Quoting [EMAIL PROTECTED]:
> The answer to your questions depends very much on what you wish to protect.
> If you are only interested in protecting the user's login details, then you
> could use SSL for just that (Yahoo! mail does something like this when you
> request "secure" login). Obviously, if you want to protect all data, you'll
> be using SSL throughout. The exact method you use for login doesn't really
> matter, since everything transmitted over SSL should be secure.
>
> You are indeed correct that the initial key exchange, otherwise known as the
> SSL session setup, takes a lot of processing. However, because Internet
> Explorer (known privately to most people on this list as
> aaaaaaaaaaaeeeeeeeeeeeeeeeeee!) doesn't handle keep-alives over SSL
> properly, it is necessary to force the browser to renegotiate for every
> document or image that uses SSL. I have SSL logs full of IE renegotiates,
> and often have a server that is running slowly. So if your site has a lot of
> SSL traffic and you are allowing IE users to connect, you have a couple of
> options.
>
> 1. Get Microsoft to fix IE to work properly with SSL. My guess is that
> they'll have to fix IIS as well.
> 2. Invest in some kind of SSL acceleration. There are some details about
> this at http://www.kegel.com/ssl/. I would personally like to try out the
> Rainbow Cryptoswift card. If I ever do I'll be keeping this list informed of
> my success or failure with it.
>
> I think you'll have more success with the second one though!
Thanks very much John for your useful advice. What I'm going to do is spend
ages playing with httperf, although I think we'll end up going with a hardware
accelerator. I am very grateful for your warning about IE - I think that
wouldn't have occurred to me until after the real performance was much worse than
my testing performance, which would have caused a lot of problems for me.
I think we'll probably end up with a hardware accelerator, although I have a lot
of httperf tests to make first.
Thanks once again,
Bill.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
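
The IE keep-alive workaround and the handshake cost discussed in this thread, as an added mod_ssl configuration example that is not part of either message. It limits the no-keep-alive behaviour to Internet Explorer and enables a server-side session cache so that reconnecting clients can resume a session rather than repeat the full key exchange. The cache path, timeout and certificate paths are assumed values.

```apache
# Added example, not from the thread. All paths and the timeout are assumed.

# Server-wide SSL session cache: a client that opens a new connection can
# resume its earlier session with an abbreviated handshake, which skips the
# expensive private-key operation of a full SSL session setup.
SSLSessionCache         dbm:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Internet Explorer only: turn off keep-alive over SSL and tolerate its
    # connection shutdown behaviour. Matching on the User-Agent leaves
    # persistent connections enabled for every other browser, so only IE
    # clients pay for a new connection per document or image.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
```

Load tests should include clients that open a new connection for every request, so the measured handshake load reflects the IE share of traffic.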