On 04/12/2015 03:03, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf >> Of Ron Croonenberg >> Sent: Thursday, December 03, 2015 18:35 >> To: openssl-users at openssl.org >> Subject: Re: [openssl-users] explicitly including other ciphers. >> >> The network is isolated from the outside worl, BUT we still need >> authentication because different users are using it. >> >> So what I preferably want is sort of a set up where, >> authentication is done the "standard way" and after that just use the >> https connection without the overhead of actually encrypting anything. >> (and the lesss modifications and recompiling the better) > So rather than connecting directly to Apache, how about connecting to a TLS proxy like stunnel, which would then connect to Apache over vanilla HTTP. Configure Apache to only bind to loopback addresses (127/8 and/or ::1), so no one can bypass the proxy. > > That's assuming stunnel doesn't also play silly buggers with the cipher suite list. > Wouldn't that extra hop via stunnel cost performance (noting that Ron is apparently running at faster than gigabit speed). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
