This is a discussion on SSL Accelerators within the Linux Security forums, part of the System Security and Security Related category.
> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>
> What experience do you guys have with SSL accelerators? Any recommendations
> or caveats?

We've been playing with "network box" ones... Pretty sweet stuff; we were able to use it to get an application server (happened to be running AIX) to a load average of about 500, and still be usable, in a "scary concurrency test."
--
(reverse (concatenate 'string "moc.liamg" "@" "enworbbc"))
http://cbbrowne.com/info/
If we were meant to fly, we wouldn't keep losing our luggage.
|
|||
|
"Christopher Browne" <cbbrowne@acm.org> wrote in message
news:m3fyqdb1mi.fsf@mobile.int.cbbrowne.com...
> > We're a poor company and are looking at ways to offload our SSL traffic.
> > Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
> >
> > What experience do you guys have with SSL accelerators? Any recommendations
> > or caveats?
>
> We've been playing with "network box" ones...

Could you explain? "Network box"? Is that a brand?

[snip]

Michael
|
|||
|
> "Christopher Browne" <cbbrowne@acm.org> wrote in message
> news:m3fyqdb1mi.fsf@mobile.int.cbbrowne.com...
>> > We're a poor company and are looking at ways to offload our SSL traffic.
>> > Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>> >
>> > What experience do you guys have with SSL accelerators? Any recommendations
>> > or caveats?
>>
>> We've been playing with "network box" ones...
>
> Could you explain? "Network box"? Is that a brand?

F5 is the brand... They sell SSL accelerators that are add-on modules for their "Big-IP" network management appliances. So SSL acceleration takes place as a proxy on another box.

This has a *very* significant benefit over doing it inside your PC in that you get the other "Big-IP" network traffic management features.
--
output = reverse("moc.enworbbc" "@" "enworbbc")
http://cbbrowne.com/info/languages.html
To quote from a friend's conference talk: "they told me that their network was physically secure, so I asked them `then what's with all these do-not-leave-valuables-in-your-desk signs?'".
-- Henry Spencer
|
|||
|
Michael wrote:
> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL accelerators.
>
> What experience do you guys have with SSL accelerators? Any recommendations
> or caveats?
>
> Michael

You might try this adapter.
https://www.britestream.com/
|
|||
|
Michael wrote:
> We're a poor company and are looking at ways to offload our SSL traffic.
> Since we're cheap, we'd like to consider one of those PCI SSL
> accelerators.
>
> What experience do you guys have with SSL accelerators? Any
> recommendations or caveats?

Looking at the history of SSL, I'd stay well clear of 'hardware' solutions for an exposed interface.

I've found stunnel very reliable and easy to use. As a software solution, you can run it chroot on the webserver, or on a separate box. You say 'one'? As in you only have one webserver? In that case I'd say get a second box to run as a webserver and run stunnel chrooted on each machine.

C.
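
A minimal stunnel configuration for the setup suggested in the post above: stunnel chrooted on each web server, terminating SSL and forwarding the decrypted traffic to the local HTTP port. This is an added example, not part of the original thread; the jail directory, account name, ports and certificate paths are assumptions.

```ini
; stunnel.conf (constructed example; every path and name below is an assumption)

; --- global options ---
; Directory stunnel confines itself to after start-up. It must exist and be
; writable by the unprivileged account named below.
chroot = /var/lib/stunnel
; Drop root privileges once the privileged port has been bound.
setuid = stunnel
setgid = stunnel
; The pid file path is resolved inside the chroot jail.
pid = /stunnel.pid

; --- one service section per listener ---
[https]
; Accept SSL connections from clients on port 443 ...
accept = 443
; ... and pass the decrypted stream to the web server on the same host.
connect = 127.0.0.1:80
; Server certificate and private key (placeholder paths).
cert = /etc/stunnel/site.pem
key = /etc/stunnel/site.key
```

With this layout the web server should listen on 127.0.0.1 only, so that plain HTTP is reachable solely through the tunnel.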
|
|||
|
"Colin McKinnon" <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote in message

[snip]

Hi Colin,

> Looking at the history of SSL, I'd stay well clear of 'hardware' solutions
> for an exposed interface.
>
> I've found stunnel very reliable and easy to use. As a software solution,
> you can run it chroot on the webserver, or on a separate box. You say
> 'one'? As in you only have one webserver? In that case I'd say get a second
> box to run as a webserver and run stunnel chrooted on each machine.

Thanks for the reply. We actually have five web servers and considered stunnel, but... Gosh, does that scale well? I'd actually love to just do stunnel and will now give it a shot due to your suggestion (i.e. if you suggest it, it must mean that other people must be at least trying it too). Doing the SSL acceleration on our load balancer has been just way too slow, but perhaps if we offloaded to each individual server via stunnel we'd be ok.

Michael
|
|||
|
> Michael wrote:
>
>> We're a poor company and are looking at ways to offload our SSL traffic.
>> Since we're cheap, we'd like to consider one of those PCI SSL
>> accelerators.
>>
>> What experience do you guys have with SSL accelerators? Any
>> recommendations or caveats?
>
> Looking at the history of SSL, I'd stay well clear of 'hardware' solutions
> for an exposed interface.
>
> I've found stunnel very reliable and easy to use. As a software solution,
> you can run it chroot on the webserver, or on a separate box. You say
> 'one'? As in you only have one webserver? In that case I'd say get a second
> box to run as a webserver and run stunnel chrooted on each machine.

But the reason to be interested in SSL accelerators is the fact that they, well, accelerate it.

I'll buy the story that it's better to separate it to another host, but "stunnel" won't get you one iota of hardware acceleration, which was the point of the exercise in the first place.
--
output = ("cbbrowne" "@" "gmail.com")
http://linuxdatabases.info/info/x.html
Rules of the Evil Overlord #187. "I will not hold lavish banquets in the middle of a famine. The good PR among the guests doesn't make up for the bad PR among the masses." <http://www.eviloverlord.com/>