[openssl-users] explicitly including other ciphers.

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Dec 4 05:32:32 UTC 2015

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Thursday, December 03, 2015 21:11
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] explicitly including other ciphers.
> On 04/12/2015 03:03, Michael Wojcik wrote:
> > So rather than connecting directly to Apache, how about connecting to a
> TLS proxy like stunnel, which would then connect to Apache over vanilla
> HTTP. Configure Apache to only bind to loopback addresses (127/8 and/or
> ::1), so no one can bypass the proxy.
> >
> Wouldn't that extra hop via stunnel cost performance
> (noting that Ron is apparently running at faster than
> gigabit speed).

Yes, but depending on the actual application behavior, it might be negligible compared to the cost of certificate validation and the like. I don't know enough about the situation to guess whether the impact would be an issue, so I thought I'd propose this as one possible alternative.

The application might even be such that a caching proxy could be used in front of Apache for a performance gain - for example if the same content is re-read frequently and the HTTP cache control mechanisms allow it to be usefully cached.

Michael Wojcik
Technology Specialist, Micro Focus

More information about the openssl-users mailing list