cloudstack-dev mailing list archives

From Syed Ahmed <>
Subject Re: [New Feature FS] SSL Offload Support for Cloudstack
Date Tue, 08 Oct 2013 19:22:14 GMT
Thanks for the feedback guys. Really appreciate it.

1) Changing the name to SSL Termination.

I don't have a problem with that. I was looking at Netscaler all the time
and they call it SSL offloading. But I agree that termination is a more 
general term.
I have changed the name. The new page is at

2) Specify the protocol type.

Currently the protocol type of a load balancer gets set by checking the 
source and destination port (see getNetScalerProtocol() in ). So, we should change that and add another 
optional field in the createLoadBalancerRule for protocol.

3) Certificate chain as a separate parameter.

Again, I was looking at Netscaler as an example but separating the chain 
and certificate makes sense. I have updated the document accordingly.

I was assuming that the certificate parsing/validation would be done by 
the device and we would just pass the certificate data as-is. But if we 
are adding chains separately, we should have the ability to parse and 
combine the chain and certificate for some devices as you mentioned.


On Tue 08 Oct 2013 02:49:52 PM EDT, Chip Childers wrote:
> On Tue, Oct 08, 2013 at 11:41:42AM -0700, Darren Shepherd wrote:
>> Technicality here, can we call the functionality SSL termination?
>> While technically we are "offloading" ssl from the VM, offloading
>> typically carries a connotation that it's being done in hardware. So
>> we are really talking about SSL termination.
> +1 - completely agree. There's certainly the possibility of an
> *implementation* being true offloading, but I'd generalize to
> "termination" to account for a non-hardware offload of the crypto
> processing.
>> Couple comments. I wouldn't want to assume anything about SSL based
>> on port numbers. So instead specify the protocol (http/https/ssl/tcp)
>> for the front and back side of the load balancer. Additionally, I'd
>> prefer the chain not be in the cert. When configuring some backends
>> you need the cert and chain separate. It would be easier if they were
>> stored that way. Otherwise you have to do logic of parsing all the
>> certs in the "keystore" and look for the one that matches the key.
> Also +1 to this. Cert chains may be optional, certainly, but should
> actually be separate from the actual cert in the configuration. The
> implementation may need to combine them into one document, but that's
> implementation specific.
>> Otherwise, awesome feature. I'll tell you, from an impl perspective,
>> parsing and validating the SSL certs is a pain. I can probably find
>> some java code to help out here on this as I've done this before in
>> the past.
> Yes, this is a sorely needed feature. I'm happy to see this be added to
> the Netscaler plugin, and await a time when HA proxy has a stable
> release that includes SSL term.
>> Darren
>> On Tue, Oct 8, 2013 at 11:14 AM, Syed Ahmed <> wrote:
>>> Hi,
>>> I have been working on adding SSL offload functionality to cloudstack and
>>> make it work for Netscaler. I have an initial design documented at
>>> and I would really love your feedback. The bug for this is
>>> .
>>> Thanks,
>>> -Syed
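
The thread settles on taking the certificate and its chain as separate parameters and combining them only for devices that need a single document. A sketch of that combining step follows; it is an added example, not CloudStack or Netscaler plugin code. The function names are hypothetical, the sample bodies are constructed placeholders rather than real X.509 data, and the check is structural only (it does not verify signatures or that the chain actually links to the leaf).

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True rejects non-base64 characters instead of skipping them
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def to_pem(der):
    """Encode DER bytes as a CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\n".join(lines)
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def combine(cert_pem, chain_pem=""):
    """Build one leaf-first bundle from a separately supplied cert and chain."""
    leaf = pem_blocks(cert_pem)
    chain = pem_blocks(chain_pem)
    if len(leaf) != 1:
        raise ValueError("certificate field must hold exactly one PEM block")
    for label, _ in leaf + chain:
        # Key material must never travel in the certificate or chain field.
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
    ordered = [leaf[0][1]]
    for _, der in chain:
        if der not in ordered:  # drop a repeated leaf or intermediate
            ordered.append(der)
    return "".join(to_pem(der) for der in ordered)


# Constructed placeholder bodies, not real X.509 certificates.
LEAF = to_pem(b"constructed-leaf-certificate-bytes")
INTERMEDIATE = to_pem(b"constructed-intermediate-bytes")
ROOT = to_pem(b"constructed-root-bytes")
```

Keeping the two inputs separate in storage means a backend that wants them apart gets them as supplied, and only backends that need one document call `combine`.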
