Neutron/LBaaS/SSL
Contents
Description
Terminating SSL connection on the load balancer and encrypting traffic back to the back end nodes, is a capabilities expected from modern load balancers and incorporated into many applications. This capability enables better certificate management and improved application based load balancing (ex: cookie based persistency, L7 Policies, etc.)
Rationale
Giving user the ability to use SSL on LBaaS.
User should be able to apply SSL certificates on LBaaS and configure SSL on vip, front-end and back-end. Certificates chain should be supported for the Front-End certificate. Trusted certificates should be supported for the Back-End certificate.
API change
No API change
Resources change
LBaaS extension's resource attributes map should be extended with new parameters on the vip object:
Database persistent
* front_end_termination Boolean (default=False) Mandatory Visible * protocols List of comma-separated values from a list of allowed values=SSL3, TLS10, TLS11, default=None Mandatory if termination enabled Visible if termination enabled * cipher_suites: List of coma-separated values from allowed values list in format <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function> Mandatory if termination enabled Visible if termination enabled * back_end_encryption Boolean (default=False) Mandatory Visible * back_end_trusted_certs: List of certificates including name and PEM-formated certificate body for each one NOT Mandatory Visible if encryption enabled
Transient (Not stored in DB)
* passphrase (optional, if private key is encrypted) * public_key (PEM Formatted) * private_key (PEM Formatted) * certificate_chain (List of PEM Formatted public keys)
Data model change
Vip database entity should be extended with new columns:
front_end_termination - Boolean protocols - String (64) cipher_suites: String(512) back_end_encryption - Boolean back_end_trusted_keys: String(256)
DB Migration
Vip table should be altered with new columns.
New columns of each existing Vip row should be populated with default values:
front_end_termination - False protocols - None cipher_suites: None back_end_termination - False back_end_trusted_keys: None
Implementation Plan
- Modifying LBaaS Vip resources' attribute map with new parameters
- Modifying LBaaS Vip DB Model with new parameters
- Modifying LBaaS Vip DB Model tests to account new parameters if needed
- Modifying LBaaS HA-Proxy driver to support SSL
- Update HA-Proxy to version 1.5 {TBD}
Support Matrix
Provider | Protocols | Cipher Suites | FE cert. chain | FE client auth. | BE cert. chain | BE trusted keys | BE client cert. | SNI |
---|---|---|---|---|---|---|---|---|
HAProxy 1.5 | Example | As OpenSSL | Yes | Yes | No | No | No | Yes |
Amazon EC2 | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 | As OpenSSL | Yes | No | Yes | Yes | No | No |
OpenStack | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 | As OpenSSL | Yes | Yes | Yes | Yes | Yes | No |