Re: https servers acceleration

From: Q <q@dont-contact.us>
Date: Fri, 30 Oct 1998 11:45:23 +1000 (EST)

On Thu, 29 Oct 1998, Alvin Starr wrote:

> > You can't. SSL is designed to prevent "man in the middle" intervention.
> > SSL requires that a session key exchange occur before the request can be
> > made. Using SSL also adds an overhead to transmission time due to the need
> > for de/encrypting the communication. Even if it were possible, you would
> > probably notice very little improvement in performance.
> >
> > The best way to improve performance is to only put the form/data that
> > needs to be encrypted on the secured site (and any accompanying cgi
> > actions). The rest of the site can go on regular accelerated server.
>
> one possible solution(this is a bit of blue sky thinking here) would be
> to have a front end that would handle the SSL link and then have squid
> handle the un-encrypted requests. Another possibility would be to graft
> the apache SSL code into squid. Neither of these 2 choices are easy to
> implement and would require some coding effort.

Actually adding ssl connection support to squid probably wouldn't be that
hard. SSLeay contains virtually everything you would need and supports the
use of non-blocking I/O. But it gets a bit ugly because squid has to have
the signed certificate and the private key (and associated pass phrase) of
the accelerated web server/s in a format that it understands (SSLeay PEM
format), which means those people with Netscape or Microsoft certificates
have to mess around with converting them (which is possible to a point I
believe).

I can think of one really good reason to do this however. People who don't
have access to full strength (128bit) versions of SSL web servers, or have
web servers that don't handle SSL well, could use Squid to provide a
128bit SSL frontend. If the connection between squid and the accelerated
web server is considered secure (same machine/switch, etc.) then there is
no need for the web server being accelerated to even run SSL. Squid could
even be used as an entry point to a farm of transaction processing
machines without having the key regeneration issues associated with using
multiple servers.

Seeya...Q

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Quinton Dolan - q@fan.net.au
Systems Administrator
Fast Access Network
Gold Coast, QLD, Australia
Ph: +61 7 5574 1050
SAGE-AU Member
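As an added illustration of the SSL-terminating accelerator Q sketches above (not configuration from this thread, and not something Squid could do when the mail was written): the same arrangement expressed in modern Squid configuration syntax. It assumes a Squid 4.x or later build with TLS support; the hostname, certificate and key paths, and backend addresses are placeholders rather than values from the thread.

```squid
# Added example in modern Squid (4.x+) syntax; hostname, paths and
# addresses are placeholders, not values from the thread.

# Squid holds the site's signed certificate and private key (PEM format)
# and terminates TLS itself, taking the "front end" role discussed above.
https_port 443 accel defaultsite=www.example.com tls-cert=/etc/squid/certs/www.example.com.crt tls-key=/etc/squid/certs/www.example.com.key

# The accelerated origin servers speak plain HTTP. Requests are spread
# round-robin over the farm, so several machines share one certificate and
# one key instead of each needing its own.
cache_peer 10.0.0.11 parent 80 0 no-query originserver round-robin name=app1
cache_peer 10.0.0.12 parent 80 0 no-query originserver round-robin name=app2

# Accept only requests for our own site, and send them only to the origin
# peers; never let Squid fetch from the public Internet for this port.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access app1 allow our_site
cache_peer_access app2 allow our_site
never_direct allow all
```

The hop from Squid to the origin servers carries the decrypted request and response, so the confidentiality of the whole setup rests on the assumption Q states: that link has to be the same machine or an isolated switch segment. The private key file should be readable only by the user Squid runs as.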
Received on Thu Oct 29 1998 - 18:30:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:51 MST