> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Jakob Bohm > Sent: Thursday, December 03, 2015 21:11 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] explicitly including other ciphers. > > On 04/12/2015 03:03, Michael Wojcik wrote: > > So rather than connecting directly to Apache, how about connecting to a > TLS proxy like stunnel, which would then connect to Apache over vanilla > HTTP. Configure Apache to only bind to loopback addresses (127/8 and/or > ::1), so no one can bypass the proxy. > > > Wouldn't that extra hop via stunnel cost performance > (noting that Ron is apparently running at faster than > gigabit speed). Yes, but depending on the actual application behavior, it might be negligible compared to the cost of certificate validation and the like. I don't know enough about the situation to guess whether the impact would be an issue, so I thought I'd propose this as one possible alternative. The application might even be such that a caching proxy could be used in front of Apache for a performance gain - for example if the same content is re-read frequently and the HTTP cache control mechanisms allow it to be usefully cached. -- Michael Wojcik Technology Specialist, Micro Focus
