Re: [New Feature FS] SSL Offload Support for Cloudstack

[Syed Ahmed]

A question about implementation. I was looking at other commands and 
the execute() method for each of the other commands seem to call a 
service ( _lbservice for example ) which takes care of updating the DB 
and calling the resource layer. Should the Certificate management be 
implemented as a service or is there something else that I can use? An 
example would be immensely helpful.

Thanks
-Syed

On Tue 08 Oct 2013 03:22:14 PM EDT, Syed Ahmed wrote:
Thanks for the feedback guys. Really appreciate it.

1) Changing the name to SSL Termination.

I don't have a problem with that. I was looking at Netscaler all the time
and they call it SSL offloading. But I agree that termination is a
more general term.
I have changed the name. The new page is at
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support


2) Specify the protocol type.

Currently the protocol type of a loadbalncer gets set by checking the
source and destination port ( see getNetScalerProtocol() in
NetscalerResouce.java ) . So, we should change that and add another
optional field in the createLoadBalancerRule for protocol.

3) Certificate chain as a seperate parameter.

Again, I was looking at Netscaler as an example but separating the
chain and certificate makes sense. I have updated the document
accordingly.

I was assuming that the certificate parsing/validation would be done
by the device and we would just pass the certficate data as-is. But if
we are adding chains separately, we should have the ability to parse
and combine the chain and certificate for some devices as you mentioned.

Thanks
-Syed


On Tue 08 Oct 2013 02:49:52 PM EDT, Chip Childers wrote:

On Tue, Oct 08, 2013 at 11:41:42AM -0700, Darren Shepherd wrote:

Technicality here, can we call the functionality SSL termination?
While technically we are "offloading" ssl from the VM, offloading
typically carries a connotation that its being done in hardware. So
we are really talking about SSL termination.


+1 - completely agree. There's certainly the possibility of an
*implementation* being true offloading, but I'd generalize to
"termination" to account for a non-hardware offload of the crypto
processing.



Couple comments. I wouldn't want to assume anything about SSL based
on port numbers. So instead specify the protocol (http/https/ssl/tcp)
for the front and back side of the load balancer. Additionally, I'd
prefer the chain not be in the cert. When configuring some backends
you need the cert and chain separate. It would be easier if they were
stored that way. Otherwise you have to do logic of parsing all the
certs in the "keystore" and look for the one that matches the key.


Also +1 to this. Cert chains may be optional, certainly, but should
actually be separate from the actual cert in the configuration. The
implementation may need to combine them into one document, but that's
implementation specific.



Otherwise, awesome feature. I'll tell you, from an impl perspective,
parsing and validating the SSL certs is a pain. I can probably find
some java code to help out here on this as I've done this before in
the past.


Yes, this is a sorely needed feature. I'm happy to see this be added to
the Netscaler plugin, and await a time when HA proxy has a stable
release that includes SSL term.



Darren

On Tue, Oct 8, 2013 at 11:14 AM, Syed Ahmed <sah...@cloudops.com>
wrote:

Hi,

I have been working on adding SSL offload functionality to
cloudstack and
make it work for Netscaler. I have an initial design documented at
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+Support

and I would really love your feedback. The bug for this is
https://issues.apache.org/jira/browse/CLOUDSTACK-4821 .

Thanks,
-Syed