The required feature described as a wish
For internal traffic, it is common practice that HTTPS/TLS is used, but:
- the TLS certificates are often self-signed, or issued by an internal CA (not a public one like Let’s Encrypt).
- Sometimes services just use the server’s IP address instead of a DNS name.
Disabling SSL certificate and hostname verification increases compatibility, allowing CloudStack to interoperate with a wide range of hypervisors, networking equipment, and storage devices. This behavior is intentional, to ensure broader support across diverse environments. For example:
- Connect to VMware vCenter
- Connect to XenServer
- Connect to some external storage or network devices
We could provide more flexibility and also stronger security, including but not limited to:
- Allow users to bring their own SSL certificates (e.g. an internal CA bundle)
- Support host name (DNS) instead of host IP in SSL communication
- Add an option to enforce SSL certificate verification
- Add an option to enforce hostname verification
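As an added illustration (not CloudStack code), the following shows how these options map onto a TLS client context in Python: a bring-your-own CA bundle, a certificate-verification switch, a hostname-verification switch, and the name check that makes an IP-address endpoint work only when the certificate carries a matching IP SAN. The function names, the option names and the sample certificate dict are assumptions made for this example.

```python
import ssl
from ipaddress import ip_address
from typing import Optional


def build_client_context(ca_bundle: Optional[str], verify_cert: bool,
                         verify_hostname: bool) -> ssl.SSLContext:
    """Map the proposed options onto an SSLContext (hypothetical option names).

    ca_bundle: PEM file of the internal CA ("bring your own certificate");
               None falls back to the system trust store.
    """
    if verify_hostname and not verify_cert:
        # A hostname check is meaningless if the certificate itself is untrusted.
        raise ValueError("hostname verification requires certificate verification")
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify_cert:
        # Today's permissive behaviour: accept any certificate. check_hostname
        # must be cleared first; Python refuses CERT_NONE while it is enabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must lead to the CA bundle
    ctx.check_hostname = verify_hostname  # cert name must match the endpoint
    return ctx


def context_policy(ctx: ssl.SSLContext) -> tuple:
    """Return (verifies_certificate, verifies_hostname) for inspection."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)


def endpoint_matches_cert(endpoint: str, cert: dict) -> bool:
    """Name check applied when hostname verification is enforced.

    `cert` has the shape returned by SSLSocket.getpeercert(). An IP endpoint
    matches only an "IP Address" SAN; a DNS name matches only a "DNS" SAN
    (one leftmost wildcard label allowed). The subject CN is never consulted,
    so a cert with the IP only in its CN fails when connecting by IP.
    """
    sans = cert.get("subjectAltName", ())
    try:
        target = ip_address(endpoint)
    except ValueError:
        target = None
    if target is not None:
        return any(kind == "IP Address" and ip_address(val) == target
                   for kind, val in sans)
    host = endpoint.lower().rstrip(".")
    for kind, val in sans:
        if kind != "DNS":
            continue
        pattern = val.lower()
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


# Constructed sample certificate for an internal vCenter, as getpeercert() would return it.
INTERNAL_VCENTER_CERT = {
    "subject": ((("commonName", "vcenter.corp.example"),),),
    "subjectAltName": (("DNS", "vcenter.corp.example"),
                       ("DNS", "*.lab.corp.example"),
                       ("IP Address", "10.0.0.5")),
}
```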