
Re: OL, SSL/TLS, and load balancing

--On Monday, May 03, 2004 1:24 PM -0700 Donn Cave <donn@u.washington.edu> wrote:

> Our HTTP service is software load balanced, and seems to manage
> without wildcards.  I believe the server is configured with its
> hostname for SSL, separately from its hostname for TCP bind.
> That would make direct access via the canonical host name difficult,
> unless you wanted to use a separate non-standard service port for it.

Yes, our HTTP service is also load balanced... If you work with RL Bob Morgan, it wouldn't surprise me if the software you are using is the same we are using...


When we initially went to deploy OpenLDAP, we experimented with the certs and software load balancing, without much luck... perhaps I should do it some more.

> If it's feasible - if you have full control over development or
> deployment of the client software - I would think about resolving
> the address ahead of time and never letting SSL hear about
> ldap.stanford.edu.
> If you verify that the canonical host is a reasonably likely cluster
> member, I don't think this would compromise security, but I'm not an
> SSL whiz.

> We also use wildcard certificates (for IMAP/POP), and that isn't fun.
> Vendors want to make sure the wildcard isn't cutting into their revenue
> stream by letting you secure your whole site on one certificate.  I
> would be sorry to see this become the standard route to dealing with
> load balancing (which I should be looking into myself - already have
> the load balance name, so the next step is to make it work.)

Check out InstantSSL, they have manageable rates at least. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
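The following is an added illustration of the point argued in this thread, written for this archive page; it is not code from either poster or from OpenLDAP. It shows why a TLS client that connects to the load-balance name fails against a per-member certificate, how "resolving the address ahead of time" and verifying the member's canonical name avoids that without a wildcard certificate, and why a wildcard only ever covers one label. Every host name, address and certificate content is a constructed placeholder (example.edu, 192.0.2.x), and the DNS lookups are replaced by in-memory tables so the script runs offline; the live `connect_verifying_canonical` helper is shown but not invoked.

```python
"""Added example: the name a TLS client verifies must appear in the server
certificate.  Resolving the load-balance name to a member address first and
then verifying the member's canonical name sidesteps the load-balance name
without a wildcard certificate.

All names, addresses and certificate contents below are constructed
placeholders; the DNS tables stand in for real lookups so this runs offline."""
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive; a wildcard is only
    accepted as the entire left-most label of a name with at least three
    labels, and it never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*", "*.edu" and partial-label wildcards such as "ld*.example.edu"
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry covers the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# Constructed stand-ins for DNS and for the certificate each member presents.
LB_FORWARD = {"ldap.example.edu": ["192.0.2.10", "192.0.2.11"]}
REVERSE = {"192.0.2.10": "ldap1.example.edu", "192.0.2.11": "ldap2.example.edu"}
MEMBER_CERT_SANS = {
    "ldap1.example.edu": ["ldap1.example.edu"],                      # per-host cert only
    "ldap2.example.edu": ["ldap2.example.edu", "ldap.example.edu"],  # also carries the LB name
}


def resolve_member(lb_name: str, index: int = 0):
    """Resolve the load-balance name to one member address, then map the
    address back to the member's canonical name.  The canonical name must lie
    in the same zone as the load-balance name; otherwise a stale or forged
    reverse record could make the client verify an unrelated host."""
    addr = LB_FORWARD[lb_name][index]
    canonical = REVERSE[addr]
    zone = lb_name.split(".", 1)[1]
    if not canonical.endswith("." + zone):
        raise ValueError(f"{canonical} is not in zone {zone}; refusing")
    return addr, canonical


def verify_choices(lb_name: str, index: int = 0) -> dict:
    """Compare verifying the load-balance name with verifying the canonical
    member name against the certificate that member presents."""
    addr, canonical = resolve_member(lb_name, index)
    sans = MEMBER_CERT_SANS[canonical]
    return {
        "member": canonical,
        "verify_lb_name": cert_covers(sans, lb_name),
        "verify_canonical": cert_covers(sans, canonical),
    }


def connect_verifying_canonical(lb_name: str, port: int = 636) -> ssl.SSLSocket:
    """Live version (not run here): open the TCP connection to the resolved
    address but hand the canonical name to the TLS layer, so SNI and hostname
    verification both use a name the member's certificate carries."""
    addr, canonical = resolve_member(lb_name)
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    return ctx.wrap_socket(socket.create_connection((addr, port)),
                           server_hostname=canonical)


if __name__ == "__main__":
    for i in range(2):
        print(verify_choices("ldap.example.edu", i))
```

Running it shows the first member (per-host certificate only) failing verification of the load-balance name but passing for its canonical name, while the second member, whose certificate also lists the load-balance name, passes both; the zone check in `resolve_member` is the "reasonably likely cluster member" condition from the thread, made explicit.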