Re: Mandatory encryption

On Thu, Jul 19, 2012 at 10:08:04AM +0000, Poul-Henning Kamp wrote:
> In message <20120719093901.GB16208@1wt.eu>, Willy Tarreau writes:
> 
> >TLS is a valid transport [...]
> 
> Am I the only one who thinks we should be able to mix protected
> and unprotected transactions on the same TCP stream?

No, you're not the only one. I like it too, and I'd also like to
ensure that WebSocket and HTTP can share the same TCP connection.

> I really don't see why the user should have to open a new connection
> just because they want to log into a site, and it would allow
> proxies, gateways and routers to use fewer connections more
> efficiently.

In fact, mixing streams saves TCP connections. However, processing
encryption on a stream is always expensive as it requires data copy
at the software level.

If we one day support datagram-based transport (which I hope for, for
many reasons), then I'd favor splitting the streams so that we can
rely on the NIC's ability to encrypt datagrams at zero cost.

Regards,
Willy

Received on Thursday, 19 July 2012 10:17:40 UTC