.com> wrote:
>>>
>>> Hi,
>>>
>>> I have been working on adding SSL offload functionality to 
>>> cloudstack and
>>> make it work for Netscaler. I have an initial design documented at
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+Support
>>> and I would really love your feedback. The bug for this is
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-4821 .
>>>
>>> Thanks,
>>> -Syed
>>>
>>>
>>
>>
>



Mime
View raw message