[openssl-dev] F5 termination of TCP connection

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 1 16:56:11 UTC 2015


On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote:

> Yes, that's exactly what we do in our configuration. We have 24 servers 
> with rather high workload. SSL is offloaded on F5 load balancer and 
> servers behind load balancers receive decrypted traffic.
>
> I'm not aware of any performance issues. And in fact it's quite good 
> idea as server itself doesn't need to know anything about TLS/SSL 
> protocol.

...  And the network connecting the load balancers to the backend
servers is completely physically secured, has no untrusted devices
connected to it anywhere, and all the backend servers completely trust
each other to avoid snooping or interfering with each others' traffic
... right?

When describing deployment configurations, please don't omit the
infrastructure and threat-model requirements for doing this kind of
deployment securely and responsibly.  You might think it goes without
saying, but a couple sentences of reminder don't hurt.

Or, as the powerpoint slide said: "SSL added and removed here ;)" [0]

          --dkg

[0] https://www.agwa.name/blog/post/cloudflare_ssl_added_and_removed_here
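As an added illustration of dkg's point (example code written for this page, not from the thread, from F5 or from OpenSSL): when TLS is offloaded at the balancer, the segment behind it carries whatever the balancer forwards, and an operator who wants re-encryption to the backends needs a way to confirm that is what is actually happening. The small classifier below inspects the first bytes a client sends on a new connection and reports whether they are a TLS ClientHello or cleartext HTTP; run over samples captured on the backend listeners, it lists backends that are receiving cleartext. The backend addresses and byte samples are constructed for the example.

```python
# Added example: classify the opening bytes of a connection seen on the
# load-balancer-to-backend segment as TLS handshake or cleartext HTTP.
# Backend addresses and sample bytes below are constructed, not captured.

TLS_HANDSHAKE_RECORD = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01          # handshake message type: ClientHello
# Legacy record-layer version field (TLS 1.3 still sends 0x0301/0x0303 here).
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2+"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client sends on a fresh TCP connection.

    Returns a dict with a 'kind' of 'tls-client-hello', 'tls-handshake',
    'cleartext-http' or 'unknown', plus the record-layer version for TLS.
    """
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        version = RECORD_VERSIONS.get((data[1] << 8) | data[2], "TLS?")
        # A handshake record must at least carry the 4-byte handshake header.
        if record_len >= 4 and data[5] == TLS_CLIENT_HELLO:
            return {"kind": "tls-client-hello", "record_version": version}
        return {"kind": "tls-handshake", "record_version": version}
    if any(data.startswith(m) for m in HTTP_METHODS):
        return {"kind": "cleartext-http"}
    return {"kind": "unknown"}


def cleartext_backends(samples) -> list:
    """Given (backend, first_bytes) pairs, return backends that received cleartext HTTP."""
    seen = set()
    for backend, data in samples:
        if classify_first_bytes(data)["kind"] == "cleartext-http":
            seen.add(backend)
    return sorted(seen)


# Constructed samples: a minimal TLS 1.0-framed ClientHello fragment, a
# cleartext HTTP request, and an unrelated byte string.
SAMPLES = [
    ("10.0.1.10:443", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("10.0.1.11:8080", b"GET /login HTTP/1.1\r\nHost: app.internal\r\n\r\n"),
    ("10.0.1.12:8080", b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for backend, data in SAMPLES:
        print(backend, classify_first_bytes(data))
    print("backends receiving cleartext:", cleartext_backends(SAMPLES))
```

The check only looks at the first bytes of each connection, so it is cheap enough to run against a packet capture or a listener's accept loop; a backend that shows up in the cleartext list while policy expects re-encryption is exactly the "SSL removed here" situation the message warns about.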
