One of the issues that’s coming up more and more lately is wanting to use the Provider’s hostname to build connections instead of the IP address.
Why is this important? Specifically for OpenStack (but, I suspect over time, this is going to affect all providers), there’s a strong desire to secure the AMQP server communication with SSL. It’s standard practice to build SSL certificates with hostnames as the CN instead of the IP address. However, if the SSL cert is built with the hostname, and we connect to the Provider using the IP address, the SSL cert is rejected because the URL and the CN don’t match. Apparently, the name matching is done before DNS resolution.
In addition to just AMQP over SSL, several people have asked about the general OpenStack API over SSL. This would also be impacted by our requirement to connect via IP address.
So, I’d like this to serve as the one place I can point people who ask: Why can’t I do this?
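The mismatch described above, reproduced offline as an added example (not part of the original post): Ruby's standard `openssl` library checks two throwaway self-signed certificates against a hostname and an IP address. The hostname `openstack.example.com`, the address `192.0.2.10` and the helper names are constructed for illustration; the second certificate, which also lists the IP as a subjectAltName entry, goes beyond what the post describes.

```ruby
require "openssl"

# Constructed sample values, not taken from any real provider.
HOST = "openstack.example.com"
IP   = "192.0.2.10"

# Build a throwaway self-signed certificate with the given CN and
# subjectAltName string (hypothetical helper for this example).
def make_cert(common_name, san)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check a TLS client runs after the chain validates: does the
# name we dialed appear in the certificate? No DNS lookup is involved, so
# an IP that resolves from the hostname still does not match.
def identity_ok?(cert, target)
  OpenSSL::SSL.verify_certificate_identity(cert, target)
end

# Certificate issued the usual way: hostname only.
HOST_ONLY = make_cert(HOST, "DNS:#{HOST}")
# Certificate that additionally lists the IP as a SAN entry.
HOST_AND_IP = make_cert(HOST, "DNS:#{HOST},IP:#{IP}")

[[HOST_ONLY, "hostname-only cert"], [HOST_AND_IP, "hostname+IP cert"]].each do |cert, label|
  [HOST, IP].each do |target|
    puts format("%-20s connect to %-24s => %s", label, target,
                identity_ok?(cert, target) ? "accepted" : "rejected")
  end
end
```
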