
SSL, h2 and more

Date post: 11-Aug-2015
Upload: varnish-software

Secure Socket Layer (SSL)

Transport Layer Security (TLS)

What is TLS?

• TLS provides a general purpose secure transport channel between two computers.

• It runs on top of TCP and below HTTP

• The result is HTTPS, or HTTP over TLS

Why is there no TLS support in Varnish Cache?

• There are no good TLS implementations

• Writing a new one takes at least a year

• Requires a lot of math skills

• But sometimes you just have to…

TLS everywhere

[Diagram: Client -> Varnish -> Backend, with TLS on the client side and on the backend side]

Plan

• TLS Beta in Varnish Cache Plus in May

• Production release in June

Client side details

• TLS proxy (hitch) packaged in Varnish Plus

• Built on code originally written by Bump, later worked on by WhatsApp

• Fast, scalable code. ~3000 conns per core

• Event-driven (libev), one process per CPU

Changes from stud

• TLS v1.0, TLS v1.1 and TLS v1.2 support.

• Support for SNI added.

• Support for the PROXYv1 and PROXYv2 protocols to origin.

• Multiple listening sockets, each possibly with a different default key/certificate.

• Wildcard certificates are supported (with and without SNI).

• SSL 3.0 must now be enabled explicitly.

• Autoconf build
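An added example, not from the slides: a hitch configuration that puts the feature list above into practice, written in hitch's config-file syntax. The addresses, certificate paths, worker count and the varnishd listen flag are assumptions for illustration.

```conf
# hitch.conf (added example; paths, ports and hostnames are placeholders)

# Two listening sockets, each with its own default certificate
# (the "multiple listening sockets" item above). Each PEM file holds
# the leaf certificate, the chain and the private key. With several
# pem-file entries, SNI selects the certificate; the first one is the
# default when the client sends no SNI.
frontend = {
    host = "*"
    port = "443"
    pem-file = "/etc/hitch/example.com.pem"
}
frontend = {
    host = "10.0.0.2"
    port = "443"
    # wildcard certificate; used with or without SNI
    pem-file = "/etc/hitch/wildcard.example.net.pem"
}

# Hand decrypted connections to Varnish, prefixing each one with a
# PROXYv2 header so Varnish sees the real client address.
# Assumption: varnishd is started with "-a :6086,PROXY" (Varnish 4.1).
backend = "[127.0.0.1]:6086"
write-proxy-v2 = on

# Protocol policy: TLS 1.0, 1.1 and 1.2 only. SSL 3.0 stays off unless
# "ssl = on" is set explicitly, matching the change from stud above.
tls = on
ssl = off
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
prefer-server-ciphers = on

# One worker process per CPU, each running its own libev event loop.
workers = 4
backlog = 1024
keepalive = 3600

# Drop privileges after binding port 443.
user = "hitch"
group = "hitch"
```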

TLS everywhere

[Diagram: Client -> TLS proxy -> Varnish -> Backend]

Backend side details

• Built directly into varnishd

• Add .ssl = true to backend in order to use TLS (yes, I know it says SSL)

• 4.1 code will be modular

Future features

• Expand TLS support

• OCSP Stapling

Thanks

