varnish with ssl

Poul-Henning Kamp phk at phk.freebsd.dk
Wed Apr 7 23:07:41 CEST 2010


In message <t2id002c4031004071101s8bc80aaeg5665316830381e6d at mail.gmail.com>, Mi
chael Fischer writes:

>What's the incompatibility with OpenSSL?

I have two main reservations about SSL in Varnish:

1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000,
   Adding such a massive amount of code to Varnish footprint, should
   result in a very tangible benefit.

   Compared to running a SSL proxy in front of Varnish, I can see
   very, very little benefit from integration.  Yeah, one process
   less and only one set of config parameters.

   But that all sounds like "second systems syndrome" thinking to me,
   it does not really sound lige a genuine "The world would become
   a better place" feature request.

   But I do see some some serious drawbacks:  The necessary changes
   to Varnish internal logic will almost certainly hurt varnish 
   performance for the plain HTTP case.  We need to add an inordinate
   about of overhead code, to configure and deal with the key/cert
   bits.

2. I have looked at the OpenSSL source code, I think it is a catastrophe
   waiting to happen.  In fact, the only thing that prevents attackers
   from exploiting problems more actively, is that the source code is
   fundamentally unreadable and impenetrable.

Unless those two issues can be addressed, I don't see SSL in Varnish
any time soon.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.




More information about the varnish-misc mailing list