Marc Bodenmüller wrote:
> we do have some kind of 'ApplicationServer' that runs on Solaris and does
> not support ssl on its own and are planning to add a kssl proxy in front of
> it to make it handle SSL traffic.
>
> Now this ApplicationServer itself also makes calls to the outside, especially
> LDAP. We need to support LDAPS (against ActiveDirectory) therefore using the
> same proxy approach with kssl would save us some risky development effort.
>
> So can kssl be used to encrypt outbound traffic just like it can be used for
> inbound traffic?

I assume you are asking if KSSL can act as an SSL client. If so, the answer
is no. Typically, SSL client side does not benefit much from better SSL/crypto
performance as there is a single long-living SSL session and the packets are
small in size. Hence it was not a priority for KSSL. Please file an RFE if you
would like to see this functionality in KSSL.

> This is possible with tunneling solutions like stunnel. However we would
> like to avoid the installation of additional software if it works without as
> well. KSSL especially looks more promising than other solutions because it
> does support Sun's crypto-hardware.
>

Yes. Note also that even without any crypto hardware, KSSL shows better
performance (compared to an SSL server that uses a user level SSL library)
since we reduce the number of user to kernel (and kernel to user) trips.

Regards,
-Krishna
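
The stunnel alternative mentioned in the thread, sketched as an added example (not part of either message and not from the KSSL project): a client-mode service that accepts plain LDAP on loopback and forwards it as LDAPS, with certificate verification turned on. The host name, port 1389, file paths and service name are assumptions, and `verifyChain`/`checkHost` require stunnel 5.15 or later.

```ini
; stunnel.conf -- constructed example; adjust names and paths to the site
; Run unprivileged: the local listener is on a port above 1024.
setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel.pid

[ldaps-out]
; Act as the SSL/TLS client (the role KSSL does not provide).
client = yes

; Plain LDAP from the application server, reachable from this host only.
accept = 127.0.0.1:1389

; Active Directory domain controller, LDAPS port (hypothetical host name).
connect = dc1.example.com:636

; Without these three lines the tunnel encrypts but does not authenticate
; the peer, so anything that can intercept the connection can read or
; alter the LDAP binds.
CAfile = /etc/stunnel/ad-issuing-ca.pem
verifyChain = yes
checkHost = dc1.example.com
```

The application is then pointed at `ldap://127.0.0.1:1389`; the loopback-only `accept` address keeps the cleartext leg off the network.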