Support SSL for web services

Eucalyptus' web services (on port 8773) support SSL connections since r1074.1.2 in the 1.6.2 series. You can simply change the URLs in eucarc to use "https://" and the server will detect and negotiate an SSL session.

cheers.
chris

Given Chris's response, It seems like this is something we should be doing by default. Or at very least documenting.

It might be best to convert this (or file separately) into a feature request for configuring the default HTTP SSL policy when generating the eucarc. I'll leave it up to you to decide.

cheers.
chris

Hmm, from what I read from Chris, this should be fix-released for Lucid, right?

Again, Robert, can you take a gander at Lucid?

Sorry, I was unclear. My suggestion was to convert this into a bug
about being able to configure the default endpoint (HTTP vs HTTPS)
which is generated in eucarc. Currently, the eucarc always contains
the HTTP url.

cheers.
chris

On Thu, Feb 11, 2010 at 1:02 PM, Dustin Kirkland
<email address hidden> wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?
>
> --
> Support SSL for web services
> https://bugs.launchpad.net/bugs/520270
> You received this bug notification because you are a bug assignee.
>
> Status in Eucalyptus: Invalid
> Status in “eucalyptus” package in Ubuntu: New
>
> Bug description:
> The 8443 admin web page has an SSL certificate, but there doesn't seem to be a SSL web services port (or if it is in fact 8443, then that isn't documented).
>
> While you can't replay or forge requests made over port 80 | 8773, you can sniff  and observe them, and some organisations and software refuse to do non-SSL web service requests. Landscape, for instance, requires users of UEC to setup a tunnel so that it is not making cleartext requests.
>
> We should ship SSL by default, with a just-in-time self signed cert, and clear instructions for upgrading to a publically issued certificate.
>
>
>

On Thu, 2010-02-11 at 21:02 +0000, Dustin Kirkland wrote:
> Hmm, from what I read from Chris, this should be fix-released for Lucid,
> right?
>
> Again, Robert, can you take a gander at Lucid?

If someone can run up a lucid instance over the net I can confirm that
ssl works (or not).

What would be great though is to do it on port 443; which is what
firewalls etc *expect* ssl to be on. Many firewalls block unknown ports,
and look for encrypted data to block etc. (Particularly in corporates,
which is the target for UEC :)).

-Rob

Oh, further to my comment; doing SSL on the same port as HTTP is
undesirable, unless there is a way to disable HTTP (from outside the
cluster, obviously) - otherwise firewalls cannot be trivially configured
to permit one and block the other.

-Rob

The matter of which port the service is running on is (iirc) in the
other bug report which has been triaged/wishlisted upstream:
https://bugs.launchpad.net/ubuntu/+source/eucalyptus/+bug/520267

thanks.
chris

On Thu, Feb 11, 2010 at 1:56 PM, Robert Collins
<email address hidden> wrote:
> Oh, further to my comment; doing SSL on the same port as HTTP is
> undesirable, unless there is a way to disable HTTP (from outside the
> cluster, obviously) - otherwise firewalls cannot be trivially configured
> to permit one and block the other.
>
> -Rob
>
> --
> Support SSL for web services
> https://bugs.launchpad.net/bugs/520270
> You received this bug notification because you are a bug assignee.
>
> Status in Eucalyptus: Invalid
> Status in “eucalyptus” package in Ubuntu: New
>
> Bug description:
> The 8443 admin web page has an SSL certificate, but there doesn't seem to be a SSL web services port (or if it is in fact 8443, then that isn't documented).
>
> While you can't replay or forge requests made over port 80 | 8773, you can sniff  and observe them, and some organisations and software refuse to do non-SSL web service requests. Landscape, for instance, requires users of UEC to setup a tunnel so that it is not making cleartext requests.
>
> We should ship SSL by default, with a just-in-time self signed cert, and clear instructions for upgrading to a publically issued certificate.
>
>
>

--
Chris Grzegorczyk
Co-Founder and Engineer
Eucalyptus Systems, Inc.

130 Castilian St. | Goleta, CA | 93117
Office: 805-968-1400 x e^1 | Cell: 805-807-8237
Email: <email address hidden>
www.eucalyptus.com
________________________________________

We just tested this against Lucid UEC and yes, in fact, you can edit your eucarc and set EC2_URL=https://.... and S3_URL=https://...

The places to change this in the code, if we were to default to creating eucarc with https urls are:
$ grep -n http ./clc/modules/core/src/main/java/edu/ucsb/eucalyptus/util/EucalyptusProperties.java
219: return String.format( "http://%s:8773/services/Eucalyptus", cloudHost );
221: return "http://127.0.0.1:8773/services/Eucalyptus";
232: return String.format( "http://%s:8773/services/Walrus", walrusHost == null ? "127.0.0.1" : walrusHost );

That said, being a bit risk-adverse in Lucid right now, I don't think we should make that change for Lucid at this point (due to a complete lack of testing). But we should revisit this with upstream Eucalyptus for 1.7 (Lucid + 1).

Marking fix-released, in that this is now supported in Lucid.

If what you want is for us to default eucarc to https, please open a new bug.