From 7084fa286e4fd52898ce95c860c3a8ebe87db46d Mon Sep 17 00:00:00 2001
From: Stuart McLaren
Date: Tue, 2 Jun 2015 16:47:38 +0000
Subject: [PATCH] Remove custom glance client SSL handling

Deprecate special httplib code paths.

Blueprint: https://blueprints.launchpad.net/python-glanceclient/+spec/remove-custom-client-ssl-handling

Change-Id: I5d192cc8c192b87d1e668041e97de5e0afe25394
---
 .../remove-special-client-ssl-handling.rst | 196 ++++++++++++++++++
 1 file changed, 196 insertions(+)
 create mode 100644 specs/liberty/remove-special-client-ssl-handling.rst

diff --git a/specs/liberty/remove-special-client-ssl-handling.rst b/specs/liberty/remove-special-client-ssl-handling.rst
new file mode 100644
index 00000000..45991770
--- /dev/null
+++ b/specs/liberty/remove-special-client-ssl-handling.rst
@@ -0,0 +1,196 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +================================= +Remove custom client SSL handling +================================= + +https://blueprints.launchpad.net/python-glanceclient/+spec/remove-custom-client-ssl-handling + +The Glance client currently supports disabling SSL compression via +the --no-ssl-compression argument. This spec proposes deprecating this +special handling of SSL. + +Note: This is transport layer compression, not application layer (http) +compression. + + +Problem description +=================== + +Custom SSL handling was introduced because disabling SSL layer compression +provided an approximately five fold performance increase in some +cases. Without SSL layer compression disabled the image transfer would be +CPU bound -- with the CPU performing the DEFLATE algorithm. This would +typically limit image transfers to < 20 MB/s. When --no-ssl-compression +was specified the client would not negotiate any compression algorithm +during the SSL handshake with the server which would remove the CPU +bottleneck and transfers could approach wire speed. + +In order to support '--no-ssl-compression' two totally separate code +paths exist depending on whether this is True or False. When SSL +compression is disabled, rather than using the standard 'requests' +library, we enter some custom code based on pyopenssl and httplib in +order to disable compression. + +This spec proposes removing the custom code because: + +* It is a burden to maintain + + Eg adding new code such as keystone session support is more complicated + +* It can introduce additional failure modes + + We have seen some bugs related to the 'custom' certificate checking + +* Newer Operating Systems disable SSL for us. + + Eg. While Debian 7 defaulted to compression 'on', Debian 8 has compression + 'off'. 
This makes both servers and client less likely to have compression + enabled. + +* Newer combinations of 'requests' and 'python' do this for us + + Requests disables compression when backed by a version of python which + supports it (>= 2.7.9). This makes clients more likely to disable + compression out-of-the-box. + +* It is (in principle) possible to do this on older versions too + + If pyopenssl, ndg-httpsclient and pyasn1 are installed on older + operating system/python combinations, the requests library should + disable SSL compression on the client side. + + +Proposed change +=============== + +Deprecate the '--no-ssl-compression' option. Remove the custom http +handling code and print a warning when '--no-ssl-compression' is +specified. + + +Alternatives +------------ + +* Do not deprecate + +The cost/benefit of not deprecating would mean that custom code paths +would have to be maintained for a small number of corner cases (that +can be addressed by other means). + +* Add dependencies on ndg-httpsclient and pyasn1. + +This is a possibility for legacy installations, but this should not +be needed for the vast majority of cases. + + +Data model impact +----------------- + +None + + +REST API impact +--------------- + +None + + +Security impact +--------------- + +Certificate checking will no longer be done by custom glance client code, +but by the 'requests' library. I verified that for older python installs +(2.7) certificate checking is performed correctly by the requests library. + +Systems that have SSL compression enabled may be vulnerable to the CRIME +(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929) attack. +Installations which are security conscious should be running the Glance +server with SSL disabled. + + +Notifications impact +-------------------- + +None + + +Other end user impact +--------------------- + +SSL potentially not being disabled. +A new deprecation warning. 
+ + +Performance Impact +------------------ + +If SSL is not disabled user's will experience a performance hit -- until +they use one of the alternative methods to disable it. + + +Other deployer impact +--------------------- + +Deprecation warnings. +Will need to use an alternative method to disable SSL if appropriate. + + +Developer impact +---------------- + +Should simplify things. + + +Implementation +============== + +Assignee(s) +----------- + +Stuart McLaren + + +Reviewers +--------- + +Ian Cordasco + + +Work Items +---------- + +* Client change +* (small) nova/cinder changes + +Dependencies +============ + +None + + +Testing +======= + +There is limited https testing in the gate by default. +Some manual functional testing will be done, and devstack will be +spun up with https enabled. + + +Documentation Impact +==================== + +The cli help will be updated. Any relevant .rst docs will be updated also. + + +References +========== + +Previous effort: + +https://review.openstack.org/#/c/23424 +
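Review bot: In the Security impact section, "Installations which are security conscious should be running the Glance server with SSL disabled" drops the word "compression" and reads as advice to turn SSL off altogether; it should say "with SSL compression disabled". The same slip appears in the Problem description bullet "Newer Operating Systems disable SSL for us", in Other end user impact ("SSL potentially not being disabled"), in Performance Impact ("If SSL is not disabled user's will experience", which also needs "users") and in Other deployer impact ("disable SSL if appropriate"). The spec states that systems with SSL compression enabled may be vulnerable to CRIME, and that on Python older than 2.7.9 requests only disables compression when pyopenssl, ndg-httpsclient and pyasn1 are installed, so the Security impact section should also say explicitly that such clients may negotiate compression once '--no-ssl-compression' only prints a warning, and that disabling compression on the server side covers them. The sentence "I verified that for older python installs (2.7) certificate checking is performed correctly by the requests library" would be easier to rely on if it named the requests version and the failure cases that were checked.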