I have a situation where the data is public, yet I want to protect the user logins/accounts/sessions and their update/delete privileges.

My choices are:

1) Not encrypt anything for highest performance. Problem is passwords are sent in plain text.
2) Force the client to use *lowest possible encryption* for the highest possible performance.
3) Some bastardized solution which does login with SSL and redirects or rewrites subsequent URLs as non-SSL. Problem is the warning message that Netscape pops up.

A) What are the mod_ssl settings that *force* the lowest level/highest performance encryption? My poor guess:

    SSLCipherSuite ALL:!ADH:RC4+RSA:-HIGH:-MEDIUM:+LOW:+SSLv2:+EXP

B) Does anyone have any tests/rough idea/experience what kind of additional load SSL adds to an http request compared to non-SSL? i.e. 'on machine X http handled 100 concurrent connections while https could only handle 50 connections'.

Platform: RH 6.0, latest US mod_ssl (rsa) and apache 1.3.9. I am not using web server authentication (login); my app handles it and uses cookies.

Thanks,
Joe Junkin
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
