> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Ron Croonenberg > Sent: Thursday, December 03, 2015 18:35 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] explicitly including other ciphers. > > The network is isolated from the outside worl, BUT we still need > authentication because different users are using it. > > So what I preferably want is sort of a set up where, > authentication is done the "standard way" and after that just use the > https connection without the overhead of actually encrypting anything. > (and the lesss modifications and recompiling the better) So rather than connecting directly to Apache, how about connecting to a TLS proxy like stunnel, which would then connect to Apache over vanilla HTTP. Configure Apache to only bind to loopback addresses (127/8 and/or ::1), so no one can bypass the proxy. That's assuming stunnel doesn't also play silly buggers with the cipher suite list. -- Michael Wojcik Technology Specialist, Micro Focus
