Re: HTTPs web-balancing
- From: Patrick Debois <Patrick.Debois@xxxxxxx>
- Date: Mon, 13 Aug 2007 16:33:12 +0200
Some thoughts as you requested:
Loadbalancers and http/s often relate for
*) SSL offloading (decrypt the traffic, and sometimes re-encrypt)
*) Balancing traffic (used for prioritisation, QoS)
*) Stickiness
*) Failover mechanism
There is also a distinction using loadbalancers in http/s for
*) only server certificates
*) client certificates
Solutions exist either from the HW proxy world (bluecoat), SW proxy
(apache mod_balance), balance, Network (css)
Problems:
* I guess the problem you are referring to is that if loadbalancers
integrate at the real http/s layer, they work like a sort of man in the
middle.
When you take the whole chain, server AND client certificates, this is
indeed a problem. Only server certificates do not pose that much of a
problem because you can install the same certificate on the
loadbalancers. For SSL client certificates, termination normally needs
to be done on the http/s webserver itself.
Vendors solve this by reading the client DN in the certificate and
passing it via an http-header to the backend. But online checking with
CRLs and OCSP is often not integrated.
* Stickiness in an SSL session: these loadbalancers can see the SSL
sessions, but these tend to be negotiated differently based on the
browser type.
* Buffering and delays: the introduction of http/s through a
loadbalancer can cause some latency problems in case a lot of small
packets are encrypted/decrypted. Have a look in Google for 'Nagle
algorithm'.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of MARTIN Benoni
Sent: Thursday, August 09, 2007 11:55 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: HTTPs web-balancing
Hi!
Has anyone experienced load-balancing with https? Some guys say it's
possible, others say no. Some vendors say yes, some friends say no :(.
I'm quite lost!
Thx!
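
Added example, not part of the original thread: a sketch of the client-DN-in-a-header arrangement described in the reply, showing the balancer stripping client-supplied identity headers and the backend accepting the DN only from the balancer and doing the revocation check itself. The header names, balancer subnet and revoked-serial set are assumptions constructed for illustration, as is forwarding the certificate serial alongside the DN.

```python
import ipaddress

# Assumptions (not from the thread): header names, balancer subnet, revoked serials.
DN_HEADER = "X-Client-DN"
SERIAL_HEADER = "X-Client-Cert-Serial"
TRUSTED_BALANCERS = [ipaddress.ip_network("10.0.0.0/29")]  # constructed
REVOKED_SERIALS = {"0A1B2C"}  # constructed; would be loaded from the CA's CRL


def balancer_forward(client_headers, verified_dn, verified_serial):
    """Balancer side: drop client-supplied identity headers, then set our own."""
    reserved = {DN_HEADER.lower(), SERIAL_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    if verified_dn is not None:  # set only after the TLS handshake verified the cert
        out[DN_HEADER] = verified_dn
        out[SERIAL_HEADER] = verified_serial
    return out


def backend_identity(peer_ip, headers):
    """Backend side: return the client DN, or None if it cannot be trusted."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_BALANCERS):
        return None  # request bypassed the balancer, so the header proves nothing
    h = {k.lower(): v for k, v in headers.items()}
    dn = h.get(DN_HEADER.lower())
    serial = h.get(SERIAL_HEADER.lower())
    if not dn or not serial:
        return None  # no client certificate was presented to the balancer
    if serial.upper() in REVOKED_SERIALS:
        return None  # balancer did no CRL/OCSP check, so check revocation here
    return dn
```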