Poul-Henning Kamp wrote:
> In message <[email protected]>,
> Michael Fischer writes:
>
>> What's the incompatibility with OpenSSL?
>
> I have two main reservations about SSL in Varnish:
>
> 1. OpenSSL is almost 350.000 lines of code, Varnish is only 58.000,
>    Adding such a massive amount of code to Varnish footprint, should
>    result in a very tangible benefit.
>
>    Compared to running a SSL proxy in front of Varnish, I can see
>    very, very little benefit from integration. Yeah, one process
>    less and only one set of config parameters.
>
>    But that all sounds like "second systems syndrome" thinking to me,
>    it does not really sound like a genuine "The world would become
>    a better place" feature request.
>
>    But I do see some serious drawbacks: The necessary changes
>    to Varnish internal logic will almost certainly hurt Varnish
>    performance for the plain HTTP case. We need to add an inordinate
>    amount of overhead code, to configure and deal with the key/cert
>    bits.
>
> 2. I have looked at the OpenSSL source code, I think it is a catastrophe
>    waiting to happen. In fact, the only thing that prevents attackers
>    from exploiting problems more actively, is that the source code is
>    fundamentally unreadable and impenetrable.
>
> Unless those two issues can be addressed, I don't see SSL in Varnish
> any time soon.
>

I don't see your problem with that.

1. You should not include OpenSSL in Varnish. Varnish should use OpenSSL.
2. There are other SSL libraries, maybe others are better suited.
3. It should be off by default and enabled by need. So it's the decision of the Admin if he uses SSL and his risk.

But I really think https is a major show stopper for the use of Varnish.

Regards
Estartu

--
-------------------------------------------------
Gerhard Schmidt       | E-Mail: [email protected]
TU-München            |
WWW & Online Services |
Tel: 089/289-25270    |
Fax: 089/289-25257    | PGP public key on request
_______________________________________________
varnish-misc mailing list
[email protected]
http://lists.varnish-cache.org/mailman/listinfo/varnish-misc
