Security Basics mailing list archives

Re: HTTPs web-balancing


From: Patrick Debois <Patrick.Debois () jedi be>
Date: Mon, 13 Aug 2007 16:33:12 +0200

Some thoughts as you requested:

Loadbalancers and http/s often relate for
*) SSL offloading (decrypt the traffic, and sometimes re-encrypt)
*) Balancing traffic (used for prioritisation, QoS)
*) Stickiness
*) Failover mechanism

There is also a distinction using loadbalancers in http/s for
*) only server certificates
*) client certificates

Solutions exist either from the HW proxy world (bluecoat), SW proxy
(apache mod_balance), balance, Network (css)

Problems:
* I guess the problem you are referring to is that if loadbalancers
integrate at the real http/s layer, they work like a sort of man in the
middle.
When you take the whole chain, server AND client certificates, this is
indeed a problem. Only server certificates does not pose that much of a
problem, because
you can install the same certificate on the loadbalancers. For SSL
client certificates, termination normally needs to be done on the http/s
webserver itself.
Vendors solve this by reading the client DN in the
certificate and passing it via an http-header to the backend. But
online checking with CRLs and OCSP is often not integrated.

* Stickiness in an SSL session: these loadbalancers can see the SSL
sessions, but these tend to be negotiated differently based on the browser type

* Buffering and delays: the introduction of http/s through a
loadbalancer can cause some latency problems in case a lot of small
packets are encrypted/decrypted. Have a look in google for 'nagle algorithm'

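What the client-certificate point above implies for the backend, as an added example that is not code from the list post or from any vendor's product: the server behind the balancer accepts the forwarded client DN only when the request really came from a balancer address, and does the revocation check the balancer skipped. The header names, the trusted proxy network and the CRL serials are all assumptions.

```python
"""Backend handling of a client-cert identity forwarded by a TLS-terminating
load balancer. Header names, proxy range and CRL contents are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed header names; real vendors use their own.
DN_HEADER = "x-ssl-client-dn"
SERIAL_HEADER = "x-ssl-client-serial"

# Assumed: only the load balancers may assert a client identity.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Constructed stand-in for a CRL the backend fetches itself, since the
# balancer passes the DN but does no CRL/OCSP lookup: revoked serials (hex).
REVOKED_SERIALS = {"0a1b2c", "ffee01"}


@dataclass
class ClientIdentity:
    dn: str
    serial: str


def resolve_client_identity(headers: dict, peer_ip: str) -> Optional[ClientIdentity]:
    """Return the forwarded identity, or None when it must not be trusted.

    1. From any host other than a balancer the header is just attacker-writable
       text, so it is ignored outright rather than merely logged.
    2. The balancer terminated TLS without a revocation check, so the backend
       compares the forwarded serial against its own CRL copy.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return None  # request bypassed the balancer: never trust the header
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    dn, serial = h.get(DN_HEADER), h.get(SERIAL_HEADER)
    if not dn or not serial:
        return None  # balancer saw no client certificate on this request
    if serial.lower() in REVOKED_SERIALS:
        return None  # valid chain at the balancer, but revoked since issuance
    return ClientIdentity(dn=dn, serial=serial)
```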



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of MARTIN Benoni
Sent: Thursday, August 09, 2007 11:55 AM
To: security-basics () securityfocus com
Subject: HTTPs web-balancing

Hi !

Has anyone experienced load-balancing with https? Some guys say it's
possible, others say no. Some vendors say yes, some friends say no :(.
I'm quite lost!

Thx !