Re: OL, SSL/TLS, and load balancing

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Monday, May 03, 2004 1:24 PM -0700 Donn Cave <donn@u.washington.edu> 
wrote:


> Our HTTP service is software load balanced, and seems to manage
> without wildcards.  I believe the server is configured with its
> hostname for SSL, separately from its hostname for TCP bind.
> That would make direct access via the canonical host name difficult,
> unless you wanted to use a separate non-standard service port for it.

Yes, our HTTP service is also load balanced... If you work with RL Bob 
Morgan, it wouldn't surprise me if the software you are using is the same 
we are using...

When we initially went to deploy OpenLDAP, we experimented with the certs 
and software load balancing, without much luck... perhaps I should do it 
some more.

> If it's feasible - if you have full control over development or
> deployment of the client software - I would think about resolving
> the address ahead of time and never letting SSL hear about
> ldap.stanford.edu.
> If you verify that the canonical host is a reasonably likely cluster
> member, I don't think this would compromise security, but I'm not an
> SSL whiz.
>
> We also use wildcard certificates (for IMAP/POP), and that isn't fun.
> Vendors want to make sure the wildcard isn't cutting into their revenue
> stream by letting you secure your whole site on one certificate.  I
> would be sorry to see this become the standard route to dealing with
> load balancing (which I should be looking into myself - already have
> the load balance name, so the next step is to make it work.)

Check out InstantSSL, they have manageable rates at least. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html