On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion <champio...@gmail.com> wrote:

> On 12/07/2015 05:06 PM, William A Rowe Jr wrote:
>
>> On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <r...@lanl.gov
>> <mailto:r...@lanl.gov>> wrote:
>>
>>     Hello,
>>
>>     I am building a storage system, using HTTP/HTTPS for ingesting data.
>>
>>     I would like to use the authentication over HTTPS, while after that
>>     I want no encryption on the data because of performance.
>>
>>
>> Then you probably don't understand the performance impact of TLS.
>>
>
> To help Ron out a little... he's coming from this conversation [1] on the
> openssl-users mailing list, where he's described his rather unusual network
> topology already.
>
> I'm still unsure as to whether or not his proposed solution is secure...
> but I am convinced that his use case is atypical.


It should be straightforward to patch mod_ssl to accept null ciphers, for
such an unusual use case, but it isn't something we would likely accept in
the ASF distribution for the reasons I outlined.


> Otherwise,
>> any man-in-the-middle can observe the data in transit and alter
>> the data passed between your client and backend storage server
>>
>
> Wait, why does the use of NULL encryption have any effect on the
> authenticity/integrity characteristics of the cipher? I asserted otherwise
> on openssl-users and was not corrected...
>

I didn't suggest that it would.  Everything *after* that handshake, in
cleartext, is open for inspection or for manipulation by every link in
between the user agent and server.


> --Jacob
>
> [1] https://marc.info/?t=144900982700003&r=1&w=2
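A defender-side check related to the remark above about patching mod_ssl to accept null ciphers, added here as an example and not code from the thread or from httpd itself: a small Python audit that flags SSLCipherSuite directives whose OpenSSL cipher string would leave NULL-encryption suites enabled. The httpd.conf text is constructed, and the cipher-string handling is an approximation of the `!`, `-` and `+` operators described in ciphers(1), where ALL and DEFAULT already exclude eNULL and COMPLEMENTOFALL is the eNULL set.

```python
import re

# Keyword aliases that add NULL-encryption suites when used positively.
NULL_KEYWORDS = {"eNULL", "NULL", "COMPLEMENTOFALL"}


def _is_null_token(tok):
    # A keyword alias, or a concrete suite name such as NULL-SHA256 / ECDHE-RSA-NULL-SHA.
    # (aNULL, i.e. no authentication, is a different problem and is not matched here.)
    return tok in NULL_KEYWORDS or re.search(r"(^|-)NULL(-|$)", tok) is not None


def cipher_string_permits_null(spec):
    """True if an OpenSSL cipher string can leave NULL-encryption suites enabled.

    Approximate ciphers(1) semantics: '!' deletes permanently, '-' deletes but a
    later positive token may re-add, '+' only reorders, '@...' are directives.
    """
    enabled = False
    killed = False
    for raw in re.split(r"[:, ]+", spec.strip()):
        if not raw or raw.startswith("@") or raw.startswith("+"):
            continue
        if raw.startswith("!"):
            if _is_null_token(raw[1:]):
                killed, enabled = True, False
        elif raw.startswith("-"):
            if _is_null_token(raw[1:]):
                enabled = False
        elif not killed and any(_is_null_token(p) for p in raw.split("+")):
            enabled = True  # e.g. 'eNULL' or 'eNULL+SHA256' adds null suites
    return enabled


# Apache 2.4.36+ form: SSLCipherSuite [SSL|TLSv1.3] cipher-spec (TLS 1.3 suites have no NULL cipher).
DIRECTIVE = re.compile(r'^\s*SSLCipherSuite\s+(?:(TLSv1\.3|SSL)\s+)?"?([^"\s]+)"?', re.I)


def audit_httpd_conf(text):
    """Return [(line_no, cipher_string)] for directives that permit NULL encryption."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and (m.group(1) or "").lower() != "tlsv1.3" and cipher_string_permits_null(m.group(2)):
            findings.append((n, m.group(2)))
    return findings


SAMPLE_CONF = """# constructed sample config, not a real deployment
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!eNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:eNULL"
</VirtualHost>
<VirtualHost *:9443>
    SSLCipherSuite ALL:-eNULL:NULL-SHA256
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, spec in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: NULL encryption permitted by '{spec}'")
```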
