Implement TLS mutual authentication to improve security

Registered by Adam Heczko

Currently, Fuel implements only basic authentication for access to its API endpoints: a client must supply an appropriate username and password.
Since the Python OpenStack clients implement TLS mutual authentication, it is highly desirable to add an additional layer of security and require both communication endpoints to authenticate each other.

Note that this greatly improves OpenStack security and partially implements the 'multi-factor' requirement, as it makes it possible to require a username and password along with a TLS certificate to successfully connect to an API endpoint.

TLS mutual authentication also reduces the potential impact of DoS attacks, since all connections that do not supply an appropriate TLS certificate are dropped immediately by HAProxy.
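
A sketch of what the HAProxy side of this proposal could look like, showing a server-only TLS frontend beside one that requires client certificates. This is an added example, not configuration from Fuel or from this blueprint; the frontend and backend names, ports, file paths and the X-SSL-Client-DN header name are assumptions.

```haproxy
# Added illustration; all names, ports and paths are assumed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Before: server-side TLS only. Any client can complete the handshake,
# so username/password is the only thing protecting the API.
frontend api_tls_only
    bind :8443 ssl crt /etc/haproxy/certs/api.pem
    default_backend api

# After: mutual TLS.
#   ca-file         CA that signs the accepted client certificates
#   crl-file        revocation list, so a leaked client cert can be withdrawn
#   verify required the handshake fails unless the client presents a
#                   certificate that chains to ca-file and is not revoked,
#                   so unauthenticated peers never reach the HTTP layer
frontend api_mtls
    bind :8444 ssl crt /etc/haproxy/certs/api.pem ca-file /etc/haproxy/certs/client-ca.pem crl-file /etc/haproxy/certs/client-ca.crl verify required
    # set-header replaces any value the client sent itself, so the backend
    # only ever sees the subject DN taken from the verified certificate.
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    default_backend api

backend api
    # The API still performs its own username/password check; the
    # certificate is an additional factor, not a replacement.
    server api1 127.0.0.1:8000
```

The backend must accept traffic only from HAProxy, otherwise a client that reaches it directly could supply the forwarded header itself.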

References:
http://blog.haproxy.com/2012/10/03/ssl-client-certificate-management-at-application-level/
http://security.stackexchange.com/questions/79714/haproxy-with-client-certificate-authentication-signed-by-common-ca
https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html
http://www.cafesoft.com/products/cams/ps/docs32/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Adam Heczko
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
