> So... what are you trying to say?
> This slightly improved security is not worth the setup hassle?
> 
> So why do YOU run it this way? ;)

First of all, it isn't necessary to use the SSL_EXPERIMENTAL code to get
this to work. 

Secondly, we do things this way because of our network topology. We have a
few real IP addresses, and our own internal addressing system. So this
method allows public access to internal addresses without giving direct
access to them. Additionally, we don't have to resort to external name-based
hosts (although we do use them internally). This would exclude anyone with a
non-HTTP/1.1-compliant browser, and we don't wish to exclude anyone.

I would say that this is a lot more than "slightly" improved security, and
yes, it is definitely worth the hassle. IMHO this is probably one of the
better options.

No-one can guarantee absolute security other than disconnecting completely
from the Internet, because someone somewhere could potentially find a way
into one of your systems. 

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
