varnish with ssl
schmidt at ze.tum.de
Thu Apr 15 13:41:27 CEST 2010
Poul-Henning Kamp schrieb:
> In message <t2id002c4031004071101s8bc80aaeg5665316830381e6d at mail.gmail.com>, Mi
> chael Fischer writes:
>> What's the incompatibility with OpenSSL?
> I have two main reservations about SSL in Varnish:
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000,
> Adding such a massive amount of code to Varnish footprint, should
> result in a very tangible benefit.
> Compared to running a SSL proxy in front of Varnish, I can see
> very, very little benefit from integration. Yeah, one process
> less and only one set of config parameters.
> But that all sounds like "second systems syndrome" thinking to me,
> it does not really sound lige a genuine "The world would become
> a better place" feature request.
> But I do see some some serious drawbacks: The necessary changes
> to Varnish internal logic will almost certainly hurt varnish
> performance for the plain HTTP case. We need to add an inordinate
> about of overhead code, to configure and deal with the key/cert
> 2. I have looked at the OpenSSL source code, I think it is a catastrophe
> waiting to happen. In fact, the only thing that prevents attackers
> from exploiting problems more actively, is that the source code is
> fundamentally unreadable and impenetrable.
> Unless those two issues can be addressed, I don't see SSL in Varnish
> any time soon.
I don't see your Problem with that.
1. You should not include OpenSSL in varnish. Varnish should use OpenSSL.
2. There are other SSL Libraries maybe other are better suited.
3. I should be off by default and enabled by need. So it's the decision of the
Admin if he uses SSL and his risk.
But I really think https is a major show stopper for the use of Varnish.
Gerhard Schmidt | E-Mail: schmidt at ze.tum.de
WWW & Online Services |
Tel: 089/289-25270 |
Fax: 089/289-25257 | PGP-Publickey auf Anfrage
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 543 bytes
Desc: OpenPGP digital signature
More information about the varnish-misc