
What's the point of the Haproxy entry? It doesn't support SSL by design, and can be coupled with a dedicated SSL proxy if needed.


I use haproxy to terminate the TLS of a number of sites, I'd say the support is pretty stellar :)

    $ ./cipherscan jve.linuxwall.info
    ........................
    Target: jve.linuxwall.info:443

    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-384,384bits  secp384r1
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-384,384bits  secp384r1
    3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
    4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
    5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-384,384bits  secp384r1
    6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
    7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-384,384bits  secp384r1
    8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
    9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
    10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
    12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    13    AES128-GCM-SHA256            TLSv1.2                None                None
    14    AES256-GCM-SHA384            TLSv1.2                None                None
    15    AES128-SHA256                TLSv1.2                None                None
    16    AES256-SHA256                TLSv1.2                None                None
    17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    18    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    20    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
    21    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    22    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
    23    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

    Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 300
    OCSP stapling: supported
    Cipher ordering: server


haproxy 1.5 supports SSL, and some people do use it as a frontend now.

A single core process won't be able to keep up with SSL handshakes though, since one core can only do around 500 RSA 2048-bit sign/s. Session resumption will help a lot, but I would still want to distribute RSA operations over multiple cores.


haproxy has had multiple process support for quite some time.

... It does introduce some unique side effects, but it's possible.

Also, AES-NI should increase your SSL handshakes (if the CPU supports it).


> Also, AES-NI should increase your SSL handshakes (if the CPU supports it).

SSL handshakes are primarily dependent on asymmetric key negotiation (i.e, RSA), which isn't accelerated by AESNI.

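The two points raised above (haproxy 1.5 terminating TLS, and spreading the RSA handshake cost over several cores with its multi-process mode) fit in one configuration. The following is an added example, not configuration from any commenter or from the haproxy project; the certificate path, backend addresses and stats socket paths are assumed. The cipher list is the forward-secret part of the scan output posted earlier, with the non-PFS AES suites kept as a fallback and the DES-CBC3 and Camellia suites dropped. Note the side effects of `nbproc`: every process has its own counters and runs its own health checks, so the stats socket is bound once per process. AES-NI does not change the RSA sign rate, so the only handshake lever here is more processes plus session resumption, for which haproxy 1.5 shares its SSL session cache between processes.

```haproxy
# Added example (not from the thread, not haproxy's own documentation): TLS
# termination spread over four cores with haproxy 1.5's nbproc.
# Assumed: /etc/haproxy/certs/site.pem, backends 10.0.0.10/11, socket paths.
global
    nbproc 4                          # one worker process per core
    # stats are per process: bind one socket per process to read them
    stats socket /var/run/haproxy-1.sock process 1
    stats socket /var/run/haproxy-2.sock process 2
    stats socket /var/run/haproxy-3.sock process 3
    stats socket /var/run/haproxy-4.sock process 4
    tune.ssl.default-dh-param 2048    # DHE suites negotiate a 2048-bit group
    tune.ssl.cachesize 100000         # session cache, shared between processes
    tune.ssl.lifetime 300             # seconds a cached session stays resumable
    ssl-default-bind-options no-sslv3
    # server-preferred order: ECDHE/DHE first so PFS is chosen whenever offered
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!MD5:!RC4:!3DES

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https
    # the listening socket is created before the fork and inherited by all
    # four processes; whichever process accepts a connection does its RSA
    # handshake, so the ~500 sign/s per core limit scales with nbproc
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend app

backend app
    option forwardfor
    # with nbproc 4 each backend server is health-checked four times over
    server app1 10.0.0.10:8080 check
    server app2 10.0.0.11:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and re-run cipherscan afterwards: the expected difference from the scan above is that the DES-CBC3-SHA and Camellia rows disappear while "Cipher ordering: server" stays.
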



