On Wed, Apr 7, 2010 at 2:07 PM, Poul-Henning Kamp <[email protected]> wrote:

> In message <[email protected]>, Michael Fischer writes:
>
>> What's the incompatibility with OpenSSL?
>
> I have two main reservations about SSL in Varnish:
>
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000.
>    Adding such a massive amount of code to Varnish footprint should
>    result in a very tangible benefit.

RAM is cheap. Besides, as a shared library the cost is amortized among all processes using it.

> Compared to running a SSL proxy in front of Varnish, I can see
> very, very little benefit from integration. Yeah, one process
> less and only one set of config parameters.
>
> But that all sounds like "second systems syndrome" thinking to me,
> it does not really sound like a genuine "The world would become
> a better place" feature request.

Well, there are a couple of benefits: (1) stunnel doesn't scale particularly well, and can't scale across multiple CPUs in any event; (2) as someone else pointed out, Varnish can only do effective logging of and access control pertaining to the peer IP if the SSL negotiation is done in-process. stunnel won't spoof the peer IP for Varnish (and arguably no secure kernel should allow it to).

> But I do see some serious drawbacks: The necessary changes
> to Varnish internal logic will almost certainly hurt varnish
> performance for the plain HTTP case. We need to add an inordinate
> amount of overhead code to configure and deal with the key/cert
> bits.

I defer to your judgment on that issue.

> 2. I have looked at the OpenSSL source code, I think it is a catastrophe
>    waiting to happen. In fact, the only thing that prevents attackers
>    from exploiting problems more actively is that the source code is
>    fundamentally unreadable and impenetrable.

Is GNU TLS any better? I've not used it.

--Michael

_______________________________________________
varnish-misc mailing list
[email protected]
http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
