varnish with ssl

Gerhard Schmidt schmidt at ze.tum.de
Thu Apr 15 13:41:27 CEST 2010


Poul-Henning Kamp schrieb:
> In message <t2id002c4031004071101s8bc80aaeg5665316830381e6d at mail.gmail.com>, Michael Fischer writes:
> 
>> What's the incompatibility with OpenSSL?
> 
> I have two main reservations about SSL in Varnish:
> 
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000.
>    Adding such a massive amount of code to the Varnish footprint should
>    result in a very tangible benefit.
> 
>    Compared to running a SSL proxy in front of Varnish, I can see
>    very, very little benefit from integration.  Yeah, one process
>    less and only one set of config parameters.
> 
>    But that all sounds like "second systems syndrome" thinking to me,
>    it does not really sound like a genuine "The world would become
>    a better place" feature request.
> 
>    But I do see some serious drawbacks:  The necessary changes
>    to Varnish internal logic will almost certainly hurt Varnish
>    performance for the plain HTTP case.  We need to add an inordinate
>    amount of overhead code to configure and deal with the key/cert
>    bits.
> 
> 2. I have looked at the OpenSSL source code, I think it is a catastrophe
>    waiting to happen.  In fact, the only thing that prevents attackers
>    from exploiting problems more actively, is that the source code is
>    fundamentally unreadable and impenetrable.
> 
> Unless those two issues can be addressed, I don't see SSL in Varnish
> any time soon.
> 
I don't see your problem with that.

1. You should not include OpenSSL in Varnish. Varnish should use OpenSSL.
2. There are other SSL libraries; maybe others are better suited.
3. It should be off by default and enabled when needed. So it's the decision of the
admin whether he uses SSL, and his risk.

But I really think https is a major show stopper for the use of Varnish.

Regards
   Estartu

-- 
-------------------------------------------------
Gerhard Schmidt       | E-Mail: schmidt at ze.tum.de
TU-München	      |
WWW & Online Services |
Tel: 089/289-25270    |
Fax: 089/289-25257    | PGP-Publickey auf Anfrage

