varnish with ssl

Michael Fischer michael at dynamine.net
Wed Apr 7 23:20:17 CEST 2010


On Wed, Apr 7, 2010 at 2:07 PM, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
> In message <t2id002c4031004071101s8bc80aaeg5665316830381e6d at mail.gmail.com>, Michael Fischer writes:
>
>>What's the incompatibility with OpenSSL?
>
> I have two main reservations about SSL in Varnish:
>
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000.
>   Adding such a massive amount of code to Varnish's footprint should
>   result in a very tangible benefit.

RAM is cheap.  Besides, as a shared library the cost is amortized
among all processes using it.
>
>   Compared to running a SSL proxy in front of Varnish, I can see
>   very, very little benefit from integration.  Yeah, one process
>   less and only one set of config parameters.
>
>   But that all sounds like "second systems syndrome" thinking to me,
>   it does not really sound like a genuine "The world would become
>   a better place" feature request.

Well, there are a couple of benefits:

(1) stunnel doesn't scale particularly well, and can't scale across
multiple CPUs in any event;
(2) As someone else pointed out, Varnish can only do effective logging
of and access control pertaining to the peer IP if the SSL negotiation
is done in-process.  stunnel won't spoof the peer IP for Varnish (and
arguably no secure kernel should allow it to).

>   But I do see some serious drawbacks:  The necessary changes
>   to Varnish internal logic will almost certainly hurt Varnish
>   performance for the plain HTTP case.  We need to add an inordinate
>   amount of overhead code to configure and deal with the key/cert
>   bits.

I defer to your judgment on that issue.

> 2. I have looked at the OpenSSL source code; I think it is a catastrophe
>   waiting to happen.  In fact, the only thing that prevents attackers
>   from exploiting problems more actively is that the source code is
>   fundamentally unreadable and impenetrable.

Is GNU TLS any better? I've not used it.

--Michael
