SSL mode with combined cert/keys not supported

Bug #1303312 reported by Kevin Benton
This bug affects 1 person
Affects: neutron
Importance: Medium
Assigned to: Kevin Benton

Bug Description

When Neutron WSGI is running in SSL mode, it requires a separate cert file and key file. However, there are cases where these may be combined into one file and neutron currently does not support this mode of operation even though the underlying SSL library does[1].

1. https://docs.python.org/2/library/ssl.html#ssl.wrap_socket

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/85585

Changed in neutron:
status: New → In Progress
Carl Baldwin (carl-baldwin) wrote :

I often specify the same file for both options when I want to use a single file for both key and cert in the context of other services such as Apache and OpenVPN. Is it certain that that doesn't work with Neutron?

Kevin Benton (kevinbenton) wrote :

I just tested it and it appears that it does work that way. However, even though you are used to the workflow of repeatedly specifying the same file, I prefer the workflow of specifying once with a combined cert. I feel like it leaves less room for errors and confusion.

For example, what happens when a new cert is installed and the admin forgets to update both so now they point to different files containing different pairs? Does it use the set in ssl_key_file or the one in ssl_cert_file?

Changed in neutron:
importance: Undecided → Medium
milestone: none → juno-1
tags: added: neutron-core
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/85585
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7f9c6259923747f0629166dc85561b0ab231ff70
Submitter: Jenkins
Branch: master

commit 7f9c6259923747f0629166dc85561b0ab231ff70
Author: Kevin Benton <email address hidden>
Date: Sun Apr 6 11:08:25 2014 +0000

    Allow combined certificate/key files for SSL

    Allows the ssl_key_file parameter to be excluded
    during SSL operation to support combined certificate/key files.

    Closes-Bug: #1303312
    Change-Id: Ied5c7a7657e0e26eda31305fc96104c6593e9593
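
A pre-flight check for the two option layouts discussed in this thread (combined file with ssl_key_file unset, or separate files), as an added example that is not Neutron's code or part of the original report. The function names and the sample PEM text are assumptions made for illustration; the check relies on Python's documented ssl behaviour of taking the private key from the certificate file when no key file is given.

```python
import re
import ssl
from pathlib import Path

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def pem_labels(text):
    """Return the PEM block labels in a file, in order."""
    return PEM_BEGIN.findall(text)

def has_private_key(labels):
    # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    return any(label.endswith("PRIVATE KEY") for label in labels)

def lint_ssl_files(cert_text, key_text=None):
    """Check the contents of ssl_cert_file and the optional ssl_key_file."""
    findings = []
    cert_labels = pem_labels(cert_text)
    if "CERTIFICATE" not in cert_labels:
        findings.append("error: ssl_cert_file contains no certificate")
    if key_text is None:  # combined mode: the key must be in the cert file
        if not has_private_key(cert_labels):
            findings.append("error: ssl_key_file unset and ssl_cert_file has no private key")
        return findings
    key_labels = pem_labels(key_text)
    if not has_private_key(key_labels):
        findings.append("error: ssl_key_file contains no private key")
    if key_text != cert_text:  # the same combined file given twice is unambiguous
        if has_private_key(cert_labels):
            findings.append("warning: ssl_cert_file also holds a private key; two pairs may be configured")
        if "CERTIFICATE" in key_labels:
            findings.append("warning: ssl_key_file also holds a certificate; two pairs may be configured")
    return findings

def load_checked(certfile, keyfile=None):
    """Lint both files, then let the ssl module confirm key and certificate match."""
    cert_text = Path(certfile).read_text()
    key_text = Path(keyfile).read_text() if keyfile else None
    errors = [m for m in lint_ssl_files(cert_text, key_text) if m.startswith("error")]
    if errors:
        raise ValueError("; ".join(errors))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)  # raises ssl.SSLError on a mismatched pair
    return ctx

# Constructed sample PEM text (placeholder bodies, not real key material).
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
COMBINED = CERT + KEY
```

The label check only reports what each file contains; `load_checked` needs real certificate and key files, since the ssl module does the actual key-to-certificate comparison.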

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2