Date posted: 11-Aug-2015
Uploaded by: varnish-software
What is TLS
• TLS provides a general-purpose secure transport channel between two computers.
• It runs on top of TCP and below HTTP.
• The result is HTTPS, or HTTP over TLS.
Why is there no TLS support in Varnish Cache?
• There are no good TLS implementations.
• Writing a new one takes at least a year.
• It requires a lot of math skills.
• But sometimes you just have to...
Client side details
• TLS proxy (hitch) packaged in Varnish Plus.
• Built on code originally written by Bump, later worked on by WhatsApp.
• Fast, scalable code: ~3000 conns per core.
• Event-driven (libev), one process per CPU.
Changes from stud
• TLS v1.0, TLS v1.1 and TLS v1.2 support.
• Support for SNI added.
• Support PROXYv1 and PROXYv2 protocol to origin.
• Multiple listening sockets, each with a possibly different default key/certificate.
• Wildcard certificates are supported (with and without SNI).
• SSL 3.0 must now be enabled explicitly.
• Autoconf build.
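The hitch settings that correspond to the items above, as an added example configuration that is not from these slides or from the hitch project; hostnames, PEM paths and ports are placeholders, and the option names are those of hitch's configuration file, given here as assumptions.

```ini
# Constructed example hitch.conf (placeholder paths and ports).

# Two listening sockets, each with its own default certificate.
# When a client sends a server name, SNI selects among the loaded
# PEM files (wildcard certificates match with or without SNI).
frontend = {
    host = "*"
    port = "443"
    pem-file = "/etc/hitch/example.com.pem"
}
frontend = {
    host = "*"
    port = "8443"
    pem-file = "/etc/hitch/wildcard.example.net.pem"
}

# Plaintext backend: the Varnish listener behind the proxy (placeholder
# address; it must accept the PROXY protocol for the setting below).
backend = "[127.0.0.1]:6086"

# Pass the client's real address to Varnish using PROXY protocol v2.
write-proxy-v2 = on

# One worker process per CPU core (adjust to the host).
workers = 4

# SSL 3.0 is off unless explicitly enabled; keep it off so only
# TLS 1.0, 1.1 and 1.2 are offered.
ssl = off

# Use the server's cipher preference order rather than the client's.
prefer-server-ciphers = on
```

Varnish must be listening on the configured backend address with PROXY protocol support, otherwise the PROXY header is delivered as part of the HTTP request and the connection fails.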
Backend side details
• Built directly into varnishd.
• Add .ssl = true to the backend definition in order to use TLS (yes, I know it says SSL).
• The 4.1 code will be modular.