From: John Kinsella
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] realhostip.com going away
Date: Fri, 7 Mar 2014 01:21:18 +0000
Message-ID: <07F2BEBB-1560-434D-9837-D79D7CCCC4BC@stratosec.co>

So - I've browsed around a little after pondering the idea of doing crypto at the JS level, but I can't seem to make the argument and keep a straight face.
I did find a JS library [1] that would probably work, but still you're left with 2 issues: 1) gotta get the library securely to the browser (proper running SSL on the management server), and 2) You'd still need a CA to sign the certs that run on the console proxy/SSVM [2].

So, nix that. It seems like the best way to do this is have security off by default, make sure that's very obvious to new users, and have a guide on how to get things production-ready.

Anyways - we almost have the patch ready, Amogh and I have gone back/forth on the review once or twice, once we get I think just one more issue straightened out we're good.

John

1: https://github.com/digitalbazaar/forge
2: Ya know…we could run a CA on the management server….

On Mar 6, 2014, at 4:53 PM, Kelven Yang wrote:

>
> On 3/2/14, 8:15 AM, "Paul Angus" wrote:
>
>> There are a few issues with the current console proxy setup, not least of
>> which is the need to have internet access to resolve realhostip.com in
>> the first place - so console proxy can't work if you don't have internet
>> access on your client. I have configured alternative realhostip.com
>> setups for clients - and quite a lot of work goes into creating the
>> infrastructure (and certs) to support changing to a user managed
>> certificate.
>>
>> Sooo, is it at all possible to secure communications with the console
>> proxy, without having to rely on ANY outside entity?
>
> console proxy client is based on AJAX channel provided by browser via
> Javascript engine, which leaves the security option to be pretty much on
> HTTPS, and it requires a server certificate to start with. So we don't
> have many choices here.
>
> -Kelven
>
>> Testing alone is going to be a pain, if a full ssl cert setup is required
>> to use console proxy..
>>
>> Regards
>>
>> Paul Angus
>> Cloud Architect
>> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
>> paul.angus@shapeblue.com
>>
>> -----Original Message-----
>> From: Amogh Vasekar [mailto:amogh.vasekar@citrix.com]
>> Sent: 28 February 2014 23:05
>> To: dev@cloudstack.apache.org
>> Subject: Re: [DISCUSS] realhostip.com going away
>>
>> On 2/28/14 2:03 PM, "Nux!" wrote:
>>
>>> There's also the problem of the certificate. It comes bundled in ACS as
>>> far as I can tell.. When does it expire?
>>
>> notBefore=Feb 3 03:30:40 2012 GMT
>> notAfter=Feb 7 05:11:23 2017 GMT
>>

Stratosec - Compliance as a Service
o: 415.315.9385
@johnlkinsella
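John's footnote about running a CA on the management server, together with the expiry question Nux! raised, as a worked example added here (not CloudStack's code and not from any poster in the thread): a private CA issues a certificate for the console proxy hostname, then the operator runs the chain and expiry checks before relying on HTTPS. It assumes openssl is on PATH; the hostname and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not CloudStack code: a private CA on the management server
# issues the console proxy certificate, then we run the two checks an operator
# wants before enabling HTTPS: the chain verifies, and the cert is not expiring.
# Assumes openssl on PATH; hostname and directory are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
CP_HOST="${CP_HOST:-consoleproxy.mgmt.example}"   # placeholder hostname

# 1. Private CA: key plus self-signed root valid for 10 years.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Management Server Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Console proxy key + CSR, signed by the CA with a SAN so the browser's
#    hostname check matches (CN alone is not enough for modern clients).
issue_cp_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CP_HOST" \
    -keyout "$WORK/cp.key" -out "$WORK/cp.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$CP_HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/cp.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -extfile "$WORK/san.ext" \
    -out "$WORK/cp.crt" >/dev/null 2>&1
}

# 3a. Does the issued cert chain to our CA? (exit 0 = yes)
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/cp.crt" >/dev/null 2>&1
}
# 3b. Will the cert still be valid $1 seconds from now? (exit 0 = yes)
not_expiring_within() {
  openssl x509 -in "$WORK/cp.crt" -noout -checkend "$1" >/dev/null 2>&1
}
# 3c. The same notBefore=/notAfter= lines Amogh pasted for the bundled cert.
cert_dates() {
  openssl x509 -in "$WORK/cp.crt" -noout -dates
}

make_ca
issue_cp_cert
verify_chain                          # set -e aborts here if the chain is bad
not_expiring_within $((30 * 86400))   # ...or here if it expires within 30 days
cert_dates
```

Point the browser at the CA certificate (not the leaf) when importing trust, and schedule the `-checkend` call so the 2017 surprise from the bundled certificate does not repeat.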