Re: SSL best option for new deployments

2011-12-13 Thread Vincent Bernat
OoO As night had already covered this Tuesday, December 13, 2011 in ink, around 23:20, "Brane F. Gračnar" said: > It also uses much less memory than stunnel (openssl >= 1.x.x). stunnel has also enabled the SSL_MOD_RELEASE_BUFFERS on recent versions (since 4.45). I think this would amend

Re: SSL best option for new deployments

2011-12-13 Thread Vincent Bernat
OoO As night had already covered this Tuesday, December 13, 2011 in ink, around 23:43, "John Lauro" said: > Found this with google comparing the two (only a few months old): > http://vincent.bernat.im/en/blog/2011-ssl-benchmark.html > In summary, performance appears to be close as long as

Re: SSL best option for new deployments

2011-12-13 Thread Baptiste
"Brane F. Gračnar" [mailto:brane.grac...@tsmedia.si] >> Sent: Tuesday, December 13, 2011 5:21 PM >> To: David Prothero >> Cc: John Lauro; haproxy@formilux.org >> Subject: Re: SSL best option for new deployments >> >> On 12/13/2011 10:43 PM, David Prothero wrote:

RE: SSL best option for new deployments

2011-12-13 Thread John Lauro
, newer version of stunnel probably perform better. > -Original Message- > From: "Brane F. Gračnar" [mailto:brane.grac...@tsmedia.si] > Sent: Tuesday, December 13, 2011 5:21 PM > To: David Prothero > Cc: John Lauro; haproxy@formilux.org > Subject: Re: SSL bes

Re: SSL best option for new deployments

2011-12-13 Thread Brane F. Gračnar
On 12/13/2011 10:43 PM, David Prothero wrote: > I've been using stunnel with the X-Forwarded-For patch. Is stud preferable to > stunnel for some reason? Stunnel usually uses thread-per-connection architecture - as you probably know this programming model has serious scaling issues. Stud is single

RE: SSL best option for new deployments

2011-12-13 Thread David Prothero
ubject: Re: SSL best option for new deployments On 12/13/2011 09:02 PM, John Lauro wrote: > Been using haproxy for some time… but have not used it with SSL yet. > > I do need to preserve the IP address of the original client. So > either transparent (is that possible when going thro

Re: SSL best option for new deployments

2011-12-13 Thread Brane F. Gračnar
On 12/13/2011 09:02 PM, John Lauro wrote: > Been using haproxy for some time… but have not used it with SSL yet. > > I do need to preserve the IP address of the original client. So either > transparent (is that possible when going through stunnel or other and > haproxy on the same box), or X-For

SSL best option for new deployments

2011-12-13 Thread John Lauro
Been using haproxy for some time… but have not used it with SSL yet. What is the best option to implement SSL? There seem to be several options, some requiring 1.5 (which isn't exactly ideal as 1.5 isn't considered stable yet). I do need to route based on the incoming request, so decode