Support SSL for web services
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Eucalyptus | Invalid | Undecided | chris grzegorczyk | 
eucalyptus (Ubuntu) | Fix Released | Medium | Unassigned | 
Lucid | Won't Fix | Medium | Unassigned | 
Bug Description
The 8443 admin web page has an SSL certificate, but there doesn't seem to be an SSL web services port (or if it is in fact 8443, then that isn't documented).
While you can't replay or forge requests made over port 80 / 8773, you can sniff and observe them, and some organisations and software refuse to do non-SSL web service requests. Landscape, for instance, requires users of UEC to set up a tunnel so that it is not making cleartext requests.
We should ship SSL by default, with a just-in-time self-signed cert, and clear instructions for upgrading to a publicly issued certificate.
chris grzegorczyk (chris-grze) wrote : | #1 |
Changed in eucalyptus: | |
status: | New → Invalid |
assignee: | nobody → chris grzegorczyk (chris-grze) |
Scott Moser (smoser) wrote : | #2 |
Given Chris's response, it seems like this is something we should be doing by default, or at the very least documenting.
Changed in eucalyptus (Ubuntu): | |
importance: | Undecided → Medium |
chris grzegorczyk (chris-grze) wrote : | #3 |
It might be best to convert this (or file separately) into a feature request for configuring the default HTTP SSL policy when generating the eucarc. I'll leave it up to you to decide.
cheers.
chris
Dustin Kirkland (kirkland) wrote : | #4 |
Hmm, from what I read from Chris, this should be fix-released for Lucid, right?
Again, Robert, can you take a gander at Lucid?
chris grzegorczyk (chris-grze) wrote : | #5 |
Sorry, I was unclear. My suggestion was to convert this into a bug
about being able to configure the default endpoint (HTTP vs HTTPS)
which is generated in eucarc. Currently, the eucarc always contains
the HTTP url.
cheers.
chris
On Thu, Feb 11, 2010 at 1:02 PM, Dustin Kirkland
<email address hidden> wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?
>
Robert Collins (lifeless) wrote : | #6 |
On Thu, 2010-02-11 at 21:02 +0000, Dustin Kirkland wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?
If someone can run up a lucid instance over the net I can confirm that
ssl works (or not).
What would be great though is to do it on port 443; which is what
firewalls etc *expect* ssl to be on. Many firewalls block unknown ports,
and look for encrypted data to block etc. (Particularly in corporates,
which is the target for UEC :)).
-Rob
Robert Collins (lifeless) wrote : | #7 |
Oh, further to my comment; doing SSL on the same port as HTTP is
undesirable, unless there is a way to disable HTTP (from outside the
cluster, obviously) - otherwise firewalls cannot be trivially configured
to permit one and block the other.
-Rob
chris grzegorczyk (chris-grze) wrote : | #8 |
The matter of which port the service is running on is (iirc) in the
other bug report which has been triaged/wishlisted upstream:
https:/
thanks.
chris
On Thu, Feb 11, 2010 at 1:56 PM, Robert Collins
<email address hidden> wrote:
> Oh, further to my comment; doing SSL on the same port as HTTP is
> undesirable, unless there is a way to disable HTTP (from outside the
> cluster, obviously) - otherwise firewalls cannot be trivially configured
> to permit one and block the other.
>
> -Rob
>
--
Chris Grzegorczyk
Co-Founder and Engineer
Eucalyptus Systems, Inc.
130 Castilian St. | Goleta, CA | 93117
Office: 805-968-1400 x e^1 | Cell: 805-807-8237
Email: <email address hidden>
www.eucalyptus.com
Dustin Kirkland (kirkland) wrote : | #9 |
We just tested this against Lucid UEC and yes, in fact, you can edit your eucarc and set EC2_URL=https://.... and S3_URL=https://...
The places to change this in the code, if we were to default to creating eucarc with https urls are:
$ grep -n http ./clc/modules/
219: return String.format( "http://
221: return "http://
232: return String.format( "http://
That said, being a bit risk-averse in Lucid right now, I don't think we should make that change for Lucid at this point (due to a complete lack of testing). But we should revisit this with upstream Eucalyptus for 1.7 (Lucid + 1).
Changed in eucalyptus (Ubuntu Lucid): | |
status: | New → Won't Fix |
Changed in eucalyptus (Ubuntu): | |
status: | New → Triaged |
status: | Triaged → Fix Released |
Dustin Kirkland (kirkland) wrote : | #10 |
Marking fix-released, in that this is now supported in Lucid.
If what you want is for us to default eucarc to https, please open a new bug.
chris grzegorczyk (chris-grze) wrote : | #11 |
Eucalyptus' web services (on port 8773) support SSL connections since r1074.1.2 in the 1.6.2 series. You can simply change the URLs in eucarc to use "https://" and the server will detect and negotiate an SSL session.
cheers.
chris
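Two checks implied by this thread, written here as an added example in Python (not Eucalyptus code and not from any of the commenters): one walks an eucarc and reports which `*_URL` endpoints still point at plain `http://`, producing the `https://` form that comment #9 says you can set by hand; the other shows the kind of first-bytes detection a single port such as 8773 has to do to accept both cleartext HTTP and TLS, which is what the last comment describes the server doing. The sample eucarc, its addresses and keys are constructed; the TLS record layout follows RFC 5246; how Eucalyptus itself implements the detection is not on this page and is not claimed here.

```python
"""Added example, not Eucalyptus code.

audit_eucarc():        find *_URL lines that still use http:// and return an
                       https:// version (host, port and path unchanged).
classify_first_bytes(): decide from the first bytes of a connection whether the
                       client sent a TLS ClientHello or a cleartext HTTP request,
                       the decision a port shared by HTTP and HTTPS must make.
"""
import re

# Constructed sample eucarc, modelled on the EC2_URL / S3_URL lines the thread
# mentions. Addresses and keys are made up.
SAMPLE_EUCARC = """\
export EC2_URL=http://192.168.1.10:8773/services/Eucalyptus
export S3_URL=http://192.168.1.10:8773/services/Walrus
export EC2_ACCESS_KEY='AKIAEXAMPLE'
export EC2_SECRET_KEY='secretexample'
"""

# Matches "export NAME_URL=<scheme>://..." lines; other exports are left alone.
_URL_LINE = re.compile(r"^(export\s+(\w+_URL)=)(https?)(://\S+)$", re.MULTILINE)


def audit_eucarc(text):
    """Return (cleartext_vars, rewritten_text).

    cleartext_vars lists the *_URL variables whose scheme is plain http;
    rewritten_text is the same eucarc with those schemes changed to https.
    """
    cleartext = []

    def fix(match):
        prefix, var, scheme, rest = match.groups()
        if scheme == "http":
            cleartext.append(var)
            scheme = "https"
        return prefix + scheme + rest

    return cleartext, _URL_LINE.sub(fix, text)


# Method tokens a cleartext HTTP request can start with.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def classify_first_bytes(data):
    """Classify the first bytes of a connection as 'tls', 'http' or 'unknown'.

    A TLS ClientHello arrives as a record whose content type is 0x16
    (handshake), whose major version byte is 0x03, and whose fragment starts
    with handshake type 0x01 (ClientHello), i.e. bytes 0, 1 and 5 of the
    stream. Anything starting with an HTTP method token is cleartext HTTP.
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


# Constructed first bytes of a TLS 1.2 ClientHello: record header (type 0x16,
# version 3.1, length 0x2a) followed by handshake type 0x01 and its length.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03])
HTTP_REQUEST = b"GET /services/Eucalyptus?Action=DescribeImages HTTP/1.1\r\n"


if __name__ == "__main__":
    still_cleartext, fixed = audit_eucarc(SAMPLE_EUCARC)
    print("cleartext endpoints:", still_cleartext)
    print(fixed)
    for sample in (TLS_CLIENT_HELLO, HTTP_REQUEST, b"\x00\x01"):
        print(sample[:8], "->", classify_first_bytes(sample))
```

Because both protocols share 8773 here, a firewall that only looks at port numbers cannot permit the TLS side and block the cleartext side, which is the point Robert raises in comment #7; a proxy in front of the port would need a classifier like the one above to enforce that policy, and the eucarc audit is the client-side check that no endpoint is still configured for cleartext.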