TLS Terminated Etcd (If you use etcd this affects you)
Casey Marshall
casey.marshall at canonical.com
Wed Jun 15 09:08:54 UTC 2016
On Wed, Jun 15, 2016 at 11:52 AM, Jay Wren <jay.wren at canonical.com> wrote:
> On Tue, Jun 14, 2016 at 5:50 PM, Charles Butler <
> charles.butler at canonical.com> wrote:
>
>> - There is currently no way to disable TLS wrapped endpoints on Etcd (we
>> want to keep our coordination data secure, don't we?)
>>
>>
> For our use case, we consider the overhead of establishing a new TLS
> connection for every read or write to be heavier weight than we wish for
> our etcd clients. We trust the network on which we run and we aren't
> getting and setting any sensitive data.
>
> I value speed. I would continue to use a previous version of the charm.
>
Etcd really doesn't handle a high volume of writes anyway though. The
overhead of a TLS handshake can be minimal; it just depends on the
algorithm & key lengths used. This should be configurable in the layer, I
think. EC and 2048-bit RSA have reasonable handshake times. 4096-bit RSA
for TLS server keys is really slow though; I've seen handshakes on the
order of seconds when benchmarking.
> --
> Jay