[Bug 520270] Re: Support SSL for web services

2010-03-24 Thread Dustin Kirkland
We just tested this against Lucid UEC and yes, in fact, you can edit
your eucarc and set EC2_URL=https:// and S3_URL=https://...

The places to change this in the code, if we were to default to creating eucarc 
with https urls are:
$ grep -n http ./clc/modules/core/src/main/java/edu/ucsb/eucalyptus/util/EucalyptusProperties.java
219:return String.format( "http://%s:8773/services/Eucalyptus", cloudHost );
221:return "http://127.0.0.1:8773/services/Eucalyptus";
232:return String.format( "http://%s:8773/services/Walrus", walrusHost == null ? "127.0.0.1" : walrusHost );

That said, being a bit risk-averse in Lucid right now, I don't think we
should make that change for Lucid at this point (due to a complete lack
of testing).  But we should revisit this with upstream Eucalyptus for
1.7 (Lucid + 1).

** Also affects: eucalyptus (Ubuntu Lucid)
   Importance: Medium
   Status: New

** Changed in: eucalyptus (Ubuntu Lucid)
   Status: New => Won't Fix

** Changed in: eucalyptus (Ubuntu)
   Status: New => Triaged

** Changed in: eucalyptus (Ubuntu)
   Status: Triaged => Fix Released

-- 
Support SSL for web services
https://bugs.launchpad.net/bugs/520270
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
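
The eucarc change described in the message above, as an added example that is not part of the original thread: a shell check that lists which of EC2_URL and S3_URL still point at http:// and emits a copy with only the scheme changed. The sample eucarc, the address 192.0.2.10 and the function names are constructed for illustration; it assumes the variables are set by plain `export NAME=value` lines and that the endpoint answers HTTPS on the same host, port and path.

```shell
#!/bin/sh
# Added example (not from the thread): audit an eucarc for cleartext API endpoints.
# Assumption: EC2_URL and S3_URL are set with plain "export NAME=value" lines.

# Matches an EC2_URL/S3_URL assignment up to the start of its value.
ENDPOINT_RE="^[[:space:]]*(export[[:space:]]+)?(EC2_URL|S3_URL)=[\"']?"

# Print the names of the endpoint variables that still use http://.
cleartext_endpoints() {
    sed -nE "s#${ENDPOINT_RE}http://.*#\2#p" "$1"
}

# Emit the file with only the scheme of those two variables changed to https;
# host, port and path are left exactly as they were, other lines are untouched.
rewrite_https() {
    sed -E "s#(${ENDPOINT_RE})http://#\1https://#" "$1"
}

# Exit status 0 when no cleartext endpoint remains, 1 otherwise.
audit() {
    [ -z "$(cleartext_endpoints "$1")" ]
}

# Constructed sample eucarc; 192.0.2.10 is a documentation-range placeholder.
sample_eucarc() {
    cat <<'EOF'
# docs: http://example.invalid/eucarc
export S3_URL=http://192.0.2.10:8773/services/Walrus
export EC2_URL=http://192.0.2.10:8773/services/Eucalyptus
export EC2_ACCESS_KEY='CONSTRUCTED-ACCESS-KEY'
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_eucarc > "$tmp"
    echo "cleartext before: $(cleartext_endpoints "$tmp" | tr '\n' ' ')"
    rewrite_https "$tmp" > "$tmp.https"
    if audit "$tmp.https"; then echo "after rewrite: all endpoints use https"; fi
    rm -f "$tmp" "$tmp.https"
}
demo
```

Run `audit` against a real eucarc before sourcing it; the rewritten copy still has to be tested against the cloud, since the client must also accept the server's certificate.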


[Bug 520270] Re: Support SSL for web services

2010-03-24 Thread Dustin Kirkland
Marking fix-released, in that this is now supported in Lucid.

If what you want is for us to default eucarc to https, please open a new
bug.



[Bug 520270] Re: Support SSL for web services

2010-02-11 Thread chris grzegorczyk
It might be best to convert this (or file separately) into a feature
request for configuring the default HTTP SSL policy when generating the
eucarc.  I'll leave it up to you to decide.

cheers.
chris



Re: [Bug 520270] Re: Support SSL for web services

2010-02-11 Thread Dustin Kirkland
Hmm, from what I read from Chris, this should be fix-released for Lucid,
right?

Again, Robert, can you take a gander at Lucid?



Re: [Bug 520270] Re: Support SSL for web services

2010-02-11 Thread chris grzegorczyk
Sorry, I was unclear.  My suggestion was to convert this into a bug
about being able to configure the default endpoint (HTTP vs HTTPS)
which is generated in eucarc.  Currently, the eucarc always contains
the HTTP url.

cheers.
chris

On Thu, Feb 11, 2010 at 1:02 PM, Dustin Kirkland
dustin.kirkl...@gmail.com wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?
>
> --
> Support SSL for web services
> https://bugs.launchpad.net/bugs/520270
> You received this bug notification because you are a bug assignee.
>
> Status in Eucalyptus: Invalid
> Status in “eucalyptus” package in Ubuntu: New
>
> Bug description:
> The 8443 admin web page has an SSL certificate, but there doesn't seem to be
> a SSL web services port (or if it is in fact 8443, then that isn't
> documented).
>
> While you can't replay or forge requests made over port 80 | 8773, you can
> sniff and observe them, and some organisations and software refuse to do
> non-SSL web service requests. Landscape, for instance, requires users of UEC
> to set up a tunnel so that it is not making cleartext requests.
>
> We should ship SSL by default, with a just-in-time self signed cert, and
> clear instructions for upgrading to a publicly issued certificate.






Re: [Bug 520270] Re: Support SSL for web services

2010-02-11 Thread Robert Collins
On Thu, 2010-02-11 at 21:02 +, Dustin Kirkland wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?

If someone can run up a lucid instance over the net I can confirm that
ssl works (or not).

What would be great though is to do it on port 443; which is what
firewalls etc *expect* ssl to be on. Many firewalls block unknown ports,
and look for encrypted data to block etc. (Particularly in corporates,
which is the target for UEC :)).

-Rob



Re: [Bug 520270] Re: Support SSL for web services

2010-02-11 Thread Robert Collins
Oh, further to my comment; doing SSL on the same port as HTTP is
undesirable, unless there is a way to disable HTTP (from outside the
cluster, obviously) - otherwise firewalls cannot be trivially configured
to permit one and block the other.

-Rob



Re: [Bug 520270] Re: Support SSL for web services

2010-02-11 Thread chris grzegorczyk
The matter of which port the service is running on is (iirc) in the
other bug report which has been triaged/wishlisted upstream:
https://bugs.launchpad.net/ubuntu/+source/eucalyptus/+bug/520267

thanks.
chris

On Thu, Feb 11, 2010 at 1:56 PM, Robert Collins
robe...@robertcollins.net wrote:
> Oh, further to my comment; doing SSL on the same port as HTTP is
> undesirable, unless there is a way to disable HTTP (from outside the
> cluster, obviously) - otherwise firewalls cannot be trivially configured
> to permit one and block the other.
>
> -Rob


-- 
Chris Grzegorczyk
Co-Founder and Engineer
Eucalyptus Systems, Inc.

130 Castilian St. | Goleta, CA | 93117
Office: 805-968-1400 x e^1 | Cell: 805-807-8237
Email: g...@eucalyptus.com
www.eucalyptus.com

